As cyber-attacks continue to hit businesses of all sizes, we know that both CISOs and boards struggle during what is one of the most stressful situations they experience. While there’s no one-size-fits-all plan that addresses every organization and every kind of breach or attack they may face, any successful cybersecurity incident response effort requires planning, open communication and excellent teamwork.

Based on that foundation and our broad experience helping organizations handle a variety of crises, we outlined the following list of five steps that are the most important to take when dealing with a cyber attack.


Step 1: Stay calm

As in any crisis, staying calm and composed in the wake of a cyber-attack or data breach is critical. While identifying any damage to mitigate risks as quickly as possible is important, panicking often leads to making hasty decisions that can have poor outcomes. For example, attempting to contact the threat actor or deleting potentially critical data can make the situation worse, both when trying to respond to the incident and when it comes to collecting evidence.

Before doing anything, take a step back and try to form a holistic picture of the incident based on information that is available to you at the time. Key aspects of an incident you should aim to determine initially include information such as which employees, accounts or applications were compromised and whether any company data or funds were stolen. Focus on determining a clear plan of action with immediate, near-term and longer-term steps.

Finally, keep in mind that leadership sets the tone. It’s critical that every member of your C-suite and board comes across calmly, both so other employees follow suit and so leaders are seen as competent and confident in addressing the issue.


Step 2: Prepare: Organize your crisis management team

While not all cyber incidents are major, they can quickly escalate – particularly if they’re not handled well. The name of the game is preparation; you can’t wait until an attack hits to take action. CISOs should develop playbooks and cybersecurity incident response readiness playbooks during their first few months on the job. We also recommend organizing or participating in red teaming and purple teaming exercises and cybersecurity crisis simulations.

Cybersecurity incident response services can be utilized here, especially if your organization or IT team is small. A good external security partner can help with assessments and penetration testing, as well as provide training around the most beneficial types of threat simulations, playbooks and scenario planning.

Further, since cybersecurity attacks and data breaches can impact many areas of a business beyond the IT and security teams, it is important especially for large organizations to have a dedicated crisis management team made up of employees from across relevant business departments, including internal and external communications, finance, IT, legal and human resources. The team should be put in place and meet regularly before crisis strikes to help mitigate potential financial, legal and brand perception risks.

Keep in mind that your plans do not need to be fully comprehensive, but they should outline a clear process for implementing initial stages of the response and identify the right people who will be involved.


Step 3: Mobilize both your crisis management and response teams

Setting up your crisis management and response teams in advance means that you can immediately activate them when an attack hits. Unlike the crisis management team, which is made up of representatives from relevant departments to address all business risks, the response team should be made up of key members of your IT and security teams who have the necessary expertise to handle the actual incident.

Specifically, the crisis response team needs to have both the experience and technical expertise to identify the type of attack or breach, understand its real and potential impact across the organization and take all necessary action to mitigate any damage. Mobilizing this team as quickly as possible is critical for minimizing and containing any damage to prevent an attack from spreading, implementing any fixes and restoring normal operations across the business.

Most notably, it is critical that every member of these teams has specific roles and responsibilities so everyone involved knows who is doing what to avoid duplication of efforts and ensure that what needs to occur does. During planning meetings before an attack occurs, we also strongly recommend identifying clear lines of communication so each team knows what the other is doing and always has the latest information so they can pivot, as necessary.

Especially during a crisis, CISOs and the board also need to ensure they are fostering a culture of teamwork and open dialogue where team members feel comfortable asking questions and “group think” doesn’t creep in. Security leaders need to be able to identify if that is not the case and quickly right the ship. It should go without saying, but teams with strong communication are much more effective.


Step 4: Gather evidence throughout the crisis

As we mentioned above, staying calm and taking deliberate action is key to ensuring you don’t mistakenly delete data that could be critical in determining the full scope of an incident and its impact. Collecting evidence is a crucial element in identifying the source of the attack and understanding the threat attacker’s potential motive.

The critical response team should record as much information as possible, including the time of the attack, the method of attack, any messages or ransom demands from the attacker and any potentially compromised systems. Ideally, the forensic evidence your team collects can help answer questions that address that information, including all the actions taken by the threat actor and over what period of time they compromised your system.

Collecting such evidence is necessary for conducting an initial analysis of the incident and the information should inform decision making as you manage the crisis, contain the attack, recover operations and conduct a post-mortem around how the incident was handled. As you’ll see in our next step, such evidence is also necessary for sharing with third-party stakeholders and authorities.


Step 5: Notify the relevant third-party stakeholders, including authorities

Given the potential legal, financial and reputation implications surrounding a cybersecurity attack, it is crucial to report the details to the relevant third-party stakeholders and authorities. This can include but is not limited to shareholders, vendors, your internet service provider (ISP), and law enforcement agencies.

It’s important to note that if your organization is in a highly regulated industry such as financial services, energy and critical infrastructure or education, there are specific reporting requirements to local, state and federal government agencies and regulatory bodies. Such requirements can include timely notification of the breach and/or attack, as well as relevant evidence the crisis response team collected throughout the process.

Depending on the scope and scale of the incident, your organization will likely face a variety of questions and scrutiny from both internal and external stakeholders, so providing honest and timely details around the facts is critical. Also make sure that accurate information is flowing to the relevant departments through the crisis management team so that what the public relations or communication teams are giving to the media about the incident isn’t factually different from what you are giving other third parties.

While this is a non-exhaustive list, following the above five steps will limit the damage cyber attacks can cause and help protect your organization’s key assets and reputation.

It’s no secret that being a CISO is stressful and brings a lot of responsibility, so everything you can do to prepare and have a plan in place is critical. Having the right people in place is also key – you can always bring in external partners to augment your security team. Most importantly, remember that you can’t be held responsible for preventing all attacks, but you are responsible for how you and your team responds to them.