Everyone has a plan until they get punched in the mouth. Mike Tyson’s line has been coming out of security professionals’ mouths in discussions of cyberattacks for decades. Now someone has punched the world in the mouth, and organizations are realizing their IR plans were prepared for a different fight entirely.
Three things have changed at once: the methods attackers use to monetize have evolved, phishing has become more sophisticated, and regulators have gone from suggesting IR planning to demanding it.
The Backup Strategy That No Longer Saves You
For most of the past decade, ransomware meant encryption. Attackers locked files and demanded payment to restore access. The industry responded with backup investments and recovery playbooks built around getting systems back online.
Between November 2024 and November 2025, there was an 11x increase in data-only extortion attacks, going from 2% to 22% of all incident response engagements. Across 57.6% of extortion attacks, threat actors leveraged data theft without any encryption. They quietly infiltrate, steal the data they desire, and leave without setting off the alarms that file encryption would cause.
Restoring from backups brings systems back online. It does not undo the fact that sensitive data has already left your environment. Once it has, breach notification obligations under HIPAA, state privacy laws, and SEC disclosure rules activate regardless of your recovery speed. The regulatory clock starts at exfiltration, not at restoration.
Most incident response plans do not have workflows for this scenario. They lack decision trees for assessing what data was in an affected environment, determining notification timelines, and coordinating with legal counsel from the first hour. Building those workflows into the plan before an incident occurs is what the HALOCK Incident Response Plan is designed to do.
Phishing Is More Dangerous Because It Looks Internal
Cisco Talos Incident Response data from Q1 2026 shows phishing back at the top of the initial access rankings across healthcare, financial services, and public administration. The technique is not new. The execution has evolved enough that most defenses do not catch it.
The pattern Talos documented is worth understanding. One legitimate account gets compromised, then that account sends phishing lures to colleagues internally. The message arrives from a recognized name, in a familiar email thread, with no external sender flags. Recipients have no reason to be suspicious. A second account gets owned. Then a third. The attacker moves laterally without triggering a single perimeter alert.
In 65 percent of non-business email compromise intrusions, the initial foothold came through remote access tools, including RDP, VPN, and remote management platforms. These are the pathways your team uses every day to support distributed work. They feel like infrastructure. That perception gap is what attackers count on.
The FBI’s Operation Winter SHIELD, launched January 28, 2026, distilled ten defensive actions directly from real breach investigations. The most urgent need for most organizations is phishing-resistant authentication on administrator and high-impact accounts. FIDO2 hardware security keys and device-bound passkeys meet that bar. SMS-based MFA does not. Push-notification-only authenticator apps without number-matching do not. The authentication most organizations have deployed was not built for the credential-based attack patterns driving 2026 breaches.
Privileged account management (PAM) and IRP testing were also among the controls FBI agents said were most often missing in the breaches they investigated. The March 2026 attack on Stryker is a case in point: intruders who seized control of an administrator account used Microsoft’s Intune device management tools themselves to erase data from 200,000 computers in 79 countries. No malware. Just a governance gap.
The First 90 Seconds Determine the Investigation
Research published by The Hacker News found that the decisions made in the first 90 seconds of detecting an incident shape the entire trajectory of the response. The natural reaction of most organizations is to quarantine the impacted system. While that may be good for operations, it obliterates valuable forensic information that analysts use to determine scope, track attacker paths, and show regulators they’ve done due diligence.
If organizations can’t answer what was stolen, where it was stolen from, and how the attacker traversed their network, they can’t properly file SEC disclosures, meet HIPAA breach notification guidelines, or explain their response to litigation attorneys. Getting those answers wrong creates downstream legal exposure that continues long after systems are restored.
The organizations that handled incidents well had pre-resolved this tension. They had decided in advance what evidence to preserve before isolating, who notifies legal counsel, and when the communications team gets looped in. Those decisions were made during planning, not under pressure.
Cisco Talos documented the difference in real engagements. When organizations called in IR support quickly, even when the initial signal was something as routine as unusual authentication volume, teams identified pre-attack staging, shared indicators of compromise, and stopped the threat before data left the environment. When organizations waited, even for hours, that window had closed.
Security environments generate more alerts than most teams can triage. The early indicators of a phishing chain, lateral movement, or pre-exfiltration staging are consistently present in logs. Research by Talos found that in every post-mortem, the attacker had been active for days before detection. The information was there. The configuration to surface it as meaningful was not. Tuning detection tools to correlate patterns rather than surface individual events is a configuration problem, and one that a compromise assessment can identify before an attacker exploits it.
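The internal phishing chain described above (one compromised account mailing lures to colleagues, then a second account going the same way) and the point about correlating patterns rather than surfacing single events can be illustrated with a small detection routine. The following is an added example, not code from HALOCK, Cisco Talos or any product; the log format, the per-user baseline of known source IPs, the 30-minute window and the fan-out threshold of five recipients are all assumptions, and the log lines are constructed for illustration. It flags a successful login from a source the user has never used that is followed by an unusual burst of internal mail, and then checks whether any recipient later authenticates from that same source, which is the "second account gets owned" step.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not from a real environment). Timestamps are UTC.
AUTH_LOG = """\
2026-03-02T08:01:10Z auth user=alice src=198.51.100.20 result=success
2026-03-02T08:02:41Z auth user=alice src=203.0.113.7 result=success
2026-03-02T08:03:00Z auth user=dave src=198.51.100.31 result=success
2026-03-02T08:40:12Z auth user=bob src=203.0.113.7 result=success
2026-03-02T09:15:55Z auth user=carol src=198.51.100.22 result=success
"""

MAIL_LOG = """\
2026-03-02T08:05:02Z mail from=alice to=bob internal=true
2026-03-02T08:05:03Z mail from=alice to=carol internal=true
2026-03-02T08:05:04Z mail from=alice to=dave internal=true
2026-03-02T08:05:05Z mail from=alice to=erin internal=true
2026-03-02T08:05:06Z mail from=alice to=frank internal=true
2026-03-02T08:05:07Z mail from=alice to=grace internal=true
2026-03-02T08:30:00Z mail from=dave to=alice internal=true
2026-03-02T08:45:10Z mail from=bob to=carol internal=true
2026-03-02T08:45:11Z mail from=bob to=dave internal=true
2026-03-02T08:45:12Z mail from=bob to=erin internal=true
2026-03-02T08:45:13Z mail from=bob to=frank internal=true
2026-03-02T08:45:14Z mail from=bob to=grace internal=true
"""

# Constructed per-user baseline: source IPs seen for each user in the prior 30 days.
# A user with no baseline entry is treated as novel on every login (assumption).
KNOWN_SOURCES = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.21"},
    "carol": {"198.51.100.22"},
    "dave": {"198.51.100.31"},
}

WINDOW = timedelta(minutes=30)   # assumed correlation window after the novel login
FANOUT_THRESHOLD = 5             # assumed "unusual" number of distinct internal recipients

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|mail) (?P<kv>.*)$")


def parse(log_text):
    """Turn 'timestamp kind key=value ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields["kind"] = m.group("kind")
        events.append(fields)
    return events


def novel_logins(auth_events, known):
    """Successful logins from a source IP that is not in the user's baseline."""
    return [e for e in auth_events
            if e["result"] == "success" and e["src"] not in known.get(e["user"], set())]


def internal_fanout(mail_events, user, start, window):
    """Distinct internal recipients `user` mailed within `window` after `start`."""
    return {e["to"] for e in mail_events
            if e["from"] == user and e["internal"] == "true"
            and start <= e["ts"] <= start + window}


def detect_phishing_chain(auth_text, mail_text, known=KNOWN_SOURCES):
    """Correlate novel login -> internal mail burst -> recipient login from the same source."""
    auth, mail = parse(auth_text), parse(mail_text)
    alerts = []
    for login in novel_logins(auth, known):
        recipients = internal_fanout(mail, login["user"], login["ts"], WINDOW)
        if len(recipients) < FANOUT_THRESHOLD:
            continue  # a new IP alone is noise; the mail burst is what makes it a pattern
        followers = sorted({e["user"] for e in auth
                            if e["user"] in recipients and e["src"] == login["src"]
                            and e["result"] == "success" and e["ts"] > login["ts"]})
        alerts.append({
            "user": login["user"],
            "src": login["src"],
            "login_ts": login["ts"].isoformat(),
            "internal_recipients": len(recipients),
            "followers": followers,  # recipients who then logged in from the same novel source
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_phishing_chain(AUTH_LOG, MAIL_LOG):
        print(alert)
```

On the constructed logs, neither signal alerts on its own: alice's login from 203.0.113.7 is a single new-IP event, and six internal messages in a minute is unremarkable in isolation. Joined within the window they produce one alert for alice, with bob listed as a follower because he authenticated from the same source afterwards, and then a second alert for bob once he starts mailing the same colleagues. In a real deployment the baseline and thresholds would come from the identity provider and mail gateway rather than constants.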
Proactive IR Planning Is Now a Compliance Requirement
This is where many compliance teams have fallen behind. The National Law Review reported in the first quarter of 2026 that incident response plan deadlines tied to regulatory requirements are approaching for a wide range of organizations. The proposed 2025 HIPAA Security Rule updates include mandatory IRP development and testing. State frameworks in California, New York, and others impose similar obligations with their own timelines.
GLBA, HIPAA, state privacy laws, and SEC cybersecurity rules all contain incident response preparedness requirements. For regulated organizations, a written IRP is no longer optional. It is a compliance deliverable with legal consequences when it is absent or inadequate. The organizations treating this as a future consideration are already behind.
The financial case reinforces the regulatory one. A Ponemon Institute study found that organizations with tested IRPs experienced $2.66 million lower breach costs than those without them, a 58 percent cost difference. Many cyber insurers now require a tested IRP as a condition of coverage, and demonstrated readiness is beginning to reduce premiums.
AI governance has entered this equation, too. An employee pasting client data into an external AI tool may trigger the same notification obligations as a network intrusion. Most IRPs written before 2025 do not address this. They need to.
Practical Steps That Change Outcomes
Know where your sensitive data actually lives. Organizations typically describe their primary systems of record when asked where sensitive data resides. The real answer includes shared drives, email archives, endpoint devices, backup systems, and third-party platforms accumulated through normal business operations. Breach scope cannot be accurately assessed against an inventory that is incomplete. Sensitive data scanning shows you where that data really resides, and can frequently reveal your largest compliance gaps.
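A minimal version of the sensitive data scanning mentioned above, as an added example that is not HALOCK's tooling or code from the original article: it walks a directory tree, skips binaries and oversized files, and reports per-file counts of two data classes, US Social Security numbers (with the structural rules that exclude 000/666/9xx area numbers) and payment card numbers (validated with the Luhn checksum so that random 16-digit strings do not inflate the inventory). The sample files, their paths and their contents are constructed for illustration; the 5 MB size cap and the two patterns are assumptions, and a real scan would cover more data classes and more locations than a single tree.

```python
import os
import re
import tempfile

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (structural rules, not an identity check).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text):
    """Digit runs that look like a card number and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text):
    return SSN_RE.findall(text)


def scan_tree(root, max_bytes=5_000_000):
    """Return {relative_path: {"ssn": n, "card": n}} for every file with at least one hit."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # assumed cap; large archives need a streaming scanner
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            if b"\x00" in raw:
                continue  # crude binary check; office/PDF formats need a text extractor
            text = raw.decode("utf-8", errors="replace")
            counts = {"ssn": len(find_ssns(text)), "card": len(find_cards(text))}
            if any(counts.values()):
                inventory[os.path.relpath(path, root).replace(os.sep, "/")] = counts
    return inventory


def build_sample_tree():
    """Constructed sample files: one SSN, one valid card, one lookalike that fails Luhn."""
    root = tempfile.mkdtemp(prefix="datascan_")
    samples = {
        "hr/onboarding.txt": "New hire SSN 123-45-6789, start date 2026-03-02\n",
        "exports/orders.csv": "id,card,amount\n1001,4111 1111 1111 1111,49.00\n",
        "notes/todo.txt": "Call vendor at 555-0100; ticket 000-12-3456 is not an SSN\n",
        "tmp/scratch.log": "junk 4111111111111112 fails checksum\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, counts in sorted(scan_tree(build_sample_tree()).items()):
        print(path, counts)
```

Only the two files that actually hold regulated data end up in the inventory; the ticket number shaped like an SSN and the digit string that fails Luhn are both dropped. That filtering is the useful part: an inventory padded with false positives is no better for breach scoping than the "primary systems of record" answer the paragraph warns about.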
Contain how far an attacker can go once they gain entry. Limit lateral movement with microsegmentation. The less data an attacker can access before you detect the breach, the better. Organizations with microsegmentation in place reported faster incident response times and lower cyber insurance premiums. Even a few additional minutes of detection window can determine whether an incident stays contained.
Test the plan. Whether you read the FBI’s Winter SHIELD bulletin, the Cisco Talos post-mortems, or the proposed HIPAA Security Rule changes, the bottom line is the same: plans that appear comprehensive on paper fall short during actual incidents because the people involved have never coordinated under pressure. Tabletop exercises ensure your team understands their roles and communication protocols before that pressure arrives.
Govern vendor access actively. The CareCloud and Stryker breaches both originated through vendor and administrator access that had not been reviewed. Signing a contract or business associate agreement establishes intent. Periodically auditing what access vendors actually hold in your environment, and testing whether breach notification provisions work as written, is what makes that intent real.
What Separates Organizations That Contain Incidents
Incident response readiness is not primarily a technology question. It is a governance question. The organizations that consistently contain incidents know where their data lives, have closed the authentication gaps that make credential-based attacks easy, actively govern their vendor relationships, and have tested their response plan against the scenarios their peers are experiencing right now.
Reasonable security means controls proportionate to actual risk, documented in a way that holds up to regulatory scrutiny. The Duty of Care Risk Analysis (DoCRA) framework provides the structure for making those decisions defensibly, ensuring that incident response investments are grounded in what your organization actually faces rather than what a generic checklist assumes.
