CHOOSE YOUR CHARACTER
LET'S PLAY!
A Technology Leader (CIO) responding to the technical side of a ransomware breach.
A Business Leader (CEO/CFO) navigating communications, stakeholder trust, and business continuity.
ALERT: Suspicious Activity Detected!
Several users have lost access to files. Your SOC just flagged abnormal file encryption activity across multiple employee endpoints. Finance systems and shared drives are among the affected. Time is critical.
Do you...
A / Triage and isolate affected devices
B / Alert the full executive team
C / Wait for more data before reacting
Devices isolated quickly. Containment is underway.
Executives are briefed, but containment is delayed.
Tip: Alerting executives early is important, but only after immediate action is underway.
Missed the first move? Try a Breach Simulation to learn the right order.
Delay allowed the attack to spread further.
Tip: Delaying containment allows threats to spread.
Need to prepare? Our Breach Simulation can show how to act faster.
How bad is it?
You've isolated endpoints, but you don’t know how far the attack has spread. Your team is scrambling to assess the blast radius.
B / Activate automated forensic tools
C / Pull overnight backups
A / Review logs manually
Forensics reveal full breach scope in minutes.
Backups are pulled, but infection point is unclear.
Tip: Backups are recovery tools, not breach investigation tools.
Want faster threat scoping? Consider a Security Health Check. Schedule one today >
Manual review is slow. Malware spreads to shared drives.
Tip: Manual reviews are often too slow for fast-moving attacks.
Automating with Security Copilot can enhance reliability and reach. Learn more >
Containment Questions
Your analysts suspect lateral movement. Servers may already be affected. Act fast.
B / Launch internal threat hunting protocols
A / Shut down all network traffic
C / Leave systems online to avoid disruption
Internal protocols reveal extent of lateral movement.
Complete shutdown halts business operations.
Tip: Shutting down systems disrupts business. Targeted threat hunting is more effective.
Reduce investigation time with AI for Defenders. Learn more >
Leaving systems online lets threat persist.
Tip: Leaving systems online risks deeper infiltration.
Not sure if your environment is safe? Run a Control Validation Audit today.
Find the Entry Point
Initial review shows possible phishing and unpatched software. Pinpointing origin will help guide response.
A / Investigate endpoint logs
B / Review suspicious email activity
C / Examine software patch logs
Endpoint logs confirm origin of breach.
Email activity shows signs, but no clear source.
Tip: Email reviews help, but endpoint logs provide concrete origin data.
Missing log visibility? Evaluate your anti-virus platform's post-breach detection and response capabilities. See how >
Patch history shows critical gaps were ignored.
Tip: Patch gaps often lead to breaches.
A Security Health Check can identify unpatched vulnerabilities. Schedule one today >
Who needs to know?
Legal, compliance, and ops teams are asking for updates. It’s a comms minefield.
A / Brief legal and compliance first
B / Loop in customer support and ops teams
C / Share a mass incident update firm-wide
Legal helps shape incident response early.
Ops helps calm customers but lacks full context.
Tip: Customer teams need talking points aligned with legal.
Consider help developing a Crisis Communication Plan. Learn more >
Firm-wide update causes panic and misinformation.
Tip: Sharing unverified updates can lead to panic.
Build a communication plan with professional support. Start here >
Mitigating Business Impact
Your finance team flags halted transactions. Containment may be working—but your business is suffering.
B / Focus on containment until confirmed safe
A / Prioritize restoring finance systems
C / Spin up parallel systems in clean environment
Threat fully neutralized before restoration begins.
Finance systems restored, but containment was incomplete.
Tip: Restoring business systems before full containment can backfire.
Application resilience tools help time this right. See how >
Spinning up systems risks reinfection.
Tip: Parallel environments can reintroduce threats if isolation isn't confirmed.
A secure recovery plan helps avoid reinfection. Learn more >
Board Wants Answers—Now
You need a clear summary of events for an emergency board call. Time is limited.
A / Ask your AI assistant to generate a breach report
B / Query real-time dashboards for insights
C / Manually compile incident notes
AI compiles report and flags potential impacts.
Dashboards help, but require manual input.
Tip: Dashboards are useful, but AI can accelerate board communication.
Assess your AI maturity to enhance reporting. Start here >
Manual notes are incomplete and delayed.
Tip: Manual notes can miss critical indicators during a crisis.
Use AI tools to reduce risk and reporting time. See how >
Prepare for the Audit
Compliance teams begin prepping disclosure statements. Regulators are watching.
A / Start a post-breach control validation audit
B / Draft an internal-only summary
C / Delay until legal requires formal review
Audit prep begins proactively, catching control gaps.
Internal-only summary risks future liability.
Tip: Internal summaries may help now but won't satisfy auditors.
Start a control validation assessment to prepare users for real-world audit needs. Access here >
Delay increases compliance exposure.
Tip: Delayed audit prep increases risk exposure.
Validate your controls with a Threat Protection Assessment & Zero Trust Architecture. Access here >
What comes next?
