What to Do In the Immediate Aftermath of a Cybersecurity Attack
In today’s digitally driven economy, cyber threats can affect businesses of all sizes. However, small and mid-sized organizations (5–250 employees) can feel especially vulnerable—often lacking the extensive security teams and tools that larger enterprises have. If you find yourself suspecting a cyber incident, it can be unsettling, but it doesn’t have to be overwhelming. Below is a high-level roadmap to help you respond calmly and effectively.
1. Recognize the Signs
The first step is acknowledging that something might be wrong. Perhaps staff members receive suspicious emails, files suddenly become inaccessible, or systems start acting unusually. If your gut feeling says something is off, treat it seriously.
2. Stay Calm and Gather the Right People
Panic can lead to hasty decisions, so take a moment to ground yourself and rally key stakeholders. Depending on your company structure, this group might include:
Internal IT/Technology Lead – or, if you don’t have one, the person or team that typically manages your tech.
Managed Service Provider (MSP) – if you work with an external technology partner, contact them right away.
Insurance Broker – if you have any coverage, it often includes support for remediation and response.
Leadership Team – ensure your fellow executives or department heads are informed so everyone is on the same page.
Bringing these people together quickly will help you make coordinated decisions and convey a clear, consistent message to the rest of your organization.
3. Contain the Possible Incident
You can rely on your technology team to guide you, but it’s important to take immediate containment steps:
Limit Access: Temporarily restrict remote logins and ask employees not to connect from unverified devices.
Unplug Compromised Systems: If a particular workstation or server seems directly affected, you can temporarily take it offline (turn off Wi-Fi or unplug the network cable) to prevent potential spread of malware.
Network Shutdown: In some cases your best approach may be a total network shutdown of all devices (computers, servers, switches, firewalls, and access points).
Secure Sensitive Data: If feasible, move or protect your most critical data and change all administrative passwords as well as the passwords that protect sensitive information.
The goal here is to keep a possible incident from spiraling. You can always restore normal operations once you’ve confirmed that systems are secure.
4. Communicate Appropriately but Carefully
While you don’t want to create unnecessary alarm, it’s important to keep people informed:
Employees: Let them know that you’re aware of a potential issue and remind them to stay alert for anything unusual (e.g., strange emails). Ask them to report suspicious activity immediately and to be patient.
Customers and Partners: If there is definitive evidence that their confidential information has been affected, be honest about the situation. Let them know you’re taking it seriously and will update them as soon as you have more information.
Proper Authorities: Depending on the type of incident, it may be beneficial to involve the FBI, local police, Department of Homeland Security, and/or the Secret Service. Your advisors should be able to help you navigate who to contact and when to do it.
While it is generally best to be proactive and transparent with communication, keep a few things in mind:
Share Facts – Not Assumptions: Throughout the investigation, the working theory of how the attack happened, what was accessed, how long recovery will take, and many other factors will change. It is best to share only what is absolutely certain.
Avoid the B Word: There is a very important distinction between a cyber incident and a cyber breach. Until experts have definitively proven that sensitive and/or protected information has been accessed or stolen, do not call the event a breach.
5. Investigate and Understand the Scope
An investigation doesn’t mean you need to turn into a cybersecurity expert overnight. Rather, lean on your internal IT team, MSP, or external cybersecurity specialists to:
Pinpoint the Cause: Did someone click on a harmful link? Was there a weak password policy? Understanding how the incident occurred is the first step to preventing a repeat.
Determine the Damage: Find out what information, if any, was viewed or taken. This helps you figure out next steps and whether data disclosures are necessary.
Remember, your role as a leader is to ensure the right questions are being asked, resources are available, and everyone is following a clear plan.
6. Manage the Aftermath
Once you have enough information about what happened, take steps to restore full operations:
Strengthen Passwords and Access Controls: Require employees to change passwords, ideally using unique, complex combinations.
Update Software and Systems: Install critical updates or patches to close any security loopholes.
Evaluate Your Policies: This is an opportunity to revisit—or create—cybersecurity best practices. Consider formalizing them so employees know exactly what to do if something looks suspicious in the future.
Don’t forget to document these measures. It not only helps protect your company, but also demonstrates your commitment to cybersecurity if customers or auditors ask for details.
7. Learn and Improve
Every incident—no matter how big or small—presents an opportunity to strengthen your organization:
Conduct a Post-Mortem: Once normal operations resume, bring your incident response team and key stakeholders together to talk about what worked and what didn’t.
Refine Your Incident Response Plan: If you don’t have one, create a simple, step-by-step plan. If you do have one, adjust it based on what you learned.
Invest in Ongoing Training: Humans are often the weakest link in cybersecurity. Regular training and refreshers on safe practices (recognizing phishing emails, using multi-factor authentication, etc.) can dramatically reduce future risks.
8. Be Prepared for Next Time
Cyber incidents aren’t always a once-in-a-lifetime occurrence. By establishing clear protocols, training employees, and building strong relationships with IT and legal partners, you’ll be far more resilient if you face another challenge down the road.
Regular Backups: Store data backups in a secure, offsite location to help you recover quickly if systems go down.
Security Audits: Periodically review your systems or ask an external firm to conduct an assessment to spot vulnerabilities before attackers do.
Culture of Vigilance: Encourage everyone, from interns to executives, to view cybersecurity as part of their daily responsibility.
Final Thoughts
A suspected cyber incident can feel like a crisis, but with the right approach, it can also become a turning point for stronger, smarter digital practices. By remaining calm, gathering the right people, communicating transparently, and learning from the event, you can protect both your business’s bottom line and its reputation.
Remember, cybersecurity is not just a technology issue—it’s a leadership issue. By prioritizing it at the highest levels and fostering a culture of awareness, you can help ensure your company bounces back from any setback better prepared than ever.