A cyberattack rarely arrives with a warning. One moment everything is working, and the next you’re facing unknown activity, locked-out systems or suspicious behaviour. The most important thing you can do is act with intention, not panic. These five recommendations help guide your response when things feel chaotic.
1. Pause, assess, and gather the right people
Start by stabilising the situation. Bring together the people who handle incidents internally – IT, security, leadership, legal, communications or whoever is responsible in your organisation. Your first priority is to understand the situation clearly:
What do you know so far?
Which systems or accounts seem affected?
What has changed unexpectedly?
Write everything down as you go. A calm, documented start keeps you from making mistakes under pressure.
2. Communicate early and honestly
Once you have a basic understanding of what’s happening, begin informing those who should be aware. This may include internal teams, partners, service providers, customers, legal advisors or insurance contacts. You don’t need the full story yet – just clear, simple information that you are investigating an incident. Early communication prevents speculation and builds trust during a stressful moment.
3. Contain the threat – carefully
Your next step is stopping the attacker from moving further. This often means isolating affected devices, blocking suspicious connections, and limiting access where needed. The key here is caution: Don’t shut down or wipe systems unless told to by a professional. Turning devices off can destroy clues that help you understand what happened and prevent a repeat. Think of this phase as creating breathing room while keeping evidence intact.
4. Remove, restore, and strengthen
Once the threat is contained, shift your focus to cleanup and recovery. Remove anything the attacker left behind: unwanted tools, strange accounts, unfamiliar software or changes in configuration. Before restoring systems or backups, make sure they are clean and safe to bring back. Recovery should be done gradually and with full visibility. Use this moment to strengthen your environment – close gaps, tighten permissions, improve monitoring, or update processes that proved fragile.
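One way to look for the "strange accounts" mentioned above, as an added example that is not part of the original article: compare a trusted pre-incident copy of the account list with the current one and review every difference before removing anything. It assumes a Linux host and /etc/passwd-format snapshots; both snapshots below are constructed sample data and the function names are hypothetical.

```python
# Added example: diff a pre-incident account baseline against the current state.
# BASELINE and CURRENT are constructed sample data in /etc/passwd format.

BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CURRENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:0::/tmp:/bin/sh
"""

def parse_passwd(text):
    """Return {name: (uid, home, shell)} for each well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed entry: skip rather than guess
        name, _pw, uid, _gid, _gecos, home, shell = fields
        accounts[name] = (int(uid), home, shell)
    return accounts

def diff_accounts(baseline_text, current_text):
    """List findings to review before cleanup; nothing is modified."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name in sorted(new):
        if name not in old:
            findings.append(("new_account", name))
        elif new[name] != old[name]:
            findings.append(("changed_account", name))  # uid, home or shell differs
        if new[name][0] == 0 and name != "root":
            findings.append(("extra_uid0", name))  # second superuser account
    findings += [("removed_account", n) for n in sorted(old) if n not in new]
    return findings

if __name__ == "__main__":
    for kind, name in diff_accounts(BASELINE, CURRENT):
        print(f"{kind}: {name}")
```

The output is a review list, not a removal list: each finding should be checked against change records before an account is disabled.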
5. Turn the incident into long-term resilience
When the immediate pressure has passed, take time to review the entire incident with your team. Ask yourselves:
What helped us respond quickly?
Where did we lose time or clarity?
What gaps in processes or tools became obvious?
What should change so this doesn’t happen again?
A post-incident review is one of the most valuable outcomes of a difficult experience. It turns a stressful situation into concrete improvements that protect your organisation going forward.