My Incident Response Planning Epiphany

3:35 AM.  Alarm blaring.  Disoriented, I pop out of bed, reach for my glasses and ask, “what is that?”  “It’s the security alarm” my spouse replies.  For a moment, I was relieved because I feared it was the fire alarm.  For a split second, fire seemed like a better option than an intruder.  After briefly playing out the intruder scenario in my head, the fear returned. 

Armed with nothing but our cell phones and bed head, we scurried downstairs.  The alarm app indicated that the breached door was in the basement.  Desperately needing the deafening alarm to stop, I instructed my wife to shut it off.  And then I headed to the basement.  Two incredibly dumb decisions in hindsight.

First, turning the alarm off stopped the signal to the police.  No one would respond.  The alarm company would not call to check on us.  Second, we went to the precise location of the danger without a second thought and without any plan at all.  While my wife’s bed head can be scary, I doubt it would have saved us.

Fortunately, we found no danger.  There was no breach.  The basement door sensor was not working properly.

I found it particularly difficult to get back to sleep at 4 AM.  I was astonished by our complete and utter failure to respond in a reasonable and logical manner.  We didn’t have a plan.  I have an incident response plan for my business.  I help create them for clients.  I understand the importance of being prepared to respond to a cyber incident, but clearly, I did not see the value in having an incident response plan in other contexts.

Notably, many businesses have not done any incident response planning at all.  In fact, the HIPAA Journal reports that 42% of all healthcare organizations have not developed an incident response plan.  Given the vulnerability of the healthcare industry to cyber attacks and the implications of falling victim to ransomware or system failure, that number is way too high.  According to the article, there was a 73% increase in healthcare cyberattacks in 2020.  I doubt we will see a decrease over the next several years.

While an incident response plan won’t prevent an incident, it will, without question, mitigate the devasting effects of an incident.  And it will help avoid bone-headed decision making in the middle of the night.

For the record, we now have a plan in place at home and it does not rely on my wife’s bed head.