Megan Samford
Podcast Appearances
Figure out if you need to formally declare an incident that would need to be investigated, the level of that incident.
For the mobile app, where people are responding to text messages, it could be phishing, but you're not quite sure, not sure how many people, all of that.
That's why you stand up incidents to kind of get the full scope of what's going on and you begin to tackle it.
And I would say, depending on the nature of the phish or how sophisticated you think the phishing attack was, just start an incident when you're in doubt.
Just declare an incident and begin to investigate it.
And you can always de-escalate the incident and say, OK, well, this wasn't as big of a deal as we thought it was going to be.
But you can huddle all the teams together that would be responsible for providing some immediate stopgaps and then longer-term things, like more education and things like that for your employees.
So that's how I think about that.
Probably the mobile one in the immediate, until you get your arms around the scenario, because the first scenario, the way you described it to me, I mean, if people aren't doing this stuff every day, what are they doing?
Identifying risk and dispositioning risk, right?
Because the whole scenario is, hey, we've uncovered some risk.
We're aware of it.
We're not sure what we're going to do about it.
Yes.
Yeah, I took number two, but I mean, I don't.
That's exactly right.
And with things like NIS2 and the CRA and global regulation, you better build some muscle memory in, to where if you know that there is a potential for greater risk in your company, and you know that a select population has been spear-phished on mobile, and there's a good potential that there could be something on your network or that risk is moving laterally.
Yeah, absolutely.
You need to declare an incident to huddle around that so that you can understand if you have any reporting obligations.