What to Do After a Cyber Attack: Your 5-Step Emergency Response Plan

Don't panic. Take immediate action. Every minute counts in minimizing damage to your business.

Your Guide Through This Crisis

We understand exactly what you're going through right now. Discovering a cyber attack feels overwhelming, scary, and isolating. You're probably wondering if your business will survive this, how much damage has been done, and where to even start. These feelings are completely normal – every business owner who faces a cyber incident experiences this same shock and uncertainty.

You're not alone, and this is not the end of your business. At Droptine Group, we've helped hundreds of companies navigate cyber attacks and emerge stronger than before. Our cybersecurity experts have seen every type of attack, from ransomware to data breaches, and we know exactly what it takes to contain the damage, recover your systems, and protect your business moving forward.

Here's your clear path forward:

The next five steps will guide you through the critical first hours after a cyber attack:

  1. Stop the Attack Immediately - Contain the breach before it spreads
  2. Assemble Your Crisis Response Team - Get the right people involved now
  3. Assess What Was Compromised - Understand the scope of your breach
  4. Preserve Evidence and Report - Protect information for investigation
  5. Secure Systems and Begin Recovery - Get your business back online safely

Time is critical. Every minute you delay gives attackers more opportunity to steal data, encrypt files, or cause additional damage. Start with Step 1 immediately, even if you're still reading through the rest of this guide.

Step 1: Stop the Attack Immediately

Contain the Breach Before It Spreads

Your first priority is containment. Act fast to prevent further damage.

Immediate Actions to Take:

  • Disconnect affected devices from the internet and your network (unplug Ethernet cables, disable Wi-Fi)
  • Don't shut down computers - keep them running so evidence held in memory is not lost
  • Change all passwords for compromised accounts immediately
  • Revoke access for any suspicious user accounts
  • Take screenshots of any ransom messages or suspicious activity

Contact Your IT Team:

  • Alert your internal IT staff or managed service provider
  • If you don't have IT support, call a cybersecurity professional immediately
  • Document the time you discovered the breach

Step 2: Assemble Your Crisis Response Team

Get the Right People Involved Now

You can't handle this alone. Build your incident response team quickly.

Key People to Contact:

  • IT/Security personnel (internal or external)
  • Legal counsel familiar with data breach laws
  • Insurance agent to discuss cyber liability coverage
  • Senior management and decision-makers
  • Communications lead for customer/stakeholder messaging

If You Don't Have Internal Resources:

  • Hire a cybersecurity incident response firm immediately
  • Contact your cyber insurance carrier first - they often have preferred vendors
  • Document all communications and decisions made

Step 3: Assess What Was Compromised

Understand the Scope of Your Cyber Security Breach

You need to know what you're dealing with to respond effectively.

Critical Questions to Answer:

  • What systems are affected? (servers, workstations, databases, cloud accounts)
  • What type of attack is this? (ransomware, data theft, business email compromise)
  • How did they get in? (phishing email, compromised password, software vulnerability)
  • What data might be compromised? (customer records, financial data, employee information)

Document Everything:

  • Take photos/screenshots of any attack messages
  • Record timestamps of when issues were discovered
  • List all affected systems and accounts
  • Note any unusual network activity or performance issues

Step 4: Preserve Evidence and Report the Incident

Protect Critical Information for Investigation and Legal Requirements

Proper evidence handling is crucial for recovery and potential prosecution.

Evidence Preservation Steps:

  • Don't delete anything - even suspicious files contain valuable evidence
  • Create backup copies of affected systems (if technically possible)
  • Document all actions taken with timestamps
  • Preserve log files and system activity records
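
One way to carry out the preservation steps above (and the timestamped record keeping from Step 3) in practice, as an added example rather than Droptine Group's own tooling: the script hashes each collected log file into a manifest with a UTC collection timestamp and the collector's name, and can re-verify the files later so any change after collection is detectable. The file names, the collector name and the log lines are constructed sample data.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file so large log files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record who collected what, when (UTC), and each file's SHA-256 and size."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": {p: {"sha256": sha256_file(p), "size": os.path.getsize(p)}
                  for p in paths},
    }


def verify_manifest(manifest):
    """Return paths that are missing or whose hash no longer matches the manifest."""
    return [p for p, rec in manifest["files"].items()
            if not os.path.isfile(p) or sha256_file(p) != rec["sha256"]]


def demo():
    """Collect two constructed log files, save the manifest, then alter one file."""
    d = tempfile.mkdtemp()
    auth, web = os.path.join(d, "auth.log"), os.path.join(d, "access.log")
    with open(auth, "w") as f:  # constructed sample line, not a real event
        f.write("Jan 10 03:14:07 host sshd[812]: Failed password for admin from 203.0.113.5\n")
    with open(web, "w") as f:  # constructed sample line, not a real event
        f.write('203.0.113.5 - - [10/Jan/2024:03:15:02 +0000] "POST /login" 200\n')
    manifest = build_manifest([auth, web], collector="it-oncall")  # hypothetical name
    with open(os.path.join(d, "evidence-manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)  # keep this alongside the evidence copies
    assert verify_manifest(manifest) == []  # intact immediately after collection
    with open(auth, "a") as f:
        f.write("line added after collection\n")  # simulate post-collection change
    return verify_manifest(manifest)  # only auth.log is reported
```

Store the manifest on separate, write-protected media from the evidence copies themselves, so a later change to either one is caught by the re-verification.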

Reporting Requirements:

  • Contact law enforcement (FBI Internet Crime Complaint Center for cyber crimes)
  • Notify relevant regulatory bodies (depending on your industry)
  • Report to your cyber insurance carrier within required timeframes
  • Prepare for customer/client notifications as legally required

Step 5: Secure Your Systems and Begin Recovery

Protect Your Business and Start Getting Back Online

Focus on securing your environment and planning your recovery.

Immediate Security Measures:

  • Verify backup integrity - ensure your backups weren't compromised
  • Update all software and security patches
  • Implement additional security controls (multi-factor authentication, network monitoring)
  • Change all system passwords and security credentials

Recovery Planning:

  • Prioritize critical business functions for restoration
  • Test restored systems thoroughly before bringing them online
  • Monitor networks closely for signs of ongoing compromise
  • Develop communication plan for employees, customers, and stakeholders

Professional Support Options:

  • Cyber incident response services for comprehensive investigation and remediation
  • Legal counsel for regulatory compliance and breach notifications
  • Public relations support for reputation management
  • Ongoing security assessments to prevent future attacks

Ready to Get Professional Help? 

Don't navigate this crisis alone. Droptine Group's cybersecurity experts are standing by to help you respond, recover, and strengthen your defenses.

Or schedule a time to talk to our team here: