Handling the First 24 Hours After a Cyberattack

When a cyberattack occurs, how your organization responds can make all the difference in limiting the damage. In particular, time is of the essence. That’s why it’s vital for your organization to have an effective cyber incident response plan in place that specifically addresses key actions to implement within the first 24 hours following an attack.

During these initial hours, your organization’s response can help foster business continuity, protect stakeholders, limit legal repercussions and ultimately put a stop to the incident as fast as possible. What’s more, taking steps to quickly contain the attack can provide significant financial benefits. According to a recent report from the Ponemon Institute, organizations that were able to resolve a cyberattack in less than 30 days saved over $1 million in resulting costs when compared to organizations that took more than 30 days to do so.

To minimize the lasting damage that can often accompany a cyberattack, here’s an overview of important tasks to complete during the first 24 hours after an attack is discovered at your organization:

  • Start documenting the incident. As soon as you find out that a cyberattack is taking place, begin documenting what you know. This should include when and how the attack was discovered, the technology or data impacted by the attack and any other supporting evidence regarding the event. Keep updating this documentation as you learn more about the incident.
  • Alert important personnel. Be sure to gather the members of your organization’s cyber incident response team and alert them to the attack. This may include IT leaders, crisis communication experts and legal advisors. These individuals should then begin carrying out their designated roles and responsibilities as outlined in the cyber incident response plan. Inform additional employees about the attack on a need-to-know basis.
  • Secure all workplace technology. Do what you can to secure all organizational servers and devices and to stop further data loss or destruction. Take any impacted technology offline by disconnecting it from the network, but don’t power it down, as a running system could offer important evidence during the attack investigation. Launch any backup systems or data required to perform key operations and ensure business continuity (if applicable).
  • Seek further assistance. Consult your organization’s forensic team and—depending on the severity of the incident—local law enforcement to start conducting an in-depth investigation of the attack and help identify the perpetrators. Reach out to your insurance company to kickstart the claim process and receive further assistance.
  • Inform the appropriate parties. Based on guidance provided by your crisis communication experts and legal advisors, develop a plan for effectively sharing the key details of the attack with organizational stakeholders, shareholders and government agencies (if necessary).

For additional loss control resources, schedule a complimentary Cyber Insurance consultation with JGS today!