Which of the following practices helps incident responders during recovery after an insider attack?

Implementing "immutable" and "unbreakable" backups is a crucial practice that significantly supports incident responders during the recovery phase after an insider attack. These types of backups ensure that data cannot be altered or deleted once they are created, which protects against malicious insider actions that may aim to compromise or destroy vital data. This ensures that, even in the face of an insider threat, responders can restore systems and data to a secure state using these unaffected backups.

This practice also instills confidence in the integrity of the backup systems, allowing for a quicker recovery time and minimizing operational disruptions. With immutable backups, if a data breach occurs, the organization maintains a secure snapshot of data that can be relied upon, helping to facilitate an effective recovery process and restoring operations with minimal risk of data loss.

In contrast, relying solely on employee reports of unusual activity, ignoring minor incidents, or depending on external audits can expose the organization to greater risks, as these strategies do not provide the fundamental safeguard that robust and secure backup systems do. Minor incidents can serve as early warning signals of larger problems, and solely depending on external audits may overlook internal threats that could be detrimental to the organization's overall data security.