Advanced Cybersecurity, Cybersecurity

What to Do in the First Hour of a Cyberattack

Timblog1

When a business discovers a cyberattack, the first instinct is often to start clicking things.

Turn off the computer. Delete the suspicious email. Change every password. Send a message to the whole company.

Some of those actions may eventually be necessary. Doing them in the wrong order can spread the problem, destroy useful evidence, or alert an attacker who is still reading your email.

You don’t need to become a cybersecurity expert in the middle of an incident. You do need a simple plan.

First, Don’t Make It Worse

Before doing anything else:

  • Don’t delete suspicious emails, ransom notes, files, or security alerts.
  • Don’t wipe or reinstall the affected computer.
  • Don’t immediately pay a ransom.
  • Don’t discuss the attack through an email account that may be compromised.
  • Don’t start unplugging every piece of equipment in the building unless your IT team tells you to.

And, when possible, don’t power off an affected device before isolating it.

Turning a computer off may erase information stored in memory that could help an incident-response team understand what happened. CISA recommends disconnecting an affected device from the network first and shutting it down only when it can’t be isolated another way.

What to Do, in Order

1. Disconnect the affected device

Unplug its network cable and turn off Wi-Fi.

The goal is to stop the affected computer from communicating with other systems, shared drives, cloud services, or backups.

If you aren’t sure which machine is causing the problem, don’t begin experimenting. Call your IT provider and follow their instructions.

2. Call your IT provider

Use the phone, not email.

If an attacker has access to your inbox, they may be able to read messages about the response, see who you are contacting, and learn what your team is doing next.

Tell your IT provider what you noticed, when it started, and which devices or accounts appear to be involved.

If you have cyber insurance, contact the insurer early as well. Some policies require businesses to use approved incident-response firms or follow specific reporting procedures.

3. Leave the evidence alone

Don’t clean things up yet.

Leave suspicious messages, ransom notes, unusual files, and security warnings where they are. Take photographs or screenshots if it is safe to do so, but keep the originals.

Your IT team may also need system logs, email records, login histories, and information stored on the affected device. The digital equivalent of tidying the office before the investigator arrives is rarely helpful.

4. Call the bank if money was sent

If someone transferred money to a scammer, call the bank’s fraud department immediately.

Ask whether the payment can be recalled, frozen, or flagged before it moves any farther. Then report the incident to law enforcement.

The FBI’s Internet Crime Complaint Center works with financial institutions and FBI field offices to help freeze funds in qualifying fraud cases. Don’t wait for your internal investigation to be finished. With fraudulent transfers, speed matters more than having every detail neatly organized.

5. Secure accounts from a clean device

Once your IT or response team gives you the go-ahead, reset passwords using a device that is known to be safe.

Start with:

  • Email accounts
  • Administrator accounts
  • Banking and financial systems
  • Remote-access accounts
  • Cloud services containing sensitive information

Turn on multifactor authentication wherever possible. That is the extra login step that requires a code, app notification, or security key in addition to a password.

Avoid changing passwords from the affected computer. If it contains software that records keystrokes, you may simply be handing the attacker the new password.

6. Report the attack

Report cyber-enabled crime to the FBI’s Internet Crime Complaint Center, commonly known as IC3. Businesses can also report significant cyber incidents to CISA.

Reporting can help law enforcement investigate the crime and may improve the chances of recovering stolen funds. It can also help authorities connect your incident to attacks against other businesses.

You may need to notify customers, employees, regulators, insurers, or other organizations as well. The requirements depend on what information was exposed, the states where you operate, and which laws apply.

Bring your attorney and insurance provider into the conversation early rather than trying to work that out after a deadline has passed.

Should You Pay a Ransom?

The FBI does not recommend paying.

Payment does not guarantee that your files will be restored, that stolen information will be deleted, or that the attacker won’t return later.

That doesn’t make the decision simple. A business may be facing stopped operations, inaccessible patient or client records, and several days of mounting pressure.

But it should never be a decision made by one frightened person staring at a countdown clock.

Talk to your incident-response team, attorney, insurer, and law enforcement. They can help determine what data was affected, whether recovery from backups is possible, and whether a free decryption tool already exists for that particular ransomware.

Prepare the One-Page Version Now

A useful incident-response plan doesn’t need to be a three-ring binder nobody has opened since 2019.

For many small businesses, one page is a good start. It should include:

  • Who to call first
  • Your IT provider’s phone number
  • Your cyber insurer’s contact information
  • Where backups are stored
  • Which systems are most important
  • Who can make decisions during an incident
  • A reminder not to use compromised email accounts

Keep a printed copy somewhere accessible. Saving the only copy on the network that just became unavailable would be unfortunate, although not especially unusual.

The first hour of a cyberattack is rarely calm. Having the phone numbers and first few steps written down means nobody has to invent the plan while the business is already in trouble.

Frequently Asked Questions

What should we do first during a cyberattack?

Disconnect affected devices from the network by unplugging the network cable and turning off Wi-Fi. Then call your IT provider using the phone.

Should we turn off a computer infected with ransomware?

Disconnect it from the network first when possible. Powering it down may erase evidence stored in memory. Shut it down only when you cannot isolate it from the network another way, or when your incident-response team directs you to do so.

Should we pay the ransom?

The FBI recommends against paying because payment does not guarantee that your files will be restored. Discuss the situation with law enforcement, your insurer, legal counsel, and your incident-response team before making a decision.

We wired money to a scammer. What should we do?

Call your bank immediately and ask its fraud department to recall or freeze the transfer. Submit a report to the FBI’s Internet Crime Complaint Center as quickly as possible.

Who should receive a cyberattack report?

Notify your IT or incident-response provider and cyber insurer first. Report the incident to IC3 and, when appropriate, CISA.

Depending on what happened, you may also need to notify regulators, customers, employees, business partners, or other affected parties.

What can we do better?

We love to hear from our clients, please let us know if there are any areas that you think we could improve upon.