Cyber Incident Response Do's and Don'ts: Tips for Surviving the First 24 to 48 Hours After an Incident

November.03.2021

As cybersecurity incidents become increasingly complex, your initial response to a potential cybersecurity crisis matters. The decisions that you make in the first 24 to 48 hours of a potential cybersecurity incident can have a lasting financial, reputational and legal impact on your company.

Drawing on our experience from working on some of the largest and most complex incidents in history—including nation-state attacks with national security implications, enterprise-wide network intrusions, malicious and negligent insiders, business email compromises, ransomware attacks and everything in between—we prepared this high-level list of do's and don'ts in the first 24 to 48 hours of a cybersecurity incident.

Do:

Do: Take steps to safely secure your network to the extent that your internal resources have the capabilities to do so.

Do: Immediately engage legal counsel to help determine legal obligations that flow from the incident (e.g., when and how to notify), manage the crisis response and investigation and assert and preserve privilege over the same.

Do: Identify and convene your internal incident response team which should include information technology (IT), legal and public relations (PR) and communications team members to lead the incident response.

Do: Activate any incident response plans and business continuity plans you have in place.

DO: Consider the need for specialist third parties, including forensic firms and communications experts as required.

Do: Determine whether you have cyber insurance and work with your lawyers to activate your policy.

Do: Establish a regular cadence of calls to keep all relevant stakeholders informed of developments.

Do: Consider taking communications off the company domain (consider a secure Teams site or similar) if the threat actor could still be in the system.

Do: Create a "real-time" factual log of all decisions taken and activities carried out.

DO: Stick to simple holding statements to enable you to provide a consistent and coherent response to any immediate queries received from third parties while you develop a communications strategy.

Don't:

Don't: Treat every incident as a crisis. Instead, determine the organization's risk level and respond appropriately.

Don't: Immediately notify regulators or data subjects, as you usually have more time than you think you do to gather the facts and determine your legal obligations. Acting hastily often results in over-notification and increased risk.

Don't: Release reactive or proactive communications. Publishing incomplete or worse, inaccurate information can materially increase the legal and reputational risk.

Don't: Engage directly with the threat actor without engaging specialists to determine how best to engage and if relevant, how to respond to any ransom requests.

Don’t: Instruct third parties directly, including security/forensics specialists, without first engaging legal counsel, as this may result in unhelpful chains of correspondence, documents or reports which may need to be disclosed to third parties, law enforcement and regulators at a later stage.

Don't: Delete any files or correspondence as it is important to preserve all documents and evidence in case of future litigation or regulatory enforcement.

Don't: Create damaging documents. In a crisis even the coolest heads can panic, so avoid putting things in writing pointing blame or catastrophizing the situation, because these documents can and will be used against you later.

Orrick's global Cyber Incident Response Crisis Hotline is available 24 hours a day, seven days a week. Email us at [email protected] or call our 24/7 hotline if you are experiencing a crisis or need help determining if your network has been compromised.