Security incidents happen. They happen to organisations with mature security programmes, experienced teams, and robust controls. The measure of a security posture is not only how well it prevents incidents but how effectively it responds when prevention falls short.
Knowing what to do in the first moments after something goes wrong matters. Delayed or poorly managed responses consistently make outcomes worse, giving attackers more time, increasing the scope of compromise, and complicating recovery. A calm, structured response is both possible and worth preparing for.
Incidents don’t always announce themselves clearly. Some are obvious: ransomware that locks systems and displays a demand, an account that suddenly won’t accept a known password, alerts from security tools. Others are subtler: unexpected activity in an account, files accessed or modified without explanation, unfamiliar applications appearing on a device, or system behaviour that has no obvious cause.
Unusual behaviour across accounts, devices, or systems should be treated as a potential indicator rather than dismissed as a technical glitch. The instinct to assume something is a minor fault rather than a security issue is understandable, but acting on that assumption can cost time that matters.
The immediate priority in most incidents is to limit further exposure. If a device is behaving unusually, disconnecting it from the network (where it is safe and appropriate to do so) can prevent an attacker from maintaining access or moving laterally to other systems. Isolate rather than power off: shutting a machine down discards the volatile memory that investigators may later need. This is not about fixing the problem but about stopping it from spreading while help is sought.
Credentials that may have been compromised should be changed promptly, from a device that is not itself suspected of compromise, and any accounts accessible with those credentials should be reviewed. Changing a password does not always end sessions that are already open, so existing sessions and tokens should be revoked as well (usually something the security or IT team can do). If multi-factor authentication (MFA) is in place, check for unexpected authentication attempts, repeated MFA prompts the user did not initiate, and registered devices that shouldn’t be there.
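The kind of review the paragraph above describes, as an added example that is not part of the original page: a small triage script run over sign-in and MFA audit events. The events, field names and the "known devices" list are constructed for this example and do not follow any vendor's log schema; the three checks (a new MFA device registered after the suspected compromise, a successful sign-in from an address never seen before it, and a burst of denied MFA prompts suggesting push fatigue) are the ones a responder would typically want answered first.

```python
"""Triage sign-in and MFA audit events after a suspected credential compromise.

All data below is constructed for illustration; the record layout is an
assumption for this example, not a real provider's audit-log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit events for one user (not real logs).
EVENTS = [
    {"ts": "2024-05-01T08:02:11Z", "user": "j.smith", "type": "signin",
     "result": "success", "ip": "203.0.113.10", "mfa": "push"},
    {"ts": "2024-05-01T12:40:05Z", "user": "j.smith", "type": "signin",
     "result": "success", "ip": "203.0.113.10", "mfa": "push"},
    {"ts": "2024-05-02T23:14:37Z", "user": "j.smith", "type": "signin",
     "result": "mfa_denied", "ip": "198.51.100.77", "mfa": "push"},
    {"ts": "2024-05-02T23:15:02Z", "user": "j.smith", "type": "signin",
     "result": "mfa_denied", "ip": "198.51.100.77", "mfa": "push"},
    {"ts": "2024-05-02T23:15:40Z", "user": "j.smith", "type": "signin",
     "result": "mfa_denied", "ip": "198.51.100.77", "mfa": "push"},
    {"ts": "2024-05-02T23:16:21Z", "user": "j.smith", "type": "signin",
     "result": "success", "ip": "198.51.100.77", "mfa": "push"},
    {"ts": "2024-05-02T23:18:03Z", "user": "j.smith", "type": "mfa_register",
     "result": "success", "ip": "198.51.100.77",
     "device": "Authenticator on Pixel 7"},
]

# Devices the user confirms are theirs (assumption: gathered by asking them).
KNOWN_DEVICES = {"Authenticator on iPhone 13"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, since, known_devices, denial_threshold=3, denial_window_min=10):
    """Return a list of (reason, event) findings for events at or after `since`.

    The baseline of "normal" source addresses is taken from successful sign-ins
    before `since`, i.e. before the compromise is thought to have happened.
    """
    since_dt = parse_ts(since)
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    window = timedelta(minutes=denial_window_min)

    baseline_ips = {
        e["ip"] for e in events
        if e["type"] == "signin" and e["result"] == "success"
        and parse_ts(e["ts"]) < since_dt
    }

    findings = []
    denials = defaultdict(list)   # ip -> timestamps of recent denied prompts
    reported_bursts = set()       # ips already reported for a denial burst

    for e in events:
        t = parse_ts(e["ts"])
        if t < since_dt:
            continue

        if e["type"] == "mfa_register" and e.get("device") not in known_devices:
            findings.append(("unexpected MFA device registered", e))

        elif e["type"] == "signin" and e["result"] == "success" \
                and e["ip"] not in baseline_ips:
            findings.append(("successful sign-in from IP not seen before "
                             "suspected compromise", e))

        elif e["type"] == "signin" and e["result"] == "mfa_denied":
            # Keep only denials inside the sliding window for this source IP.
            recent = [d for d in denials[e["ip"]] if t - d <= window] + [t]
            denials[e["ip"]] = recent
            if len(recent) >= denial_threshold and e["ip"] not in reported_bursts:
                reported_bursts.add(e["ip"])
                findings.append(("repeated MFA denials in a short window "
                                 "(possible push fatigue)", e))

    return findings


if __name__ == "__main__":
    # Suspected compromise: start of 2 May (an assumption for the example).
    for reason, event in triage(EVENTS, "2024-05-02T00:00:00Z", KNOWN_DEVICES):
        print(f"{event['ts']} {event['user']} {event['ip']}: {reason}")
```

The findings are ordered as they occurred, which matters when writing up the timeline for the report: the denied prompts come first, then the successful sign-in from the new address, then the registration of a device the user does not recognise. Anything this flags is a lead for the security team to confirm, not a conclusion.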
The instinct to try to fix things quickly and quietly is common and understandable. It’s also one of the factors that most consistently makes incidents worse. Containment takes priority over repair.
Report early, report accurately, and report to the right people. In an organisational context that means following whatever incident reporting process is in place, typically a security team, IT function, or helpdesk, rather than attempting to resolve things independently.
When reporting, include what you noticed and when, what actions you’ve taken since, which systems or accounts may be affected, and whether anyone else is involved or aware. You don’t need a complete picture before reporting. Incomplete information reported promptly is more useful than a thorough account provided after a significant delay.
If personal data may have been involved (customer records, staff information, anything that falls under data protection obligations), this needs to be flagged specifically and quickly. Regulatory timelines for breach notification are short (under the UK GDPR, a reportable breach must be notified to the regulator within 72 hours of the organisation becoming aware of it), and missing them compounds the problem.
The (quite natural) instinct after an incident is to clean up: delete the suspicious email, wipe the affected device, clear logs. This is often counterproductive. Forensic investigation depends on preserving what was there; deleting what looks like the problem often removes the information needed to understand how it happened and what else may have been affected.
Leave affected systems, files, and communications in place unless instructed otherwise by whoever is managing the response. If in doubt, ask before acting.
Once an incident is contained and under investigation, the next step is to understand what happened, how far it reached, and what needs to change. This is where lessons are identified and controls improved, not as a blame exercise but as a practical step towards reducing the likelihood or impact of a recurrence.
Incidents that are reported, investigated, and acted on properly make organisations more resilient. Incidents that are quietly managed around the edges of process tend to resurface, often more seriously.
The most important thing anyone can do when something goes wrong is act quickly, report honestly, and resist the urge to handle it alone.
Further reading:
- NCSC – Incident Management: https://www.ncsc.gov.uk/section/advice-guidance/all-topics/incident-management