5 Cyber Incident Decisions You Need to Make Before the Attack Happens
AI-driven attacks move faster than your team can debate. Five decisions every SMB leader should lock in before a breach forces them to improvise.
When a cyber incident hits, the companies that recover fastest aren’t the ones with the best technology. They’re the ones that already made the hard decisions.
AI has compressed the attack timeline. A compromised Microsoft 365 account can be weaponized in minutes, not hours. AI-generated phishing emails are grammatically perfect and visually indistinguishable from real ones. Voice cloning and deepfake video are no longer theoretical threats. According to the 2025 Verizon DBIR, the median time from phishing email click to credential compromise is now under 60 seconds.
That speed makes one thing clear: the middle of an incident is the worst time to figure out who’s in charge.
Why pre-incident decisions matter more than tools
Most incident response plans read like checklists: isolate the system, notify IT, preserve evidence. That’s useful, but it skips the harder part. The questions that paralyze organizations during a breach aren’t technical. They’re organizational.
Who has the authority to pull the plug on the network? Who calls the lawyer? Who decides whether to pay a ransom? When everyone in the room is looking at each other waiting for someone else to make the call, the attacker is already moving to the next system.
The five decisions below are the ones that separate a controlled response from a chaotic one. None of them require a budget. All of them require a conversation your leadership team should have this month.
1. Who owns investigation when something looks wrong?
An employee reports a suspicious email. A technician notices unusual login activity. Someone gets an MFA prompt they didn’t request. Who picks it up?
For companies with an internal IT person, this seems obvious, but it often isn’t documented. What happens when that person is on vacation? What if the suspicious activity involves their own account?
For companies using a managed security provider, the answer should already be defined in your service agreement. If it’s not, or if your team doesn’t know the answer without looking it up, that’s a gap. The first 15 minutes of investigation set the trajectory for the entire response. Unclear ownership during those minutes means the attacker gets a head start.
Write down the name, role, and backup, and make sure the backup can be reached by a channel that does not depend on the primary's email or on the possibly compromised system (a personal mobile number works). Make sure your team knows who these people are without having to look it up.
2. Who can declare “this is an incident” and trigger the plan?
There’s a difference between “something looks suspicious” and “we are in an active incident.” That second declaration triggers escalation, communications, and response workflows. It may also trigger contractual obligations with your cyber insurance carrier.
Many companies have no one explicitly empowered to make that call. The result is a slow drift from “let’s keep an eye on it” to “this is worse than we thought” to “we should have done something two hours ago.”
Designate someone, by title, not just by name, who has the authority to declare a cybersecurity incident and activate your response plan. This person needs to be reachable 24/7 and comfortable making high-stakes calls with incomplete information. For most SMBs, this is the CEO or COO.
3. Who decides whether to disconnect from the internet?
This is the decision that causes the most debate in the moment, and the most damage when it’s delayed.
Disconnecting your network limits an attacker's ability to exfiltrate data, spread laterally, and communicate with their command infrastructure. It also stops your business. Email goes down. Cloud applications become unreachable. Phone systems that run on VoIP stop working. Revenue-generating operations halt. Note also what disconnecting does not do: if the foothold is a compromised Microsoft 365 or other cloud account, pulling the office's internet connection changes nothing for the attacker, who is logged in from elsewhere. That case needs a password reset and session revocation in the tenant, not a cable pulled.
A security consultant's default recommendation will be to disconnect immediately. For an on-premises compromise that is the safest technical move. But they don't always understand the business impact of taking a 200-person company offline without warning.
This decision needs a designated person who understands both the security risk and the business cost. They need to know the answer to: "If we disconnect right now, what breaks, and for how long?" That includes the tools the response itself depends on: if your phones and shared drives go with the network, how do you reach your carrier and your attorney? That analysis shouldn't happen for the first time during the incident. Run through the scenario now, while there's no pressure.
Your business continuity and disaster recovery plan should already account for a full network disconnection scenario. If it doesn’t, that’s the first thing to fix.
