Last week, President Joe Biden warned U.S. companies to prepare for cyberattacks from Russia, which could come as retaliation for sanctions against Russia for its invasion of Ukraine. Biden went so far as to call this preparation “a patriotic obligation that you invest as much as you can in making sure … that you have built up your technological capacity to deal with cyberattacks.”
So let’s talk cybersecurity again this week. We’ll hear from former National Security Agency Director Adm. Michael Rogers, who is currently a senior fellow and adjunct professor at Kellogg. A few weeks ago, I featured him talking in an episode of The Insightful Leader podcast about how to prevent a cyberattack. Today’s newsletter focuses on Part 2 of his conversation, which addresses what to do if your defenses failed and your network has been breached.
Your Organization’s Network Has Been Breached. What Do You Do Now?
Even the best cyber defenses can fail, Rogers explains. He knows this from experience. In 2015, while NSA director, he realized that hackers believed to be associated with the Russian government had penetrated the Department of Defense’s unclassified Pentagon networks.
Rogers offers advice for how organizations, from the Pentagon on down, should approach a breach. Here are a few of his strategies:
Move fast, even if that’s uncomfortable: You don’t have the luxury of time during a breach, which means you likely won’t have as much information as you’d want when making big decisions. “You can’t just wait to say, ‘well, I’m just going to wait until I have perfect knowledge or until I have a high level of confidence,’” Rogers says. “In the middle of a cyber crisis, look, you are going to have to get used to the idea that you’re going to have to make decisions with incomplete and often conflicting information.” This could include not being 100 percent sure you actually have been breached. But if the telltale signs are there—employees locked out of accounts they use every day, for example, alongside a burst of login attempts from addresses you don’t recognize—then you should assume you’re under attack and respond accordingly.
Be careful how you communicate: If the hackers are in your network and you’re using that same network to coordinate a response, then you’ve got a problem. “The adversary, in most cases, is actually reading your emails,” Rogers says. So don’t communicate via company email. It may be time to go old school and use the telephone or a courier service. Or opt for a messaging app like WhatsApp. Whatever channel you pick, it should not depend on the compromised network or its identity system: a chat tool that staff sign into with the same corporate credentials the attacker may already hold is not out of band.
Don’t pay ransom (unless you really, really have to): Much of the time, the hackers’ end goal is to extract a ransom. Rogers acknowledges that it can be tempting to pay up to get the incident over with. But he advises that unless there is an absolutely critical reason to pay, such as a hospital system where a network breach could cause death, then organizations shouldn’t pay. “I tend not to believe that a valid reason is, ‘well, we should pay because we need to regain control quickly for reputational purposes,’” he says. “My view would be, look in the long run, we’re just incentivizing these actors to engage in more aggressive activities. And I don’t think that’s good for us.” Paying also buys no guarantee: the decryption tool the attackers hand over may not work, and data they copied out of the network can be leaked regardless.
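The “telltale signs” in Rogers’s first point (accounts locked out, login attempts from unfamiliar sources) are something a security team can check for mechanically rather than waiting for certainty. The script below is an added example, not code from the newsletter or from Rogers; the log format, the sample lines, the list of “known” internal networks and the failure threshold are all assumptions made for illustration. It parses constructed authentication log lines, counts failed logins per account, notes attempts and successes from addresses outside the known networks, and applies the rule of thumb from the text: when the same account shows more than one sign, assume you are under attack.

```python
"""Flag the 'telltale signs' of a breach in authentication logs.

Added example for illustration, not the newsletter's or Adm. Rogers's code.
The log format, KNOWN_NETWORKS and the threshold below are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines, loosely modelled on sshd/PAM-style auth logs.
SAMPLE_LOG = """\
Mar 22 09:01:12 vpn1 auth: Accepted password for alice from 10.20.1.15
Mar 22 09:01:40 vpn1 auth: Failed password for alice from 10.20.1.15
Mar 22 09:02:03 vpn1 auth: Accepted password for bob from 10.20.1.22
Mar 22 09:05:17 vpn1 auth: Failed password for alice from 203.0.113.7
Mar 22 09:05:18 vpn1 auth: Failed password for alice from 203.0.113.7
Mar 22 09:05:19 vpn1 auth: Failed password for alice from 203.0.113.7
Mar 22 09:05:20 vpn1 auth: Failed password for alice from 203.0.113.7
Mar 22 09:05:21 vpn1 auth: Failed password for alice from 198.51.100.9
Mar 22 09:05:22 vpn1 auth: Failed password for alice from 198.51.100.9
Mar 22 09:05:25 vpn1 auth: Accepted password for alice from 198.51.100.9
Mar 22 09:06:02 vpn1 auth: Failed password for carol from 203.0.113.7
Mar 22 09:06:03 vpn1 auth: Failed password for carol from 203.0.113.7
Mar 22 09:06:04 vpn1 auth: Failed password for carol from 203.0.113.7
Mar 22 09:06:05 vpn1 auth: Failed password for carol from 203.0.113.7
Mar 22 09:06:06 vpn1 auth: Failed password for carol from 203.0.113.7
Mar 22 09:06:09 vpn1 auth: Accepted password for dave from 10.20.1.30
"""

LINE_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)

# Address ranges the organisation treats as its own (assumed for the example).
KNOWN_NETWORKS = [ip_network("10.20.0.0/16")]


def is_known_source(src):
    """True if the source address falls inside a known internal range."""
    addr = ip_address(src)
    return any(addr in net for net in KNOWN_NETWORKS)


def parse_auth_log(text):
    """Return (user, succeeded, source) tuples for every recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["user"], m["result"] == "Accepted", m["src"]))
    return events


def find_breach_indicators(text, fail_threshold=4):
    """Map each suspicious account to the list of signs observed for it."""
    failures = defaultdict(int)          # failed logins per user (lockout symptom)
    unknown_sources = defaultdict(set)   # unfamiliar source addresses per user
    accepted_from_unknown = set()        # users who logged in from outside

    for user, ok, src in parse_auth_log(text):
        if not ok:
            failures[user] += 1
        if not is_known_source(src):
            unknown_sources[user].add(src)
            if ok:
                accepted_from_unknown.add(user)

    indicators = {}
    for user in set(failures) | set(unknown_sources):
        reasons = []
        if failures[user] >= fail_threshold:
            reasons.append(f"{failures[user]} failed logins")
        if unknown_sources[user]:
            reasons.append(
                f"attempts from unknown sources {sorted(unknown_sources[user])}"
            )
        if user in accepted_from_unknown:
            reasons.append("successful login from an unknown source")
        if reasons:
            indicators[user] = reasons
    return indicators


def should_assume_breach(indicators):
    """Rogers's rule of thumb: more than one sign on the same account means
    act as if you are under attack, without waiting for certainty."""
    return any(len(reasons) >= 2 for reasons in indicators.values())


if __name__ == "__main__":
    found = find_breach_indicators(SAMPLE_LOG)
    for user, reasons in sorted(found.items()):
        print(f"{user}: {'; '.join(reasons)}")
    print("assume breach:", should_assume_breach(found))
```

On the constructed log, alice and carol are flagged (repeated failures from outside addresses, and in alice’s case a successful login from one of them), while bob and dave, who only logged in from known ranges, are not. The threshold and the “known network” list are the tuning knobs; in a real environment they would come from the identity provider’s lockout policy and the organisation’s address inventory.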
You can listen to the full podcast episode here. And Part 1 with Rogers, where he discusses how to prevent an attack, is here.
Today’s Leadership Tip
“You’re essentially putting a bounty on figuring out how to game the incentive system.”
—Associate professor George Georgiadis in Insight, on why offering a simple cash bonus for good work can sometimes backfire for organizations.