The Do’s and Don’ts During a Cyber Incident

When a cyberattack hits, the first moments are critical. What you do—and just as importantly, what you don’t do—can make the difference between a quick recovery and a costly disaster.  

Do: Stay Calm and Follow a Plan 

Panic leads to poor decisions. The best thing you can do in the early moments of an incident is remain calm, lean on your team, and follow your incident response plan. If you don’t already have a plan printed and accessible offline, make that a priority. During an attack, you may not have access to digital files or internal systems. 

Don’t: Communicate with the Threat Actor 

No matter how angry or tempted you are, do not engage with the attacker. Some ransomware gangs have gotten bold—printing ransom notes to every printer in your company or sending them directly to executives. One CEO responded emotionally to a ransom note, telling the attacker off. When professional negotiators tried to step in later, the attacker refused to budge, referencing the CEO’s harsh words. Bottom line: leave communication to experienced professionals. 

Do: Involve the Right Experts Immediately 

Have your forensic response team and cybersecurity-specific legal counsel on standby. Your cyber insurance provider often has a pre-approved panel you should use. Reach out at the first sign of trouble—even if you think the incident is contained. Scoping calls with these experts are often free, and early advice could prevent a small phishing event from escalating into full-blown ransomware. 

Don’t: Power Off or Destroy Affected Machines 

Unplugging or shutting down compromised machines might feel like the right move, but it can erase valuable forensic evidence. We’ve seen clients go as far as smashing machines—don’t do that either. The better route is to isolate the device from the network without turning it off. 

Do: Establish an Out-of-Band Communication Channel 

If attackers are inside your email system, they’re likely monitoring your conversations. Set up a temporary, dedicated communication channel (such as a new Gmail account created solely for the investigation) to talk securely with your response team and legal counsel. Don’t use existing personal or business accounts—if litigation follows, those accounts could become discoverable. 

Do: Prepare for a Long Weekend 

Cyber incidents rarely strike at convenient times. Many occur on Friday evenings or holiday weekends. Be ready. Make sure your IT team has what they need: changes of clothes, snacks, and a place to focus. They might be in for a long few days. 

Don’t: Assume It’s Over

Just because the attack seems resolved doesn’t mean the threat is gone. Many businesses mistakenly believe they’ve handled an event, only to suffer a larger breach weeks later. If anything seems off—even a minor phishing attack—get expert eyes on it.

Responding to a cyberattack is a high-stakes scenario. The decisions you make in those first hours matter. Proactive preparation and knowing the right steps to take can save your company time, money, and reputation. 

Reach out to Aldridge today to make sure you’re ready for whatever comes next—and if you don’t have a plan in place yet, download our free Security Incident Response Template to get started.