What to do in the event of an IT security incident?

June 5, 2023

If your company has been hacked, it is important to take immediate action to limit the damage and prevent further breaches. In the best case scenario, you should have an incident response management plan, i.e. an emergency plan that describes the processes, responsibilities and tasks in detail.

If you do not have such a document, here are some steps you can take:

Isolate the affected systems (if possible): Disconnect all compromised computers from the Internet or your company's network to prevent the spread of malware or further data exfiltration.
Use professional help: If you do not have cyber security experts in-house, you should call in your service provider. Make sure that they also have sufficient experience in incident response management. In addition to forensics, this also involves topics such as cyber insurance, crisis team, crisis communication, authority management, infrastructure restoration, etc.
Assess the damage: Try to determine which data may have been accessed or stolen and how extensive the damage is. The aim is to get back up and running as quickly as possible in a secure IT environment. Backdoors or similar should be ruled out when operations are resumed.
Internal and external communication strategy: Inform all persons or organisations that could be affected by the security breach. Define the individual stakeholder groups, such as customers, authorities, but also the board of directors or strategically important partners. You should then consider exactly what is communicated to these stakeholder groups - when and in what level of detail. Keep them informed about the situation, the measures taken and the measures to prevent similar incidents in the future.
Report the incident: In this context, there are obligations that must be fulfilled. Report the incident immediately to the relevant authorities and check the guidelines. Depending on which data has been affected or leaked, several authorities and reporting chains must be observed.
Forensics: Conduct a thorough investigation to determine how the security breach occurred and to identify any vulnerabilities that need to be addressed. Make sure that the data obtained can also stand up in court if necessary. This means that it may be analysed, but not changed.

You will learn a lot from the incident. The course of the attack provides an insight into the obvious vulnerabilities. But what might have been neglected in the run-up to the attack? Come out of the incident stronger by comprehensively evaluating what should be done better next time. Because there will almost certainly be a next time.

Review and update your IT security: Review your security protocols and make any necessary updates to prevent similar security breaches in the future. Put the entire IT security concept to the test and develop a roadmap with your service provider to strengthen cyber resilience. Where are any blind spots? What could be quick wins? Decide according to criteria such as impact and effort in order to prioritise projects.
Emergency plan - but now: Your first security incident? Then now is the time to be better prepared for the next one. A sensible emergency plan ensures that all the points listed here are observed and implemented.
After-incident review: Review the incident and identify opportunities for improvement and implement the necessary changes to the response plan and security protocols.

An IT security incident is a stressful situation for the entire organisation. Similar to a fire, precautions should therefore be taken. Prevention is the key to ensuring a rapid resumption of productivity. It is the task of the management to ensure this. If you find yourself unprepared in such a situation: look for experts who know such situations and know how to moderate them.