How to Prepare for a Cyber Attack: A Leader’s Checklist

How to prepare for a cyber attack — readiness decided before the incident — LeadingCyber

I spent years in public-sector and utility IT, where emergency preparedness isn’t a slide deck — it’s a way of operating. Storms, outages, equipment failures: you plan for them because they’re coming whether you plan or not. Cyber attacks belong in exactly that category. So when people ask how to prepare for a cyber attack, my answer starts with an uncomfortable premise: stop trying to make it impossible, and start making it survivable.

Prevention matters. But the organizations that come through incidents intact aren’t the ones with the most tools — they’re the ones that decided, practiced, and wrote things down before the bad day. Here’s the checklist, in three phases: build, practice, respond.

Why Preparation Beats Prevention

You can’t prevent everything. New vulnerabilities appear daily, phishing only has to work once, and your attack surface grows with every vendor and SaaS signup. The modern operating assumption — “assume breach” — isn’t pessimism; it’s the same logic as fire drills. Nobody runs fire drills because they’ve given up on preventing fires.

And the math backs the mindset: the cost difference between a contained incident and a catastrophic one usually comes down to hours — how fast you noticed, how fast you isolated, whether the backups restored. All three are decided by preparation, not luck.

Phase 1: Build the Foundation

1. Know What You’re Protecting

An honest inventory of systems and data, with your crown jewels flagged — the systems whose loss would actually stop the business. You cannot triage an incident if you don’t know what matters most. If you’ve built the asset inventory from your vulnerability management lifecycle, you’re already halfway there.

2. Write the Incident Response Plan

Short, printed, and findable when the network is down. The plan answers questions that are miserable to answer at 3 a.m.:

  • Who’s in charge? One named incident commander, plus a deputy for vacations — because incidents check nobody’s calendar
  • Who’s on the call tree? IT, leadership, legal, insurer, external IR firm — phone numbers, not just email addresses
  • Who can pull the plug? Pre-granted authority to isolate systems or take services offline without a committee meeting
  • What gets preserved? Basic evidence handling, so recovery doesn’t destroy the forensics

3. Backups That Actually Restore

The single biggest difference between a bad week and a company-ending event. Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy offline or immutable — because modern ransomware hunts and encrypts backups first. And then the step that separates real preparation from theater: test the restore. A backup you’ve never restored is a hope, not a backup.

Infographic showing what an incident response plan should include: commander, call tree, authority, evidence, and communications — LeadingCyber

4. Close the Cheap Gaps

Preparation includes making the attack less likely to land: MFA everywhere (especially remote and admin access), patching on a real cadence, endpoint detection on every machine, and least-privilege access as written in your information security policy. None of this is exotic. All of it shows up in post-incident reports as the thing that wasn’t done.

5. Draft the Communications Before You Need Them

During an incident, you will not have the calm to write well. Draft templates now: the internal all-staff note, the customer notice, the regulator notification, the press statement. Legal should bless them in peacetime. Fill-in-the-blank beats blank-page at 3 a.m., every time.

6. Line Up the Outside Help

Cyber insurance (read the policy — many require specific controls and specific response vendors), a breach attorney, and an incident response firm you’ve at least spoken to. Exchanging business cards during a crisis is the expensive way to do it.

Infographic explaining the 3-2-1 backup rule for cyber attack preparation: three copies, two media types, one offline — LeadingCyber

Phase 2: Practice — The Step Everyone Skips

Here’s where my utility background does the talking. We ran emergency drills constantly — not because plans were bad, but because plans meet reality badly on first contact. The cyber equivalent is the tabletop exercise: two hours, a conference room, a realistic scenario (“ransomware note on the finance server, backups look encrypted too — go”), and the actual people walking through the actual plan.

Every tabletop I’ve seen surfaces the same category of finding: the plan says call the insurer, but nobody knows the policy number. The commander’s “deputy” left the company. The offline backup wasn’t. These discoveries cost nothing in an exercise and everything in an incident.

Practice cadence that works: a tabletop twice a year, a backup restore test quarterly, and a phishing-response refresher so employees know what to do after clicking a phishing link — because that’s how most incidents will actually start. After every exercise: a one-page after-action note and one fixed gap. That’s it. Small, boring, compounding.

