Discovering that a cyberattack has hit your business is one of the most disorienting moments an executive or business owner can face. It’s natural to want to start clicking around, call an emergency team meeting, or worse, let things sit, hoping it’s all just a glitch.

But the decisions you make in the first few hours after a cyberattack are critical, and the wrong moves can turn catastrophic quickly.

Follow this clear, actionable roadmap for what to do when a cyberattack hits.

Step 1: Don’t Panic, But Act Immediately

The moment you suspect a cyberattack has occurred, time is working against you as ransomware spreads, data gets exfiltrated, and systems get further compromised. Panicking leads to mistakes, like unplugging the wrong machines, alerting attackers that they’ve been detected, or destroying evidence you’ll need later.

Your first call should be to your IT team, IT provider, or a cybersecurity incident response professional. If you don’t have any of those on speed dial right now, find a trusted MSP in your area ASAP. Businesses in and around Tampa Bay and Palm Beach, Florida, can contact MHD at 833-MHD-INFO (833-643-4636).

Step 2: Isolate and Contain the Threat

It’s imperative to stop the attack from spreading.

Containment is your immediate priority. This means:

  • Disconnect affected systems from the network. Pull the Ethernet cable or disable Wi-Fi on machines you believe are compromised. Do not simply turn them off. Powered-off machines can sometimes lose forensic evidence held in memory.
  • Segment your network if possible. If you have the capability, isolate affected network segments to prevent the attack’s lateral movement to other systems.
  • Disable remote access. Temporarily shut down VPN access, remote desktop connections, and any other remote entry points into your network. Attackers frequently use these to maintain persistence after the initial breach.
  • Do not wipe or reimage machines yet. As tempting as it is to “start fresh,” doing so destroys evidence that’s essential for understanding what happened, how it happened, and whether any data was taken.

Step 3: Activate Your Incident Response Plan

Ideally, your business has a documented incident response plan. If so, now is the time to activate it.

If you don’t have one, you’ll need to improvise a command structure on the spot.

Designate:

  • An incident commander—the person making final calls during the response
  • A technical lead—whoever is closest to the systems
  • A communications lead—someone to manage internal and external messaging
  • A legal/compliance contact—this is especially important if customer data is involved

Establishing clear roles prevents chaos. Even a brief 10-minute huddle to assign these can make the next 48 hours less painful.

Step 4: Document Everything

From the moment you discover the incident, start a written log.

Record:

  • When the incident was discovered, and by whom
  • What systems appear to be affected
  • What actions have been taken, and when
  • Who has been notified

This documentation serves multiple purposes: it supports your internal investigation, it’s required for most regulatory reporting, and it will be essential if you need to work with law enforcement or file a cyber insurance claim. Use a notebook, a shared document, or even a chain of emails—just make sure documentation starts from the beginning.

Step 5: Assess the Scope of the Attack

Once you’ve contained the immediate threat, you need to understand what you’re dealing with. This is where a cybersecurity professional becomes essential if you don’t already have one engaged.

Key questions to answer:

What type of attack is this?

Is it ransomware, phishing-based credential theft, business email compromise, denial-of-service, or something else? Your response will differ depending on the attack type.

What systems were affected?

Workstations, servers, cloud environments, email, and so much more can all be compromised in a cyberattack.

Was data accessed or exfiltrated?

Knowing this is critical for both your business and regulatory compliance.

How did they get in?

Understanding the entry point is essential to closing it and preventing future attacks.

Don’t assume the scope is small. Attackers can remain inside a network for weeks or months before they make themselves known, so the first systems you notice are rarely the only ones affected.

Step 6: Notify the Right People

Cyberattack notification is not optional, and it’s not just about internal communications. Depending on your industry, your location, and the nature of the breach, you may have legal obligations to notify:

  • Your cyber insurance provider (if applicable)—Do this early. Most policies have notification requirements with tight windows, and failing to report promptly can affect your coverage.
  • Law enforcement—The FBI’s Internet Crime Complaint Center (IC3) accepts reports of cybercrime at ic3.gov. For ransomware specifically, law enforcement may be able to assist and has intelligence that can help your response.
  • Regulatory bodies—If you handle healthcare data (HIPAA), financial data, or customer personal data in certain states, breach notification laws may require you to report the incident within a specific timeframe.
  • Affected customers or partners—If their data was compromised, they have a right to know. How and when you communicate this should be guided by legal counsel.
  • Your employees—Your team needs to know what happened, what it means for them, and what they should or shouldn’t do (like resetting passwords or avoiding certain systems).

