5 Steps to Take After a Cybersecurity Incident

Table of Contents

A cybersecurity incident can be devastating for an organization. Data can be stolen, leaked, or destroyed, and the reputation of the company can be damaged. Our Okta Data Breach Overview is very telling of how an organization’s inadequate response to an incident could be as damaging as the cyberattack itself. In this blog post, we will outline the usual steps an organization must take to recover from a cybersecurity incident. We will also discuss detection and containment of the cyberattack, remediating vulnerabilities, and reporting on the incident.

1. Detect

When an incident occurs, determining first its nature and scope is crucial. This will help you develop a plan to mitigate the consequences and limit the damage. To do this, you need to ask yourself some key questions:

  • Is it a data theft, a ransomware attack, or else?
  • What systems were affected?
  • What type of data was compromised?
  • How did the attacker gain access to your systems?
  • Are there other systems that may be affected?
  • What is the extent of the damage?

If you have answers to these questions, you can start developing a plan to contain and mitigate the security incident. This is where having prepared an incident response plan beforehand comes in handy.

2. Contain

Immediately contain and isolate the critical systems that were affected by the cybersecurity incident. This will help prevent the attacker from causing more damage and give you time to assess the situation. To do this, you need to do the following:

  • Disconnect any infected machines from the network
  • Change all passwords
  • Update security software and run scans
  • Restrict access to systems that may have been compromised
  • Ensure your offsite backups are ready for deployment
  • Notify upper management

3. Remediate

Eradicate whatever caused the attack and start remediating the vulnerabilities and any weak security controls. This is the whole process at this point:

  • Ensure all artifacts of the incident (registry keys, files, timestamps, and event logs) have been fully removed from your system.
  • Repair or update your systems as required.
  • Verify that all software patches are current and any needed protections strengthened.
  • Ensure your offsite backups are ready for deployment.

4. Report

Compile a report on the incident that includes information on what happened, how it happened, and what steps were taken to mitigate the damage. This report should be sent to upper management, the board of directors, any relevant regulatory bodies, and other stakeholders, including clients, partners, and vendors. The report should also include recommendations on how to prevent similar incidents from occurring in the future.

5. Recover

Once the threat is eliminated and the damage repaired, you can start to restore your systems and resume your operations. This process can take some time, depending on the extent of the damage. To do this, you need to do the following:

  • Restore any lost data from backups.
  • Reinstall any software that was deleted or corrupted.
  • Reconfigure any settings that were changed.
  • Test your systems to make sure they are working properly.
  • Notify upper management, any relevant regulatory bodies, and other stakeholders that the incident has been resolved and that your systems are back up and running again.

Wrapping up

However effective and experienced your technical staff can be, today’s highly-sophisticated automated cyberattacks are best handled with prior preparation to the above steps. If you don’t have a plan, now is the time to develop one. To do this, you need to bring together a team of people who will be responsible for dealing with the incident. This team should include IT staff, cybersecurity experts, and upper management. The team will need to determine the steps that need to be taken to address the incident and make sure that everyone knows their roles and responsibilities.

Having at your disposal an incident response plan will help your organization minimize damage, disruption, and stress. But, ultimately, the best preparation is helping prevent a cyberattack from ever happening in the first place, namely through continuous penetration testing of your networks against common threats. A ransomware readiness audit also allows you to address any vulnerabilities that could readily be exploited by a ransomware attack.

Contact us if you need help assessing your risks of being breached by a cyberattack.

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.
This field is for validation purposes and should be left unchanged.

Share this article on social media:

Recent Blog Posts

Featured Services


The Latest Blog Articles From Vumetric

From industry trends,  to recommended best practices, read it here first:



Everything You Need to Know

Gain confidence in your future cybersecurity assessments by learning to effectively plan, scope and execute projects.
This field is for validation purposes and should be left unchanged.


Enter your Email Address

This field is for validation purposes and should be left unchanged.

* No free email provider (e.g: gmail.com, hotmail.com, etc.)

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.