Phase 3: The First Hours — What Good Looks Like

If the foundation and practice are in place, the response almost runs itself:

  1. Detect and escalate — whoever sees it reports it, blame-free, straight to the commander
  2. Isolate — affected systems come off the network using the pre-granted authority; containment beats diagnosis in hour one
  3. Preserve — evidence kept, logs saved, before recovery overwrites the story
  4. Communicate — the pre-drafted templates go out on the pre-decided schedule, and one voice speaks for the organization
  5. Recover from known-good backups — and only after you understand how they got in, or you’ll restore the vulnerability along with the data

For Leaders: Make the Hard Decisions in Peacetime

The most valuable preparation isn’t technical — it’s decisions made in advance, in daylight, with legal input. Who can take revenue-generating systems offline? At what point do we notify customers? What’s our position on paying a ransom, and who has the authority to decide? That last one deserves its own discussion — the pay-or-don’t-pay question is genuinely harder than the headlines suggest.

Decisions made under attack are made badly — by frightened people, at speed, with incomplete information. Decisions made in advance are policy. Move as many as possible into the second category.

Key Takeaways

  • Prepare for survivability, not invulnerability — “assume breach” is fire-drill logic, not pessimism
  • The incident response plan answers the 3 a.m. questions now: who commands, who’s called, who can pull the plug
  • 3-2-1 backups with one offline copy — and a backup you’ve never test-restored is a hope, not a backup
  • Tabletop exercises find the gaps for free; incidents find them at full price
  • Pre-draft the communications and pre-make the hard decisions — policy beats panic

Checklist infographic showing the decisions leaders should make before a cyber attack happens — LeadingCyber

Frequently Asked Questions

How do you prepare for a cyber attack?

Prepare in three phases: build the foundation (asset inventory, a short printed incident response plan, tested 3-2-1 backups, MFA, patching, pre-drafted communications, insurance and legal contacts), practice it (tabletop exercises twice a year, quarterly restore tests), and pre-make the hard decisions — who commands, who can isolate systems, and how notification happens. The goal is survivability, not invulnerability.

What should an incident response plan include?

A named incident commander and deputy, a call tree with phone numbers (IT, leadership, legal, insurer, IR firm), pre-granted authority to isolate systems without waiting for approval, basic evidence-preservation steps, communication templates and schedules, and recovery priorities keyed to your most critical systems. Keep it short and keep a printed copy — the plan must survive the network being down.

What is a tabletop exercise?

A tabletop exercise is a discussion-based drill where the real response team walks through a realistic attack scenario — for example, ransomware discovered on a key server — using the actual plan, in a conference room, with no systems touched. It typically takes two hours and reliably surfaces gaps: outdated contacts, missing authority, backups that aren’t what everyone assumed. Twice a year is a solid cadence.

What is the 3-2-1 backup rule?

Keep three copies of your data, on two different types of media or platforms, with one copy offline or immutable. The offline copy is the critical one against ransomware, which deliberately seeks out and encrypts connected backups before revealing itself. Just as important: test restores regularly — a backup that has never been restored is unverified hope.

How can businesses prevent cyber attacks?

Total prevention isn’t achievable, but the basics block the majority of attempts: multi-factor authentication everywhere, disciplined patching, endpoint detection on every device, least-privilege access, employee phishing awareness, and vendor security requirements. Pair prevention with preparation — detection, response plans, and tested backups — because the goal is making attacks both less likely and less damaging.

What should you do during a cyber attack?

Follow the plan: escalate immediately to the incident commander, isolate affected systems from the network, preserve logs and evidence before recovery work overwrites them, communicate through one voice using pre-drafted templates, and restore from known-good offline backups only after understanding the entry point. Speed in the first hours — especially isolation — usually determines whether the incident stays contained.

Picture of  Iris A.

Iris A.

Author

Recent Posts

How to Prepare for a Cyber Attack: A Leader’s Checklist

How to Prepare for a Cyber Attack: A Leader’s Checklist

I spent years in public-sector and utility IT, where emergency preparedness isn’t…

Information Security Policy: How to Write One (+ Template)

Information Security Policy: How to Write One (+ Template)

Every audit, every compliance framework, every cyber insurance application asks the same…

What Is a CISO? Role, Salary, and How to Become One

What Is a CISO? Role, Salary, and How to Become One

Ask five people what is a CISO and you’ll get five answers:…