The call came in at 7:40 on a Tuesday morning, and the owner was already breathing hard. A few files on the shared drive had gone strange overnight, the names ending in something nobody recognized, and a text file sitting in the folder was asking for money. By the time I got him on the phone he had unplugged a server, told an employee to wipe and reinstall the laptop that “started it,” and was googling how to buy the cryptocurrency the note demanded. He had been awake for twenty minutes and had already destroyed most of the evidence we would have needed to figure out what actually happened.
I am not going to tell you that morning was his fault. Almost everyone reacts the same way. I want to tell you about the one habit that separates the businesses that recover quickly from the ones that turn a bad night into a disaster, and it has nothing to do with how good your firewall is.
The most useful line ever written about a breach
In Frank Herbert’s Dune there is an order called the Bene Gesserit, trained to keep their minds clear under extreme stress. They recite a short litany that begins, “I must not fear. Fear is the mind-killer.” The idea is simple. You do not pretend the fear is not there. You let it pass over and through you, and when it is gone you look and see that you are still standing and able to think.
I have read a lot of incident response guidance over the years, and that fictional litany is still the most useful thing I have ever come across on the subject. The first hour of a suspected breach is not won by the cleverest person in the room. It is won by the calmest one. Fear is what makes a survivable incident expensive, and almost every catastrophic decision I have watched happened in the first sixty minutes, made by someone who was scared.
Fear makes the four worst decisions
When fear is driving, it almost always reaches for the same four mistakes, and each one makes the day worse.
The first is paying the ransom on the spot. A frightened owner sees a countdown timer and wants the pain to stop, so the money goes out before anyone has checked whether the backups are fine, whether the attacker can even decrypt the files, or whether paying is legal in that situation. The second is wiping or rebuilding the machine that started it. That machine holds the only record of how the attacker got in and what they touched. Rebuild it in a panic and you have burned the one piece of evidence that tells you whether they are still inside. The third is unplugging the wrong thing, which either spreads the problem or knocks out a healthy system. The fourth, and the one that quietly does the most damage, is hiding the incident from the people who could actually help: your insurer, your attorney, the staff who noticed something was off. Shame keeps the phone in the drawer while the clock runs.
What a one-page plan actually says
The cure for fear is not courage. It is a plan you wrote on a calm afternoon, so that the scared version of you on a Tuesday morning does not have to invent one. It does not need to be a binder. One page, printed and also saved somewhere you can reach if the network is down, is enough to change the whole shape of the day. A good one answers a handful of questions before you ever need it.
- Who you call first, by name and number. Your IT person or managed provider, and the order you call them in. The plan lives somewhere you can open it even if email and the file server are down, which is the whole reason it is on paper too.
- Isolate, do not destroy. Disconnect an affected machine from the network to stop the spread, but leave it powered on and do not wipe, reimage, or “clean” anything. You are containing the fire, not bulldozing the building before the investigators arrive.
- Preserve the evidence and the logs. Write down what you saw and when, take photos of any ransom note or strange screen, and do not let anyone clear logs to “free up space.” The logs are how you learn what really happened and prove it later.
- Call the cyber insurance incident hotline early. If you carry a cyber policy, it almost certainly has a 24-hour breach number, and calling it is usually a condition of coverage. They bring lawyers and forensic specialists you do not have on staff, and calling too late can reduce or void what they pay.
- Decide who talks to customers, and who does not. One named person handles outside communication. Everyone else says nothing publicly. A calm, accurate message later beats a panicked, wrong one now.
If you want a sense of what calm looks like minute by minute, we walk through it in The First Hour of a Suspected Breach. The federal guidance here is good and free, too: CISA keeps practical ransomware response steps at StopRansomware.gov, and the structure behind most modern plans is the NIST Cybersecurity Framework.
Rehearse it once for sixty minutes
A plan you have never read out loud is just a document. The Bene Gesserit do not stay calm because they have read the litany once. They drill it until it runs on its own when the body wants to panic. You can get most of that benefit in a single hour. Sit your key people in a room, and describe a scene: the shared drive is encrypted, the ransom note is on the screen, it is 7:40 in the morning. Then walk it through out loud. Who picks up the phone? Where is the plan saved if email is down? Who calls the insurer? Who keeps quiet?
That sixty-minute tabletop, done once a year over coffee, is one of the cheapest security investments you will ever make. It finds the holes while they are free to fix: the insurance number nobody has, the backup nobody has actually restored from, the one person who knows the server password and is on vacation half the year. On that note, the rehearsal usually surfaces the most common gap of all, which is a backup that has never been tested. We wrote about that exact trap in The Backup You Never Tested, and the insurer’s expectations are spelled out in What Your Cyber Insurance Application Is Really Asking.
Calm is a business decision
Here is why this belongs in a business conversation and not just a technical one. The owner who unplugged the server and wiped the laptop turned a contained problem into weeks of downtime and a much larger bill, because nobody could tell what the attacker had done. The business that has a one-page plan and has rehearsed it once is usually back to work far faster, pays less, holds onto its customers’ trust, and is more likely to keep its insurance payout intact. The difference between those two outcomes is not better software. It is twenty minutes on a calm afternoon and one hour of rehearsal.
You can take a quick, plain-language read on where your own readiness stands with our security self-check before you ever need it. In a real incident, the clever move and the calm move are usually the same move, and you only see it once the fear has passed over and through. Write the page, rehearse the hour, and let the scared version of you on a Tuesday morning find that the thinking has already been done.
Further reading
- From Resolute Security: The First Hour of a Suspected Breach
- From Resolute Security: The Backup You Never Tested
- From Resolute Security: What Your Cyber Insurance Application Is Really Asking
- Try it yourself: Resolute Security self-check
- CISA StopRansomware: response and reporting
- NIST Cybersecurity Framework