You’ve Been Breached. Now What?
No organization wants to face a cyber breach, but the reality is that even with strong protections in place, incidents can still happen. What you do in the first 24 to 48 hours after discovering a breach can significantly affect the outcome.
This post outlines the key steps organizations should take immediately after discovering a potential security incident. Having a plan ahead of time is essential, but if you’re in the middle of it now, this can serve as a guide to begin managing the response.
1. Stay Calm and Activate the Incident Response Plan
The first step is to stay focused. Panic can lead to rushed decisions. If your organization has an incident response plan, now is the time to activate it. This plan should outline who needs to be notified internally, how systems are evaluated, and what steps to take to contain the damage.
If no formal plan is in place, identify and gather your internal response team immediately—this usually includes IT, leadership, communications, and legal or compliance contacts.
2. Contain the Breach
The priority is to limit the spread of the attack. Disconnect affected systems from the network but avoid turning them off unless instructed by security professionals. Powering them off could interfere with forensic analysis.
Containment may involve resetting passwords, disabling accounts, revoking access, or isolating specific servers or devices.
3. Preserve Evidence
Do not delete logs or files related to the incident. Preserve system logs, email headers, files, and communication records. These will be critical for understanding how the breach occurred and for any legal or regulatory investigations that may follow.
If your organization works with a managed IT or cybersecurity partner, contact them immediately for forensic support.
4. Assess the Scope
Work quickly to determine what systems, data, or users were affected. Understanding the nature and scale of the incident will help guide the next steps, including whether reporting obligations are triggered.
Some breaches are limited in scope, while others involve personal data, financial records, or proprietary information. Mapping out what was compromised is key to responding appropriately.
5. Notify Key Stakeholders
Internal communication is important. Leadership and key departments should be informed, but it’s just as important to coordinate messaging. Mixed messages can create confusion and worsen reputational damage.
If customer or regulatory notifications are required, legal counsel should review the wording and timeline to ensure compliance with data breach laws or contractual obligations.
6. Begin Recovery Efforts
Once the immediate threat is contained and evidence is preserved, begin restoring affected systems. Make sure clean backups are available and that they are not compromised.
As part of the recovery phase, communicate updates internally, continue monitoring for signs of further issues, and document every action taken.
7. Review and Learn
After the situation is under control, conduct a full post-incident review. What happened? How did it happen? What worked during the response and what didn’t? Use this information to update your incident response plan and strengthen your defenses.
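One way to put steps 3 and 6 into practice (an added example, not code from the original post or from Strategic Cyber Partners): hash each preserved artifact into a manifest so any later change is detectable, and keep a timestamped record of every containment action taken. The file path, actor name, host name and log line are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SAMPLE_LOG = b"2024-01-01T02:14:09Z sshd[412]: Accepted password for svc\n"  # constructed sample artifact

def utc_now():
    return datetime.now(timezone.utc).isoformat()

def sha256_of(path):
    """Hash an artifact so any later modification can be detected."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Record path, size, hash and collection time for each preserved artifact."""
    return [{"path": p, "size": os.path.getsize(p), "sha256": sha256_of(p),
             "collected_utc": utc_now()} for p in paths]

def verify_manifest(manifest):
    """Return the paths whose current contents no longer match the manifest."""
    return [e["path"] for e in manifest if sha256_of(e["path"]) != e["sha256"]]

class ActionLog:
    """Append-only, timestamped record of who did what to which system."""
    def __init__(self):
        self.entries = []
    def record(self, actor, action, target):
        self.entries.append({"time_utc": utc_now(), "actor": actor,
                             "action": action, "target": target})
        return len(self.entries)

def demo():
    # Preserve a constructed log, record the actions, then detect a later edit.
    log_path = os.path.join(tempfile.mkdtemp(), "auth.log")
    with open(log_path, "wb") as f:
        f.write(SAMPLE_LOG)
    manifest = build_manifest([log_path])
    actions = ActionLog()
    actions.record("oncall", "isolated host from network", "web-01")
    actions.record("oncall", "collected auth.log", log_path)
    before = verify_manifest(manifest)      # [] while the file is untouched
    with open(log_path, "ab") as f:         # simulate an accidental edit
        f.write(b"\n")
    after = verify_manifest(manifest)       # [log_path]
    return before, after, len(actions.entries)
```

Storing the manifest and action log somewhere the affected systems cannot write to keeps the record usable if those systems are later rebuilt.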
Strategic Cyber Partners helps organizations prepare for and respond to cyber incidents with speed and clarity. Whether you’re building a response plan or navigating a live situation, experienced guidance can make a critical difference.