Attackers don’t wait for board approval. They slip through a misconfigured firewall at 2am on a Sunday or phish a distracted employee just before quarter-end. At that moment, every control you’ve bought is judged in milliseconds. That is why incident response (IR) isn’t a “nice-to-have” line item; it is the only thing standing between a bad day and a business-ending week.
Cyber attacks are no longer a question of if, but when. From ransomware and data breaches to social engineering and phishing campaigns, organisations face a relentless barrage of digital threats. The critical differentiator isn’t whether you’re attacked – it’s how quickly and effectively you respond. That’s why incident response (IR) is not just a cyber security function, but a strategic imperative. Our view? “Rather you disrupt your own operations and make certain than let a threat actor do it for you,” as the NEC XON Threat Unit often puts it. It’s a hard truth that many organisations realise only after the damage is done.
The vital role of incident response
Incident response is the structured process organisations follow when facing a cyber threat. Whether dealing with malware, unauthorised access or data exfiltration, the goal is simple: detect the incident, contain it, eradicate the threat and recover normal operations as swiftly as possible. Crucially, IR also ensures that every attack becomes a lesson – strengthening defences and refining preparedness for what comes next.
Why speed and strategy matter
A delayed or poorly executed response can be devastating. The longer an attack persists, the more damage is done – both technically and reputationally. An effective IR strategy is critical for four key reasons:
- Limiting the damage: Fast containment prevents attackers from spreading laterally or exfiltrating valuable data.
- Protecting core assets: Data is the lifeblood of modern organisations. A decisive response can stop attackers before they access sensitive information.
- Regulatory compliance: From GDPR to POPIA, regulatory bodies demand demonstrable control over data protection. IR helps organisations respond swiftly and in line with these obligations.
- Preserving trust: How a company responds in the wake of a breach often matters more than the breach itself. Customers respect transparency and speed; they don’t forgive silence or confusion.
Beyond containment: Disrupt the threat actor
Incident response isn’t just about cleaning up after an attack – it’s about disrupting the attacker mid-action. I believe in a more aggressive approach when needed: taking decisive, sometimes disruptive, steps to ensure the attacker cannot re-establish control.
That might mean:
- Disabling compromised identities to block further access.
- Disconnecting infected systems to halt lateral movement.
- Blocking malicious IPs to cut off communication channels.
- Removing malware completely, not just isolating it.
- Shutting down attacker command infrastructure, denying them the ability to co-ordinate the breach further.
In short, the aim is to neutralise the attacker completely. Hence, the “rather you disrupt your operations than the threat actor” dictum.
The power of technology
Technology plays a central role in enabling swift and accurate incident response. Automated detection, AI-driven risk modelling, and integrated IR platforms give defenders the speed and co-ordination they need when every second counts. These tools also streamline collaboration, documentation and post-incident analysis – ensuring that human error is minimised and compliance is maintained.
Preparedness is everything
You can't schedule a cyber attack, but you can prepare for it. Effective incident response is not just about damage control – it’s about being ready. A well-rehearsed IR plan empowers your team to act decisively, recover rapidly and emerge stronger. Those who plan ahead survive. Those who don’t? They become someone else’s cautionary tale.
NEC XON
NEC XON is a leading African integrator of ICT solutions and part of NEC, a Japanese global company. The holding company has operated in Africa since 1963 and delivers communications, energy, safety, security, and digital solutions. It co-creates social value through innovation to help overcome serious societal challenges. The organisation operates in 54 African countries and has a footprint in 16 of them. Regional headquarters are located in South, East, and West Africa. NEC XON is a level 1-certified broad-based black economic empowerment (B-BBEE) business. Discover more at www.nec.africa.