Preparedness is not a slogan. It is a set of constraints that makes incidents smaller: strong control-plane accounts, fast containment, reliable restores, and evidence you can use when something goes wrong. The organizations that struggle most are not the ones that "get targeted." They are the ones that cannot answer basic questions quickly: who has admin, what changed, what is exposed, and how to restore.
Key idea: the first objective is to prevent re-compromise. Fixing one password while leaving the control plane weak turns incidents into loops.
A preparedness baseline you can implement now
| Control | What to implement | What it prevents |
|---|---|---|
| Control-plane hardening | Secure your primary email and admin accounts with phishing-resistant sign-in and alerts | Password resets, admin takeovers, persistent access |
| Patch and exposure discipline | Maintain an owner-tagged list of internet-facing services and patch the exposed list first | Drive-by exploitation of known vulnerabilities |
| Restore readiness | Backups that are isolated from normal admin accounts, plus restore tests | Ransomware leverage and catastrophic recovery delays |
| Session and access hygiene | Shorter sessions for admin actions, sign-out-everywhere, remove stale privileged roles | Token persistence and privilege sprawl |
| Reporting speed | A simple employee reporting channel and a standard triage flow | Late detection and slow containment |
For a broader, longer-horizon framing, see preparing for the future of cybercrime. For the basics of phishing-resistant authentication, see passkeys.
Why "not prepared" is usually a control-plane problem
Most high-impact incidents begin with a low-skill entry path: credential reuse, phishing, or a known vulnerability that was not patched. The reason the incident becomes expensive is rarely the initial foothold. It becomes expensive because the attacker gains options: an admin role, a mailbox forwarding rule, an OAuth grant, or a token that survives password changes.
Preparedness reduces options. If you can revoke sessions, audit admin changes, and restore cleanly, the attacker loses the ability to turn one compromise into sustained leverage.
The failure modes that keep repeating
- Shared admin and daily accounts: one stolen password becomes universal access.
- Weak recovery: the inbox that resets everything is protected only by a password or SMS.
- No evidence: logging is missing, overwritten, or not accessible during the incident.
- Backups that are not real: backups exist, but restores fail or credentials are shared with production.
- Unowned exposure: no single list of what is internet-facing, and no patch deadline discipline.
Rule of thumb: if you cannot force logout, revoke tokens, and enumerate admins quickly, you do not have containment.
A 90-day plan that actually changes outcomes
Most organizations cannot do everything at once. A 90-day plan works when it is owner-based and measurable.
| Days | Focus | What "done" means |
|---|---|---|
| 0 to 14 | Control plane | Primary inbox, password manager, and all admins protected with strong sign-in and alerts; stale admins removed |
| 15 to 45 | Exposure and patching | Explicit internet-facing inventory with owners; patch priorities informed by the CISA KEV catalog; reduced exposure until patched |
| 46 to 75 | Recoverability | Backups isolated from production credentials; one successful restore test per critical system |
| 76 to 90 | Detection and response | Alerting for high-signal identity events; a written incident flow; employee reporting path tested |
Authoritative baseline references that map well to this plan:
- NIST Cybersecurity Framework 2.0: nist.gov/cyberframework
- CISA Cybersecurity Performance Goals (CPGs): cisa.gov/cpg
- CISA Known Exploited Vulnerabilities (KEV) catalog for patch prioritization: known exploited vulnerabilities
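As an added example (not the article's own tooling) of the owner-tagged inventory and KEV-informed patch priorities described above, the script below joins a constructed service inventory with a constructed KEV excerpt, ranks internet-facing items first, and groups the resulting work list by owner. The inventory fields, the placeholder CVE ids and the KEV field names (mirroring the CISA KEV JSON feed) are assumptions.

```python
from datetime import date

# Constructed sample inventory; the CVE ids are placeholders, not real vulnerabilities.
INVENTORY = [
    {"service": "vpn-gateway", "owner": "netops", "internet_facing": True,
     "cves": ["CVE-0000-0001"]},
    {"service": "hr-portal", "owner": "it", "internet_facing": True,
     "cves": ["CVE-0000-0002", "CVE-0000-0003"]},
    {"service": "build-server", "owner": "platform", "internet_facing": False,
     "cves": ["CVE-0000-0001"]},
]

# Constructed KEV excerpt; field names follow the CISA KEV JSON feed (assumption).
KEV = [
    {"cveID": "CVE-0000-0001", "dueDate": "2024-06-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "dueDate": "2024-07-15", "knownRansomwareCampaignUse": "Unknown"},
]

def prioritise(inventory, kev, today_iso):
    """Return (service, owner, cve, action) tuples, most urgent first."""
    today = date.fromisoformat(today_iso)
    by_cve = {v["cveID"]: v for v in kev}
    work = []
    for svc in inventory:
        for cve in svc["cves"]:
            entry = by_cve.get(cve)
            if entry is None:
                continue  # not in KEV: leave it to the normal patch cadence
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            ransomware = entry["knownRansomwareCampaignUse"] == "Known"
            exposed = svc["internet_facing"]
            if not exposed:
                action = "patch on schedule"
            elif days_left < 0:
                action = "reduce exposure until patched"  # reachable and past KEV due date
            else:
                action = "patch now"
            # Exposed before internal, ransomware-linked before not, then nearest due date
            rank = (0 if exposed else 1, 0 if ransomware else 1, days_left)
            work.append((rank, svc["service"], svc["owner"], cve, action))
    work.sort()
    return [w[1:] for w in work]

def by_owner(work):
    """Group the prioritised work list by owner so every item has someone accountable."""
    grouped = {}
    for service, owner, cve, action in work:
        grouped.setdefault(owner, []).append((service, cve, action))
    return grouped
```

Run `by_owner(prioritise(INVENTORY, KEV, "2024-06-10"))` to get one list per owner; items not in KEV are deliberately left to the regular patch cycle.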
When the warning becomes real: how to respond if you suspect compromise
Preparedness includes an execution path. If you suspect active compromise, do not spread changes across systems randomly. Stabilize the control plane, end unknown sessions, preserve evidence, and work the incident in a disciplined order. Start with what to do if your business or employees are hacked.
Preparedness is not about predicting the next attack. It is about reducing how much one mistake can cost and how long recovery takes.
When the control plane is secure, exposure is owned, and restores are real, most attacker tactics degrade into short events rather than crises.
That is the preparedness gap most warnings point to: not a lack of tools, but a lack of constraints that make recovery fast and repeatable.
