Skip Ribbon Commands
Skip to main content

Breach Preparedness


By ​Helge Skov Diernæs, Management Consultant at NNIT​ & Lars Hviid, Senior Security Architect at NNIT

9-1-1 or 1-1-2 is used globally when calling for help. But which number is used for requesting cyber-help?

When you have a fire you cannot put out, you call the fire department. When you witness a robbery, you call the police. But who do you call when you witness an ongoing break-in into your IT infrastructure or applications?

The EU General Data Protection Regulation (EU GDPR) has highlighted the necessity of a swift and capable response by demanding all companies to have a breach policy and to enforce it effectively. This requires an effective incident response organization to be prepared to cope with even the nastiest breaches. Similar to the fire department, this is the life-line you call when the incident resolution exceeds your own incident response capabilities.​

Cyber Incident Response

Anyone familiar with incident response organizations knows that a typical breach policy, including underpinning procedures, includes:

  • Roles and responsibilities

  • Actions

  • Time KPI

  • Response plan/strategy

  • Incident recovery

  • Documentation

 And particularly after EU GDPR goes live, the following is also required:

  • Internal & External communication plan for affected accounts

  • External communication plan for handling press inquiries, dialogue on social media, etc.

  • Legal plan and potential e-discovery concerns

  • Forensics

Preparedness is key and the question is how prepared your incident response organization is for breach handling. The question becomes even more crucial if your IT landscape involves cloud and outsourced solutions. In the case of EU GDPR, all relevant logs must be consolidated, which requires strong vendor guarantees and service levels. Example: does your current SLA include access to all EU GDPR relevant logs?

Going forwards, handling breaches satisfactorily therefore requires an effective incident response organization including adequate security monitoring and datamining technologies to enable swift responses, forensics, and technological countermeasures - combined with strong execution of communication and legal plans.​


Partner with a cyber-security provider

A cyber security provider can provide the buffer of breach-handling-expertise needed when a breach occurs; however, it is recommended to partner up before the need arrives. Similar to physical security companies, a cyber-security provider must be tied into the company alarm/SOS structure and have emergency keys (passwords) to enter (log onto) the IT premises. Otherwise you end up with inefficient security consultants instead of an efficient Computer Emergency Response Team (CERT). A qualified cyber security provider has the required diverse and specialized skills, moreover proven processes and procedures, to manage even the nastiest breaches and limiting financial and reputational damage.

Key to success is to proactively establish a bridge between the external Computer Emergency Response Team (CERT) and the in-house Security Operations Centre/Incident Response Team. This ensures swift incident coordination of both onsite and offsite personnel to quickly provide incident verification and mitigating actions, whilst also securing evidence for legal action if required. This is vital to have in place for EU GDPR compliance after May 2018.

The flexibility of this combined approach offers your company the best match between your need for enhancing your breach handling capabilities and the cost. Rather than “either/or”, you can now opt for having both. Which one you ultimately select is up to you.​


About NNIT Security Insights

NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.

NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage. 

You are welcome to contact us at if you want to know more about how NNIT can help your business increase its information security level.​


About the Authors

The authors are Lars Koch Hviid and Helge Fraes Skov Djernes.

Lars Koch Hviid is a C|CISO & CISSP & GICSP certified security professional with more than 17 years’ of experience within Information Security, IT Security and Operational IT security; moreover Lars is very experienced on the strategic level where he pulls on his experience from being CISO. Furthermore, Lars’ has been Lead IT Security Architect in 300+ projects, delivered to the Power, Petrol, and Pharma sector.

Helge Fraes Skov Djernes is a CISM certified security professional with more than 18 years of experience within the IT industry, of these 8 years as advisor, service delivery manager and project manager within the field of information security. Customers cover major financial and manufacturing companies, with focus on risk management and risk mitigation initiatives.