
The Incident Responder Wishlist

Gregory AndersenFebruary 06, 2026

Nobody plans to start their Monday morning with a total system lockout or the realization that a six-figure wire transfer never arrived at its intended destination. When a cyber attack strikes, the flip from business as usual to full-blown crisis can happen in seconds.

In those moments, incident responders are the most valuable people on the line. They’re the calm in the storm: digital detectives and forensic firefighters who support distraught CEOs at 2 a.m., balancing the adrenaline of the chase with the frustration of seeing a preventable vulnerability cause potentially millions in losses. They understand the livelihoods, reputations, and years of hard work behind those computer screens.

Because they’ve stood on the front lines of so many different "fires," incident responders’ first-hand experience reigns supreme. They often see trends that others overlook, so we asked the experts at Coalition Incident Response (CIR) …

If you could wave a magic wand over the businesses you support, what would you change?

Below, we’ve compiled a list of six strategic shifts that any business can make to enhance its overall security posture and make incident responders infinitely happier.

1. The Identity Truth Serum: Human-Centric Zero Trust

Hackers "lie" by using stolen credentials, which means businesses must verify the true identity of every user in their systems. That old adage of trust but verify? Ditch it for a basic zero-trust framework that prioritizes constant, active verification.

One of the biggest offenders CIR sees is the “admin account,” a single, all-powerful login that has lingered for decades but hasn't seen a password change since Y2K. When an attacker lands on that account, it’s game over.

“Tools like Microsoft’s EntraID make applying zero trust much more friendly to small businesses and can block the majority of credential thefts,” said Shelley Ma, Incident Response Lead at CIR. “There are a lot of free tiers that exist for platforms like this, so it’s very well-suited to the SMB market.”

Ultimately, privileged accounts should be tied to a human being, not to a non-attributed "ghost" in the machine. By enforcing multi-factor authentication (MFA) and single sign-on everywhere, and by monitoring identities rather than just passwords, businesses can stop unauthorized access before it gains momentum.

2. The Wall-Less Office: Retiring the Vulnerable Firewall

Many business leaders think they need more walls, but the walls themselves are often the primary point of failure. We’ve seen a relentless wave of vulnerabilities in VPNs and other boundary devices. Even when businesses do everything else right, attackers find their way in through these legacy entry points, especially when VPN login panels are exposed online. In fact, businesses with exposed VPN login panels are 3x to 4x more likely to experience a cyber incident.

“People might laugh, but I truly mean it: Get rid of your firewall,” said Leeann Nicolo, Incident Response Lead at CIR. “There are more and more people who say that they can’t escape from VPN or other boundary device vulnerabilities. Even if they’re doing everything else right, attackers are finding their way in through new zero-days.”

Shifting to zero-trust network architecture (ZTNA) or secure access service edge (SASE) isn’t a simple or cheap option, but it can be the difference between building a higher wall and making the house invisible to the burglar standing outside.

3. The Secure Vault: Moving Off Local File Shares

Most companies keep a firewall (discussed above) in place largely so employees can join the network to reach a shared drive, but legacy file-share services are a ransomware playground. Once an attacker is on the network, they can hold the entire drive for ransom, grinding operations to a halt while they encrypt every PDF, spreadsheet, or anything else the business has ever created and stored there.

The magic wand fix is simple: Get rid of the file shares.

“Transition your team to a corporate-managed cloud drive (like Google Drive or SharePoint) that requires MFA for every login,” said Chris Hendricks, Head of Security Services at CIR. “Virtually no cyber criminal ransoms an entire Google Drive effectively, but they do it to local file shares every single day.”

Encouraging employees to live in a secure, authenticated cloud environment removes one of the most common pain points incident response teams have to deal with.

4. The Crystal Ball: Visibility and Forensic Logging

In a crisis, logs are one of the few ways to see the past, providing the forensic narrative needed to make informed decisions rather than expensive, sweeping guesses. When incident responders arrive on the scene, their first task is to reconstruct the timeline of the attack. Too often, however, they find the digital cameras were never plugged in, leaving the most critical moments of the breach in the dark.

“Businesses should strive to maintain 90 days of searchable, standardized logs across their entire environment,” said Devin Canavan, Senior Incident Response Analyst at CIR.

Without this data, it’s impossible to determine the true scope of an intruder's actions. In an email compromise, for example, logs are the evidence that distinguishes a hacker who could have read an inbox from one who downloaded specific sensitive files. When that trail is missing, responders are often forced to assume the worst-case scenario for regulatory reporting.

High-fidelity logging replaces that ambiguity with clarity, allowing you to limit notification requirements and protect your reputation rather than being forced into a costly "burn it all down" recovery.

5. The Automatic Shield: Prioritizing Patch Management

Attackers are opportunistic by nature, feasting on the low-hanging fruit of unpatched software. CIR frequently sees compromises caused by end-of-life technologies that haven't been updated in months. It’s the equivalent of installing a high-tech alarm on a house where the back door is falling off its hinges.

“Having good auditing structures and ensuring that your software and appliances are patched regularly is one of the most effective ways to ensure your business isn't the easiest target on the block,” said Ma.

When a vendor releases a patch, it’s often because attackers are already exploiting a vulnerability in the wild. Delaying that update is essentially giving hackers a timed window to walk right through your front door.

Furthermore, many organizations, especially those that operate critical infrastructure, still rely on technologies that use legacy operating systems. This creates a massive blind spot because modern security technology, like endpoint detection and response (EDR), cannot provide full coverage or protection on these ancient systems. It leaves your most vital assets exposed, even if you've invested in the latest security tools.

6. The Superpower of Recovery: Making Backups Sexy Again

Data backups are sometimes treated like a boring IT chore, but they’re actually a vital security product. In a crisis, the financial impact of a cyber incident often has less to do with the tech and data, and everything to do with the costs of downtime.

“Viable backups make for a better experience across the board during a cyber incident,” said Hendricks. “They provide the leverage to ignore a ransom demand because businesses can reset to a clean state. Without them, businesses are at the mercy of the attacker’s decryption key, which, even when paid for, can sometimes fail to restore the environment to its original state.”

A truly resilient business uses backups to stay afloat and avoid massive downtime while the IR team works to evict the intruder. However, it’s not enough to simply have the tech and data; you must know how to actually recover it. We’ve seen many businesses realize too late that their backups were either corrupted or, worse, connected to the network and encrypted right along with the primary tech and data.

To make backups a true superpower, they must be immutable, off-site, quick to restore, and regularly tested through recovery drills. When you know for a fact that you can restore your entire operation in hours rather than weeks, the terror of a ransomware note lessens. It transforms a business-ending disaster into a manageable, though annoying, operational hurdle.

Beyond the Wishlist: Building a Resilient Reality

The six wishes on this list might seem like a tall order for a busy organization, but businesses don’t have to fix everything overnight to significantly enhance their overall security posture.

From ditching a legacy admin password to moving files to a secure cloud drive, most of these strategic shifts are about changing habits and architecture rather than just increasing spend or purchasing new technologies. Cybersecurity isn’t “just an IT problem” to be delegated, but a core component of every business’s resilience.

By listening to the people who see the worst-case scenarios every day, businesses can turn a potential disaster into a manageable speed bump. No magic required — just an active approach to cyber risk.


This article originally appeared in the January 2026 edition of the Cyber Savvy Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.


Copyright © 2026. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc. 
