Thirteen Rules for Cyber Attack Survival

Every horror fan knows the “rules.” Don’t say "I'll be right back." Don’t go off to investigate that weird noise in the basement. You might also want to check the torch batteries before heading into the woods. Wes Craven’s Scream famously laid them out, but they’ve always been lurking in the background of horror movie classics: survival is about knowing the patterns.

Cybersecurity is no different. Breaches, like masked assailants, follow predictable tropes. They go after the careless, the unprepared, and those who thought it only happens to other people.

So, in true Samhain spirit, here are 13 golden rules for surviving a cyber attack, written with a nod to slasher logic, and more than a few timely reminders of how modern identity security (think: just-in-time access, zero standing privilege, CIEM, ILM) helps keep the lights on.

1. Never Go Alone Into the Dark (Shadow IT)

Every horror movie starts with someone wandering into the shadows. In the enterprise, that’s shadow access: unsanctioned users the attacker can impersonate. CIEM shines a torch into those blind spots, so your team doesn’t get picked off.

2. Don’t Hand Out the Keys to the Bunkhouse

In Scream, anyone could be the killer. In cloud environments, any user could be compromised. Just-in-time (JIT) access ensures privileges only exist when they’re needed, not lurking out there under the mat like a set of house keys in a slasher’s hand. Also, take a hint from that establishing shot of the wood chipper, and lock down machine identities.

3. If You Hear a Strange Noise, Don’t Ignore It

The doomed teenager always says, “It’s probably nothing.” It never is. In cybersecurity, that “weird login” or “unexpected privilege escalation” is the noise you investigate now, not after the breach report.

4. Never Say “I’ll Clean Up Later”

Unrotated keys, orphaned accounts, and stale privileges are the ghosts of bad access hygiene. They always return. Identity Lifecycle Management (ILM) automates the cleanup so nothing lingers in the dark.

5. Don’t Trust the Creepy Dude in the Mask (Service Accounts)

Service accounts often wear the most convincing disguise: background, boring, harmless. In reality, they often hold more power than human users. Wrangle them with context-aware policies before they reveal their true face.

6. Avoid Splitting Up the Team

Horror victims scatter. Security teams silo tools and processes. Both end badly. Keep provisioning, monitoring, and reviews tied together so nothing falls through the cracks.

7. Stay Sober (Avoid Convenience Over Security)

Victims who get drunk don’t make it. Enterprises that rely on blanket admin rights or unchecked convenience don’t either. Zero Standing Privilege (ZSP) is the security equivalent of staying sharp.

8. Never Say “I’ll Be Right Back”

You won’t. In identity security, “I’ll disable that access later” is famous last words. IT rarely circles back, and stale permissions linger like ghosts in the system. Automate time-bound, just-in-time access so privileges vanish when the task ends, not when someone remembers.

9. Don’t Ignore the Sequel

Attackers don’t stop after the first breach. Persistence is their de facto plot twist. Tokens, backdoors, and forgotten entitlements all let them “rise again,” like Ghostface. Continuous access enforcement keeps them from starring in Part II.

10. Always Lock the Door Behind You

Slasher villains love unlocked doors, and so do attackers. In the cloud, that means standing privileges left open long after the job’s done. With self-provisioned, time-bound access, users can get what they need, and the door locks itself behind them. Principle of least privilege, automated deprovisioning, and a healthy respect for the babysitter’s safety.

11. Watch the Phones

In Scream, the killer taunts you over the phone. In modern breaches, it’s phishing and MFA fatigue, as well as staff becoming desensitized to cyberattack training. Teach staff to treat unexpected messages with suspicion, mix up the training, and enforce phishing-resistant MFA to hang up on attackers.

12. Don’t Trust the House Guest

In horror, the new boyfriend or friendly neighbor invariably turns out to be the killer. In the cloud, it’s third-party entities, including contractors, vendors, and supply chain partners. Lurkers are not to be encouraged. Limit their access to the bare minimum and revoke it the second they’re gone.

13. Assume the Bad Guy's Still Out There

At the end of almost every horror film, the villain’s body vanishes and, in a sequel, the death scenes are always far more elaborate and visceral. In cybersecurity, attackers are rarely “gone for good.” Assume compromise is always a possibility. That means continuous monitoring, fast remediation, and treating access as a living, breathing risk.

The Real Lesson

Horror movies exaggerate, but the rules stick because they’re rooted in truth: bad things happen when you cut corners. The same applies to cybersecurity. Breaches love over-privileged accounts, forgotten keys, unchecked access reviews, and the casual assumption that “we’ll deal with it later.”

Survival is about flipping those tropes. Make access intentional, temporary, and visible. Treat identities like potential suspects until proven otherwise. Keep cleaning up after the party, no matter how tired you are.

This Halloween, don’t be the first one picked off. Whether it’s JIT access, Zero Standing Privilege, Identity Lifecycle Management, or CIEM, the tools exist to keep your organization out of the slasher’s spotlight.

In horror and cybersecurity, the survivors aren’t the ones who were fearless. They’re the ones who knew the rules.

Nik Hewitt

Technology

October 9, 2025
