{"id":212924,"date":"2026-05-11T03:00:00","date_gmt":"2026-05-11T07:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/11\/most-companies-still-dont-have-a-cyberattack-plan-that-is-the-real-vulnerability\/"},"modified":"2026-05-12T18:56:42","modified_gmt":"2026-05-12T22:56:42","slug":"most-companies-still-dont-have-a-cyberattack-plan-that-is-the-real-vulnerability","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/11\/most-companies-still-dont-have-a-cyberattack-plan-that-is-the-real-vulnerability\/","title":{"rendered":"Most Companies Still Don\u2019t Have a Cyberattack Plan. That Is the Real Vulnerability"},"content":{"rendered":"<p><a href=\"https:\/\/www.zmescience.com\/science\/news-science\/most-companies-still-dont-have-a-cyberattack-plan-that-is-the-real-vulnerability\/\">Most Companies Still Don\u2019t Have a Cyberattack Plan. That Is the Real Vulnerability<\/a><\/p>\n<p><a href=\"https:\/\/www.zmescience.com\/science\/news-science\/most-companies-still-dont-have-a-cyberattack-plan-that-is-the-real-vulnerability\/\">https:\/\/www.zmescience.com\/science\/news-science\/most-companies-still-dont-have-a-cyberattack-plan-that-is-the-real-vulnerability\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-11 03:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.zmescience.com\">www.zmescience.com<\/a><\/p>\n<p>Credit: Unsplash.<\/p>\n<p>When a hurricane hits, emergency crews don\u2019t start by debating who should pick up the phone. When a disease outbreak begins, health officials don\u2019t invent a containment strategy from scratch. 
But when a cyberattack lands inside a company, many organizations still improvise.<\/p>\n<p>That\u2019s the uncomfortable point behind a cybersecurity response framework developed by researchers Mohammad Jalali, Bethany Russell, Sabina Razak, and William Gordon. Their work argues that companies focus too much on keeping attackers out and too little on what happens after attackers inevitably get in.<\/p>\n<p>\u201cThe reality is no matter how amazing you are with your prevention capabilities, you\u2019re going to be hacked,\u201d said Mohammad Jalali, a research faculty member at MIT Sloan.<\/p>\n<p>\u201cThen what are you going to do? Do you already have a good response plan in place that is continuously updated? And communication channels are defined, and stakeholder responsibilities are defined? Typically the answer in most organizations is no.\u201d<\/p>\n<p>The researchers reviewed 13 journal articles on cybersecurity and health care and turned those lessons into a framework called EARS, short for eight aggregated response strategies. Although the cases came from health care, the basic problem applies almost everywhere: companies cannot treat cyber incidents as IT surprises. They need emergency plans, rehearsals, leadership buy-in, ethics, documentation, and recovery systems before the breach starts.<\/p>\n<p>Cybersecurity Is Still Too Focused on the Firewall<\/p>\n<p>Corporate cybersecurity has always sold itself around prevention: things like stronger passwords, better firewalls, more monitoring tools, stricter access controls. All of that matters. But prevention alone does not solve the problem.<\/p>\n<p>Hospitals, manufacturers, schools, banks, and public agencies now run on connected systems. A breach can lock patient records, freeze payments, halt production, expose personal data, or knock out basic services. 
In this ecosystem, a cyberattack looks less like a technical inconvenience and more like an operational crisis.<\/p>\n<p>That is why cybersecurity increasingly resembles emergency management. A good organization does not merely ask, \u201cHow do we stop this?\u201d It asks, \u201cWho responds first? Who tells employees? Who calls regulators? Who talks to customers? Which machines get cut off? How do we recover?\u201d<\/p>\n<p>This is also where training matters. Security teams can benefit from structured preparation, whether through internal drills, tabletop exercises, or formal certifications such as CISM, which stands for Certified Information Security Manager. This is aimed at professionals who manage information security programs rather than simply operate technical tools. It is described as a credential that validates the ability to assess risk, govern security programs, and respond to incidents. Candidates must pass the CISM exam, show at least five years of professional information security management experience, follow ISACA\u2019s ethics code, and maintain continuing education requirements. Companies who are serious about their security often help their key employees with CISM training or at least cover their exam cost.<\/p>\n<p>For cybersecurity professionals, the value is partly technical, partly strategic. CISM helps signal that someone can connect breach response, risk management, compliance, executive communication, and business continuity. For employers, these things can matter because a major cyber incident does not stay inside the IT department. It quickly becomes a legal, financial, operational, and reputational problem. 