Step 7: Eradicate the Threat and Begin Recovery

Only after you have a clear picture of the attack’s scope and entry point should you begin remediation. This phase includes:

  • Removing malware, backdoors, and attacker persistence mechanisms from affected systems.
  • Patching the vulnerability that allowed the attacker in.
  • Resetting all credentials, not just the ones you know were compromised. Assume all passwords on affected systems have been compromised.
  • Restoring systems from clean backups. This is where solid, tested, off-site backups earn their keep. If you don’t have them, recovery becomes significantly more complicated and expensive.
  • Rebuilding compromised systems from scratch when necessary.

Rushing this phase is a common mistake. Businesses that bring systems back online before fully eradicating the threat often get hit again within days.

Step 8: Conduct a Post-Incident Review

Once the immediate crisis is over, resist the urge to put it behind you. It’s critical to evaluate the entire incident to prevent it from happening again.

Ask:

  • What went wrong, and why?
  • Where were the gaps in your defenses?
  • How did the attacker get in and move around undetected?
  • What would have made the response faster and more effective?

A thorough post-incident review, ideally conducted with the help of a cybersecurity professional, turns a painful experience into a meaningful investment in your organization’s future resilience.

A Full Defense Strategy Against Future Threats

If reading this guide makes you realize that your business doesn’t have an incident response plan, monitored security tools, or a trusted IT partner to call in a crisis, you are not alone. Too many small and mid-size businesses are operating with significant gaps in their cybersecurity posture.

The good news is that you can act now to establish the right protections and the right team, and it doesn’t have to be complicated. It just takes partnering with a skilled, trusted MSP equipped to provide powerful, around-the-clock IT and cybersecurity solutions.

For companies in Florida, all you have to do is contact MHD.

MHD Is Here When It Matters Most—Call 833-MHD-INFO (833-643-4636) Today

Businesses throughout Tampa Bay, Palm Beach, and other parts of Florida trust MHD’s IT professionals for managed cybersecurity services, network monitoring, incident response support, and much more. Whether you’re picking up the pieces after an attack or looking to make sure you’re never in that position in the first place, our team knows how to protect your business and get it back on its feet.

Call MHD and speak directly with our IT pros: 833-MHD-INFO (833-643-4636)

MHD is your premier IT partner, serving businesses in and around Tampa, Florida, and West Palm Beach, Florida.

Frequently Asked Questions About Next Steps After a Cyber Attack

What is the first thing I should do after discovering a cyberattack at my business?

Contain the threat immediately. Disconnect affected systems from the network, disable remote access, and contact a cybersecurity professional or IT provider. Do not turn machines off or wipe them. Preserving the systems in their current state allows forensic investigators to understand what happened and how far the attack spread.

Should I pay the ransom if my business is hit with ransomware?

This is a decision that should involve legal counsel, your cyber insurance provider, and a cybersecurity professional, not one made in the heat of the moment. Paying does not guarantee you’ll get your data back, does not guarantee the attacker will leave, and, in some cases, it may create legal exposure depending on who the attacker is. Explore all options before paying, and engage experts immediately.

Do I have to report a cyberattack to anyone?

It depends on your industry, the type of data involved, and your location. Healthcare organizations covered by HIPAA, financial institutions, and businesses that hold personal customer data in certain states are typically subject to mandatory breach notification laws. Cyber insurance policies also have notification requirements. When in doubt, consult legal counsel early.

How long does it take to recover from a cyberattack?

Recovery timelines vary widely based on the severity of the attack, the quality of your backups, and how quickly you engage qualified help. Minor incidents might be resolved in days. Significant ransomware attacks or data breaches can take weeks or months to remediate fully. Businesses with solid backup systems, a tested incident response plan, and an experienced IT partner recover significantly faster.

What’s the difference between an incident response plan and a disaster recovery plan?

An incident response plan (IRP) focuses specifically on detecting, containing, and recovering from cybersecurity incidents. A disaster recovery plan (DRP) is broader and covers how a business restores operations after major disruptions, such as cyberattacks, natural disasters, or power failures. Both are important, and they often overlap. If your business doesn’t have either, that’s a gap worth addressing before something forces your hand.

How can MHD help my business after a cyberattack?

MHD’s IT professionals provide incident response support, managed security services, and post-incident remediation for businesses throughout Tampa Bay, Palm Beach, and surrounding Florida communities. If your business has been hit, or if you want to make sure it’s protected before something happens, call us at 833-MHD-INFO (833-643-4636) to speak with our team directly.
