When a cyber breach occurs, cooler heads need to prevail. This can be a highly emotional and stressful occurrence. Being prepared and having a clear plan of action will help you stay focused, meet your compliance requirements, and above all, minimize the fallout and risk.

In building your response plan, here are five things to consider:

1. Contain

First and foremost, isolate the affected systems or networks to prevent the threat actor from spreading or causing more damage. This may involve your IT and security teams shutting down impacted servers, partitioning networks, or disconnecting affected devices from the internet.

2. Notify

Depending on the type of breach and jurisdictional requirements, you may be legally obligated to notify impacted or potentially impacted parties, including customers, partners, employees, and regulatory bodies. If you are obligated to notify, you will need to provide information about the breach, including its extent, along with what you are doing to address it and steps individuals can take to protect themselves.

3. Investigate

Don’t go it alone! Bring in professionals experienced in conducting post-breach forensics to gain a full understanding of the breach and the threat actor, including the extent of the breach, where and when it started, techniques used to access your environment, and what specific systems and data were compromised. Additionally, make sure you preserve evidence and logs that will assist in the breach analysis.

4. Message

Having a well-conceived communications strategy for handling internal and external messaging will serve you well in the near and long term. If you have a PR agency, engage with them early and inquire about crisis management services. Your communications plan should include a consistent set of messages crafted for each specific audience, such as employees, customers, and the media.

5. Recover

Remember, you can overcome a breach! Once the breach has been contained and you have identified the entry points and tactics, focus on locking down the system and removing any vulnerabilities that allowed the incident to happen or could expose you in the future. This might include patching systems, changing passwords, strengthening security protocols, and implementing additional security measures. You will also want to have a plan to quickly and, above all, safely get affected systems and services back online to minimize downtime and mitigate the chance of another breach.

CyberHawk-AI by Integreon
The first cyber incident response machine learning application

As the only end-to-end cyber incident response (CIR) solution downstream of forensics, Integreon understands the role of speed and accuracy during first-pass CIR reviews. Historically, this has been a highly manual process that could result in errors, inaccuracies, and bottlenecks. At Integreon, we knew we could do more and do it better for our clients.

Leveraging deep CIR expertise honed over five years working across industries, jurisdictions, and document types, Integreon’s center for innovation, the i-Lab team, developed CyberHawk-AI, the first CIR ML application.

Technology and deep expertise power a scalable cyber-specific data mining and review platform

Integreon is a pioneer in cyber incident response (CIR) with a highly evolved, built-for-purpose platform and processes that enable the handling of large, complex, multi-lingual projects. Our proprietary tech stack addresses niche document types and bespoke workflows and is the product of a team of experienced technologists and data scientists dedicated to CIR innovation.

Learn more about Integreon’s Cyber Incident Response services here: https://www.integreon.com/what-we-do/legal-and-compliance-solutions/cyber-incident-response/