What to do after you’ve identified a cyber security incident

Responding quickly to a cyber security incident can reduce the impact on your business, but sometimes it’s difficult to know where to start. Following these steps will help you make sure you’ve got the basics covered as you get your business back up and running.

If you have an incident response plan prepared, now’s the time to put it into action. If you don’t have one, that’s ok too: you can still use this guide to help navigate your response and recovery.

To show how each step could apply to a business we’ve included a fictional scenario.

1. Call in support and reinforcements

As a small or medium business, you might not have in-house IT expertise. Call in people who can help you resolve the incident and make any technical, legal and business decisions. These people could include an IT service provider, a lawyer and your bank.

Note: Even if you’re an IT expert, during an incident you’ll need to stay focused on keeping your business running and managing the response, while others work on resolving the technical aspects of the incident.

2. Triage and contain the incident

Depending on the type of incident and what systems are affected, you will need to take steps to contain the incident and prevent any further damage. This might mean temporarily shutting down or suspending some of your business operations.

The company’s website host confirms that an attacker has accessed the website to post political messaging. She advises shutting down the e-commerce functionality while she works to resolve the issue, to prevent anything going wrong with potential online purchases and to protect customer information.

3. Tell your staff

Once you’ve identified the incident you’ll need to let your staff know. They need to be aware of the incident, what the next steps are and who is leading the incident response.

Make sure staff have the correct information they need to respond to any customer or supplier enquiries. It’s important that messaging is clear and consistent – they’re your frontline for any incoming questions and concerns.

He calls a meeting with his staff to inform them of the incident and that the e-commerce functionality of the website is temporarily closed until the incident is resolved. He appoints himself as incident lead because he is working closely with technical support. He gives the office administrator the role of communications, with the first task of circulating consistent messaging that all staff can use when talking to customers.

4. Let your customers know

One of the most difficult parts of an incident can be letting your customers know about it and how it might affect them. Once you know some details about the incident, you may have to disclose it to your customers. You may decide to let your customers know about an incident even if you’re not sure they’ve been, or will be affected. This decision will need to be made on a case-by-case basis.

In his appointed communications role, the office administrator posts a message to the business’s social media channels letting customers know that the online shopping function of the website is temporarily unavailable while an issue is being resolved.

He also asks the website host to place the same message on the website’s homepage.

You and your lawyer need to decide who you’re legally obliged to contact about an incident. You’ll also need to decide who you’re morally obliged to contact. If you have a communications or public relations consultant, they’ll be able to help you decide when and how to do this.

5. Maintain business as usual

A cyber security incident can be costly and time consuming to recover from. To minimise the impacts, try to keep the unaffected systems of your business running. You might appoint a staff member to take the lead on day-to-day operations while you focus on the incident and keep track of the response and recovery process, decisions and actions.

6. After the incident

Once the incident is resolved, there are some important last steps to round out the response. These include:

  • a debrief with staff on what went well and what could be done better
  • completing an incident report to document what happened, what decisions were made and why. This document may be helpful for any investigations or insurance claims
  • monitoring activities closely to make sure the incident hasn’t reoccurred and that no other systems have been affected by the incident or by the response
  • responding to any enquiries from customers who were affected by the incident
  • updating policies or noting changes to systems as a result of the incident
  • updating, or creating, your incident response plan with lessons learned.
