If You Were Hit by a Cyberattack Tomorrow. What Would You Do?

Most organisations have an incident response plan.

Very few executives have rehearsed it.

Cyberattacks don’t announce themselves politely. They arrive early, spread quickly, and demand decisions before all the facts are known. When that happens, technical teams don’t make the hardest calls. Executives do.

The problem is that many leaders only discover this once they’re already in the middle of an incident.

The First 24 Hours Are a Leadership Test

When a serious cyber incident hits, the initial questions are not technical. They’re commercial, legal, and reputational.

Do we shut systems down and stop the bleeding. Or keep them running and risk further damage?

Do we notify customers now. Or wait until we know more?

Do we involve regulators immediately. Or assess exposure first?

Do we pay a ransom. Or absorb the consequences?

These decisions are made under pressure, with incomplete information, and often outside normal governance structures. Executives who haven’t engaged with cyber risk beforehand are forced to improvise.

Improvisation is rarely a good strategy.

Why Cyber Plans Fail in Practice

Most cyber incident plans are built to look good on paper. They outline steps, responsibilities, and escalation paths.

What they rarely test is reality.

• Key decision-makers are unavailable

• Information is contradictory or delayed

• Legal, IT, and communications disagree on priorities

• External advisors arrive with different incentives

Under pressure, theoretical plans collapse into judgement calls. That’s where leadership preparedness matters more than documentation.

The Decisions Executives Will Actually Face

During a live incident, executives are asked to trade off competing risks.

Speed vs accuracy

Act too quickly and you may overreact. Wait too long and damage escalates.

Transparency vs control

Early disclosure builds trust but limits flexibility. Silence preserves options but increases suspicion.

Operational continuity vs containment

Keeping systems live may protect revenue. It may also widen the breach.

These aren’t IT decisions. They are leadership decisions with lasting consequences.

Cyber Risk Is Asymmetric. And That Matters.

One of the hardest things for executives to accept is that cyber risk doesn’t scale neatly.

Years of good decisions can be undone by a single incident. Strong teams and solid controls reduce risk. They don’t eliminate it.

That’s why preparedness isn’t about prevention alone. It’s about response.

Executives who understand this invest time in:

• Scenario planning

• Clear decision authority

• Pre-agreed escalation thresholds

• Communication strategies under stress

Those who don’t are left reacting in real time.

The Role of Executive Alignment

Cyber incidents expose organisational misalignment very quickly.

If executives disagree on priorities before an incident, that disagreement will surface when it matters most. If roles and authority aren’t clear, decisions slow down.

Strong cyber resilience depends on:

• Clear ownership of cyber risk at executive level

• Agreed principles for response decisions

• Confidence in advisors before they’re needed

Alignment achieved in advance saves time when time is scarce.

Why Most Leaders Underestimate This

Cyber incidents feel abstract until they’re not.

Executives are busy. Competing risks demand attention. Cyber often feels like a low-probability, high-impact issue that can be safely delegated.

Until the call comes.

The leaders who handle incidents best aren’t the most technical. They’re the most prepared. They’ve thought through uncomfortable scenarios before they were forced to live them.

That’s where the ExecPacks Cybersecurity for Non-Technical Executives unit fits.

It’s designed to help leaders understand cyber risk in business terms, anticipate decision points, and prepare for the realities of an incident. Without drowning in technical detail.

The Question Isn’t If

It’s When

Cyber incidents are no longer rare edge cases. They’re part of the operating environment.

The question executives should ask isn’t “are we secure?”

It’s “are we ready to decide?”

If a cyberattack happened tomorrow, would you know:

• Who takes control?

• What principles guide decisions?

• What trade-offs you’re willing to accept?

If not, cyber risk is being managed by assumption. Not by design.

And assumptions don’t hold up well under pressure.