Subscribe
About
  • Home
  • /
  • Security
  • /
  • Incident response preparation for executives: what to do when a breach happens

Incident response preparation for executives: what to do when a breach happens

Joanne Carew
By Joanne Carew, ITWeb Cape-based contributor.
Johannesburg, 03 Jun 2025
Yunus Scheepers, service delivery manager: SecOps at BUI.
Yunus Scheepers, service delivery manager: SecOps at BUI.

You don’t have to look very far to find examples of businesses targeted by cybercriminals. Almost every day, there’s a new headline about an organisation being hit by ransomware or suffering a data breach. Most recently, the UK retailer Marks & Spencer (M&S) stopped taking orders after a major cyberattack. The incident forced M&S to use pen and paper to move products. The company expects its digital systems to be offline until July this year, with projected losses of about 300 million pounds (over R7-billion) in operating profit.

Yunus Scheepers, service delivery manager: SecOps at BUI, started his keynote address at the ITWeb Security Summit at the Cape Town International Convention Centre on Wednesday by sharing several examples of prominent businesses that suffered serious and sometimes devastating consequences after being targeted by cybercriminals. He did so to illustrate that even if you think you’re prepared for a major cyber incident, chances are, you’re not.

How not to handle a cyber incident

Drawing inspiration from the cartoon characters I.R. Baboon and I.M. Weasel (who appear in the Cow and Chicken spin-off series I Am Weasel), Scheepers identified the two types of leaders in an incident response situation.

An I.R. Baboon-type leader is reactive, disorganised, and prone to ego-driven decisions. Leaders like this will panic – and they’ll panic because they believe that panicking will motivate their teams to take the situation seriously. They won’t tell anyone because they think if they keep it secret, they can handle the situation without anyone else ever having to know that something went wrong. And they’ll try to cover it up –wiping all evidence of the incident and trying to restore what’s been lost or compromised from their backups. “Just so you know, this is not how you should respond,” Scheepers told the audience.

An I.M. Weasel-type leader, on the other hand, is proactive, resourceful, and unflappable. Leaders like this will stay calm during a cyberattack, Scheepers said. These leaders do not panic. Why? Because they have a comprehensive plan in place, they’re prepared, and they’ve practised how they will respond. Practice, he believes, isn’t prioritised enough.

They have a saying in the Royal Marines: they don’t practice until they get it right – they practice until they can’t get it wrong.

Leaders like I.M. Weasel favour clear and thorough communication with the right people. Who are these ‘right people’? Your internal teams, law enforcement officials, the media, and other key stakeholders. Additionally, a good leader will focus on minimising disruptions to operations, while also making sure that they document everything and preserve all the necessary evidence.

Evidence preservation can be incredibly complex, but maintaining detailed logs is crucial. “If this isn’t your area of expertise, don’t be afraid to bring in digital forensic experts who can guide you around what you should and shouldn’t do,” advised Scheepers. “This is important because missteps can affect cyber insurance claims, result in regulatory fines, and even lead to customer lawsuits.”

When a business has a clear incident response plan in place, and its team members have rehearsed this plan over and over again, they respond instinctively and without hesitation. “A good friend of mine is a Royal Marine. These guys are highly specialised people and they are training constantly. They have a saying in the Royal Marines: they don’t practice until they get it right – they practice until they can’t get it wrong,” Scheepers said. “I believe that we in the cybersecurity space need to think in a very similar way. It might sound dramatic, but we really are on the front lines of defence and we need to own that.”

Share