The crisis is contained. You’re rebuilding. What’s the long-term play to reduce future risk?
B / Implement recurring breach simulations
C / Deploy AI-driven threat detection
A / Update incident response playbooks and runbooks
Simulations prepare teams for future threats.
AI improves detection, but playbooks are outdated.
Tip: AI improves detection, but without simulation, teams miss the big picture.
Join a Breach Simulation to prepare better. Start now >
Playbooks updated, but without new tech or training.
Tip: Playbooks without tech or testing are incomplete.
Let us help you build a modern incident response strategy.
Unfolding Crisis
Your CIO reports a ransomware attack in progress. Financial systems are affected. Employees are posting about it on LinkedIn. The board is pinging you.
A / Hold an immediate press briefing
B / Call an internal leadership meeting
C / Stay silent until the full scope is known
Early coordination minimizes confusion and error.
Internal sync helps but external perception worsens.
Tip: Crisis communication starts with internal coordination—not just PR.
Prepare your organization with a Crisis Management Readiness Session.
Premature exposure could mislead stakeholders.
Board Demands Answers
Board members are requesting details. Your CIO needs time to investigate.
A / Promise a full update by EOD
B / Ask the CIO to brief the board immediately
C / Schedule a joint briefing with Legal and Tech
Balanced update ensures aligned messaging.
Sets unrealistic expectations under pressure.
Tip: Align legal, IT, and compliance to deliver confident board updates.
Use our Board Readiness Checklist to guide your next briefing.
CIO may share premature or inaccurate information.
Media Leaks Begin
A tech blog breaks the news. Reporters begin calling. Investors are concerned.
A / Issue a holding statement
B / Confirm breach but downplay scope
C / Decline to comment
Allows time to assess while maintaining transparency.
May backfire if proven worse later.
Tip: A strong holding statement helps contain speculation and risk.
Get support building a tailored Crisis Communication Plan. Learn more >
Creates information vacuum and fuels speculation.
Customer Fallout
Top clients want to know if their data was impacted.
A / Direct them to the legal team
B / Issue a templated apology letter
C / Host live customer briefings
Shows leadership and transparency.
Deflects responsibility and delays empathy.
Tip: Transparency builds client trust and limits long-term brand fallout.
Host a Customer Risk Communication Review to align your outreach plan. Learn more >
Can appear cold or dismissive.
Market Confidence Slips
Stock dips. Analyst inquiries roll in. Your competitors are circling.
A / Reassure investors with a live call
B / Wait until incident is fully resolved
C / Publish a Q&A with general info
May help, but lacks human leadership element.
Tip: Restore investor trust with facts, clarity, and next-step action.
Join a Resilience Briefing to learn how leading organizations communicate risk maturity. Join today >
Delays worsen market anxiety.
Staff Morale Drops
Internal confusion and fear are rising. Employees are unsure what to share or expect.
A / Issue an all-hands update and guidelines
B / Stay silent to avoid misinformation
C / Allow managers to handle it on their own
Empowers staff and reduces speculation.
Leads to inconsistent messaging.
Tip: Lead with empathy and action to restore post-breach alignment.
Schedule a Post-Incident Internal Communication Planning Session. Learn more >
Creates fear and chaos.
Audit Flags Unpreparedness
You learn your org never completed a cyber resilience tabletop or risk exercise.
A / Admit the gap and outline next steps
B / Minimize it in communications
C / Shift focus to containment progress
Avoids the core issue but buys time.
Tip: Start a Cyber Resilience Walkthrough to build your playbook.
Start a Cyber Resilience Walkthrough to build your playbook. Learn more >
Downplaying worsens credibility.
Legal Pressure Increases
Regulatory inquiries begin. You need a unified disclosure strategy.
A / Launch a cross-functional disclosure task force
B / Rely solely on legal counsel
C / Delay response until more facts emerge
Demonstrates mature governance.
May miss PR and stakeholder nuances.
Tip: Engage a Risk Governance Alignment Session to build your playbook.
Engage a Risk Governance Alignment Session to build your playbook. Learn more >
Triggers compliance risk.
Recovery Narrative
Crisis is contained. How do you position the business moving forward?
A / Highlight how this made the company stronger
B / Downplay the event as minor
C / Avoid further discussion unless asked
Turns risk into resilience.
Misses opportunity to rebuild confidence.
Tip: Join a Post-Crisis Reflection Session to strengthen future readiness.
Undermines future transparency.
Join a Post-Crisis Reflection Session to strengthen future readiness. Learn more >
You’ve just navigated a high-stakes cyber crisis.
But in the real world, preparation matters even more than response.
GET YOUR INCIDENT RESPONSE READINESS ROADMAP
BDO’s cross-functional team will provide real-world scenarios, identify key gaps, and provide a tailored roadmap with sample deliverables to strengthen your organization’s preparedness before the next breach hits. Explore the readiness framework, deliverables, and next steps to take today.
Start Your Readiness Review