A CISM-certified manager should be better prepared to translate technical risk into business decisions, coordinate teams during a crisis, and build response plans that survive contact with reality.<\/p>\n<p>But the researchers\u2019 point goes beyond certificates. The whole organization needs to know what happens when systems fail.<\/p>\n<p>The EARS framework splits the work into two parts: what companies should do before an incident and what they should do after one.<\/p>\n<p>The Plan Cannot Be a Generic PDF<\/p>\n<p>The first step sounds obvious: build an incident response plan. But Jalali argues that many companies do this badly.<\/p>\n<p>\u201cOne of the common weaknesses that organizations have is they put together an incident response plan, but the problem is that documentation is usually very generic, it\u2019s not specific to the organization,\u201d Jalali said. \u201cThere is no clear, specific, actionable list of items.\u201d<\/p>\n<p>That distinction matters. A vague policy saying \u201cnotify relevant stakeholders\u201d will not help much at 2 a.m. when ransomware spreads across a network. A useful plan spells out how the company detects an attack, investigates it, contains it, removes the threat, restores systems, and communicates throughout the crisis.<\/p>\n<p>It also cannot live only with IT. Executives, legal teams, communications staff, operations leaders, and department heads all need defined roles. A hospital breach, for instance, may affect patient care. A logistics breach may delay deliveries. A financial breach may trigger reporting obligations. IT can fix systems, but the business has to manage the fallout.<\/p>\n<p>The researchers also stress the need for an information security policy that works as more than a compliance checkbox.<\/p>\n<p>\u201cMany companies think that compliance is security,\u201d Jalali said. 
\u201c[That] if you just follow the information you\u2019ll be taken care of.\u201d<\/p>\n<p>Leaders Need to Show Up Before the Breach<\/p>\n<p>One of the more practical parts of EARS focuses on leadership. Senior executives do not need to become malware analysts. But they do need to understand what a cyber incident can do to the organization.<\/p>\n<p>That means leaders should know the response plan, support it, fund it, and participate in exercises. If they first encounter the plan during a live breach, the organization has already lost time.<\/p>\n<p>The researchers also call for regular mock testing of recovery plans. These exercises reveal gaps before attackers exploit them. They can show that nobody has the right phone number, that a backup does not restore properly, that legal review takes too long, or that a key vendor has no emergency contact.<\/p>\n<p>This reflects a broader shift in cybersecurity: resilience now matters as much as defense. Companies have begun to assume that some attacks will succeed. The goal is to limit damage, recover quickly, and learn from the incident rather than collapse into confusion.<\/p>\n<p>After the Attack, Speed and Clarity Matter<\/p>\n<p>Once an incident begins, EARS moves into post-incident response. The first priority is containment.<\/p>\n<p>That can mean isolating infected machines, cutting off compromised accounts, segmenting parts of a network, or escalating the issue to the IT team immediately. The researchers note that companies cannot always disconnect everything at once, but they can make containment easier before an attack by designing networks with separation in mind.<\/p>\n<p>The next step broadens the response beyond the organization. Cyber incidents affect customers, patients, regulators, vendors, insurers, and sometimes law enforcement. The framework urges companies to involve legal counsel, regulatory agencies, and outside experts when needed.<\/p>\n<p>Then comes investigation and documentation. 
Every serious cyber incident should leave a record of what happened, what decisions people made, what systems failed, and what the organization changed afterward. Without that record, companies cannot reliably identify the root cause or prevent the same mistake from recurring.<\/p>\n<p>AI Can Help Recovery, But It Cannot Replace Preparation<\/p>\n<p>The final part of EARS asks organizations to assess damage and build a recovery algorithm. In plain terms, companies should evaluate what broke, what the attack cost, how they restored operations, and how technology can help them detect and contain similar attacks faster next time.<\/p>\n<p>That may include AI-based tools that spot unusual behavior or support real-time containment. Jalali argues that many response frameworks still underplay this part.<\/p>\n<p>\u201cThe commonly used frameworks for incident response strategies often miss this essential step,\u201d Jalali said, according to the source material, \u201ceven though there are already AI-based products for this very purpose.\u201d<\/p>\n<p>Still, AI does not remove the need for human planning. A detection system may flag suspicious activity, but people still decide whom to notify, which systems to isolate, when to disclose, and how to recover.<\/p>\n<p>The bigger lesson from EARS is simple: cybersecurity is no longer just a technical contest between attackers and defenders. It is an organizational stress test. The companies that fare best will not be the ones that assume they are too secure to fail. They will be the ones that already know what to do when they do.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most Companies Still Don\u2019t Have a Cyberattack Plan. 
That Is the Real Vulnerability https:\/\/www.zmescience.com\/science\/news-science\/most-companies-still-dont-have-a-cyberattack-plan-that-is-the-real-vulnerability\/ Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":212925,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.zmescience.com\/wp-content\/uploads\/2026\/05\/guerrillabuzz-SYofhg_IX3A-unsplash.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,31,32,27],"class_list":["post-212924","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-exploit","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212924"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=212924"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212924\/revisions"}],"predecessor-version":[{"id":212926,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212924\/revisions\/212926"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/212925"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=212924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=212924"},{"taxonomy":"p
ost_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=212924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}