4. When do you engage insurance, legal, and law enforcement?
Cyber insurance carriers typically have specific notification windows written into your policy. Miss the window, and your claim may be denied. Some carriers also require you to use their pre-approved incident response firms, or to get their consent before engaging outside vendors, which means calling your own vendor first could create complications for coverage.
Legal counsel needs to be engaged early, not because you're in trouble, but because attorney-client privilege and work-product protection can shield sensitive findings from discovery. The forensic investigation and internal communications about the breach may be protected if they're conducted under legal direction. If they're not, everything is potentially discoverable. Courts have not always upheld that protection, particularly for forensic reports that also serve an ordinary business purpose, so the engagement needs to be structured by counsel from the start rather than relabeled after the fact.
Law enforcement notification varies by situation. For ransomware, the FBI and CISA both encourage reporting and can sometimes provide decryption keys or intelligence about the group involved. For data breaches involving personal information, Texas law (Texas Business and Commerce Code, Chapter 521) requires notification to affected individuals without unreasonable delay and no later than 60 days after you determine a breach occurred, and notification to the Texas Attorney General when 250 or more Texas residents are affected. Other states have their own deadlines; if you hold data on residents of other states, those clocks run too.
Before any of this matters, someone on your team needs to know:
- Your cyber insurance carrier’s breach notification number (not the general customer service line)
- Your pre-approved incident response vendor (if your policy requires one)
- Your attorney’s direct line (someone familiar with breach response, not your general business counsel)
- The FBI field office number for your region, the FBI's IC3 reporting portal, and the CISA reporting portal
Print this list. Put it somewhere that doesn’t require network access to reach.
5. Who makes the ransom decision?
Ransomware attacks demand payment to decrypt your files. Data extortion attacks demand payment to prevent publication of stolen data. Either way, someone will need to decide whether to pay.
This is an executive decision, not a technical one. It involves financial exposure, legal risk, regulatory implications, and business continuity tradeoffs. The FBI's official position is that they do not encourage paying ransoms, because payment funds criminal enterprises and doesn't guarantee recovery. But the FBI also acknowledges that each organization must weigh its own situation. One legal risk is easy to miss: if the group behind the attack is on a sanctions list, paying it can itself be a violation of OFAC regulations, which is one more reason counsel and the carrier have to be in the loop before any payment.
The person who makes this call should be your CEO or owner, with input from legal counsel and your insurance carrier. The IT team provides technical context (are the backups intact and untouched by the attacker? can we recover from them, and how long will it take? what data is affected, and was it copied out before it was encrypted?), but the business decision belongs to leadership.
Define this now. When a ransom note appears on your screen at 2 AM, you don’t want the first conversation to be about who has the authority to respond.
What these decisions look like in practice
Put all five into a one-page document. Include names, titles, phone numbers, and backup contacts. Store it somewhere accessible without network access: printed in the CEO's desk drawer, in a sealed envelope with your building manager, and in your incident response binder.
Review it every quarter. People change roles, insurance policies get renewed, and law firms change partners. A plan with last year’s contact information is barely better than no plan at all.
If your company runs tabletop exercises, use them to test these decisions. Walk through a realistic scenario and see whether the designated people actually know their roles. The exercise almost always reveals at least one gap.
The gap AI creates and how to close it
AI didn’t create new categories of cyber incidents. It accelerated existing ones. Phishing campaigns that used to take days to craft now generate thousands of unique, convincing messages in minutes. Credential stuffing attacks run through millions of combinations before your security team finishes their morning coffee.
That speed means your response can’t start with a meeting. It has to start with a plan that everyone already understands. The five decisions above are that plan, stripped to the essentials.
If you don’t have a formal incident response plan, these five decisions are the minimum viable version. If you do have a plan, check whether it clearly answers all five. Most plans we review cover the technical response steps but leave the organizational decisions vague or undefined.
Need Help Building Your Incident Response Plan?
Our cybersecurity team can walk you through a readiness assessment and help you close the gaps before they matter.