It's made the news. Your company has been breached.
The public is demanding answers. The board is panicking. The phones won't stop ringing. Customers are threatening to leave. Regulators are circling.
Behind the scenes, three separate teams are working around the clock. Technical people frantically review logs that cyber criminals may have already deleted. Legal advisors calculate notification obligations across multiple jurisdictions. The communications team tries to draft statements with incomplete information that changes by the hour.
And to top it all off, the entire IT team is threatening to quit because leadership is making an already impossible situation worse.
This is what incident response actually looks like. Not the polished media statements or the carefully worded notifications to customers. The chaos, the complexity, and the crushing human cost that no one talks about until it's too late.
"Most people don't appreciate how time-consuming and complex it is to navigate through an incident," says Bex Nitert, a Perth-based digital forensics and incident response consultant who has lived through dozens of these scenarios.
"The public demands answers very quickly and is very quick to criticize companies that don't give a full response quickly or clearly. That's because it IS unclear and takes a lot of time to assess and validate the information."
The numbers tell part of the story. In the first half of 2025, the average cyber breach in Australia affected just over 10,000 individuals. The average cost to business: $4.26 million. But those figures don't capture what actually happens in the days, weeks, and months after a company discovers it's been compromised.
The three-ring circus
Once an incident is detected and it hits the news, or worse, before anyone realises how bad it is, multiple things occur simultaneously.
The technical team works to find out what happened and how to fix it. They're reviewing logs and system artifacts, many of which may have been deleted by the cyber criminals.
Meanwhile, the communications team needs to communicate with stakeholders, but they're entirely dependent on the people undertaking the technical work who are still figuring things out themselves.
At the same time, breach counsel works with legal advisors to understand the data you have, the jurisdiction, and the legal obligations regarding data breach notifications.
"Lots of work is happening all at once," Bex says. "Most people don't appreciate how complex it is."
Getting there requires surviving the immediate crisis. And that's where the human element becomes critical.
The breaking point
Sometimes incidents don’t even make the news. During one major breach, the company Bex was working with managed to contain it before public disclosure became necessary.
But, behind closed doors, everything was falling apart.
The entire IT team was threatening to quit. Leadership was severely mishandling communications with the team throughout the incident, adding pressure and blame to an already impossible situation.
Bex had to step in and counsel them. Not about technical matters. About whether they could keep coming to work.
"People are human," she says simply. "You need to be kind throughout because you can very quickly have a lot of people refusing to come to work or refusing to assist on an incident. Even the ones who want to help can reach that breaking point. It's such a stressful situation when it happens."
This, she says, is the part of incident response that never appears in the case studies or compliance reports. The mental health toll. The staff wellbeing crisis. The fact that your response capability can evaporate if you're not thinking about the people executing it.
Human error caused 37% of all breaches in the first half of 2025, up from 29% in the previous period. But blaming humans misses the point. Systems need to account for human stress, human limitations, and human breaking points.
Practice doesn't make perfect, but it does prevent panic
It's not just about having a plan. It's about practicing the plan.
"Tabletop exercises are super beneficial," Bex says. "They can catch flaws in a process when done right and can find gaps before something actually happens. They're highly recommended, even for mature organisations."
Even in controlled, made-up scenarios, interesting things happen. Arguments break out. People start panicking. Suddenly, C-suite executives are sweating.
"If this was an actual incident and you spent an hour arguing about what you were going to do, that's a problem," Bex points out. "These are the kinds of decisions you need to document beforehand or give one person the power to veto."
That's the value of practice. You discover these problems in a conference room with coffee, not at 2am with the media calling and customers demanding answers.
The most dangerous phrase in cybersecurity
‘It won't happen to us.’
(Even when it already has.)
Bex recalls a major ASX-listed company that experienced a ransomware incident. They didn't have any backups, so they couldn't restore their systems. They had to take their services offline.
The company had 80% of their computers running Windows XP in 2021. Windows XP - the operating system Microsoft stopped supporting years earlier.
One of Bex's key recommendations was straightforward: upgrade from Windows XP to a modern operating system.
The response: "No, we're not going to do that."
As of 2025, the company is no longer in business.
With 408 cyber security incidents reported by Australian government entities alone in 2024-25, and nearly 51% of Australian organizations encountering AI-powered cyber threats in the past year, the question isn't whether an incident will happen. It's when.
What you should actually do
The good news: preparation doesn't require unlimited budgets.
"It's important not to go too big too fast," Bex advises. "Look for the quick wins to get a good baseline, because something is better than nothing."
Documentation
Start with documenting decision-making processes before an incident occurs. Who has the authority to make critical decisions? Who communicates with media? When these questions get asked for the first time during an active breach, you've already lost valuable time, Bex advises.
Tabletop exercises
Practice through tabletop exercises. They don't need to be elaborate. Even a simple walkthrough of ‘what would we do if our systems were locked right now’ can reveal dangerous gaps.
Staff wellbeing
Consider staff wellbeing in your incident response plan. Who supports the technical team when they're working 18-hour days? How do you prevent the kind of breakdown that leads to mass resignations in the middle of a crisis?
Data obligations
Understand your data, your jurisdiction, and your legal obligations before an incident. Know your third-party service providers and their role in your response.
When prevention fails
"There's no such thing as a bulletproof organisation," Bex reflects. "The companies that survive are the ones that prepared before the crisis hit."
Not just with technology and policies, but with practiced plans and consideration for the people who will execute them under the worst possible circumstances.
That's what incident response really looks like. And that preparation needs to happen now, not after you've joined the unwelcome club of breached organisations.
"Things are not always what they seem in cyber," Bex says. "It's important to get the facts right. And that takes time, preparation, and thinking about these problems before they become your reality."
—
Cecily Rawlinson is the Director of CyberWest Hub, Western Australia’s central force for advancing cyber security. The Hub is committed to strengthening the state’s cyber industry, developing a future-ready workforce, and raising cyber awareness across all sectors of the economy. For more information, you can get in touch with Cecily at director@cyberwesthub.au.
Bex Nitert is a respected professional in the field of digital forensics and cybersecurity, with a demonstrated track record of leading complex investigations into cybersecurity incidents, factual issues in legal disputes, and allegations of fraud and misconduct. Her experience spans cases involving multimillion-dollar financial fraud, IT system sabotage, data breaches, ransomware attacks, and cyber espionage. With 20 years of experience delivering technical consulting services to clients across both public and private sectors, Bex plays a critical role in helping organisations respond to high-stakes incidents and strengthen their cybersecurity and fraud resilience.
