In July 2020, Garmin went dark. Their fitness trackers, aviation navigation tools, and customer support systems all went offline simultaneously. A ransomware attack attributed to the WastedLocker strain reportedly crippled the company for days. If you're wondering how to respond to a cyberattack, Garmin's very public scramble is the kind of wake-up call that should make every organization pay attention — because most businesses don't have Garmin's resources to recover.
I've worked incident response cases where the first 60 minutes determined whether a company lost thousands or millions. The difference almost always comes down to preparation. Not the fancy tools. Not the expensive consultants. The plan — and whether anyone actually practiced it.
This guide walks you through exactly what to do before, during, and after a cyberattack. It's based on real incident response frameworks, actual breach data, and hard lessons I've seen organizations learn the expensive way.
Why Most Organizations Fail When a Cyberattack Hits
According to the 2020 Cost of a Data Breach Report from IBM and the Ponemon Institute, the average cost of a data breach hit $3.86 million globally this year. Organizations that contained a breach in under 200 days saved an average of $1.12 million compared to those that took longer.
That gap isn't about technology. It's about response speed. And response speed comes from having a plan that people actually know how to execute.
Here's what I see over and over: companies buy endpoint detection tools, install firewalls, and assume they're covered. Then a threat actor sends a well-crafted phishing email, one employee clicks, and suddenly the security team is scrambling to figure out who's in charge, what systems are affected, and whether they should call law enforcement or their cyber insurance carrier first.
That confusion is where the real damage happens.
How to Respond to a Cyberattack: The 6-Phase Framework
The gold standard for incident response is NIST's Computer Security Incident Handling Guide (NIST SP 800-61 Rev. 2). I've adapted its phases into a practical workflow that any organization — from a 20-person office to a Fortune 500 — can use.
Phase 1: Preparation — Before Anything Goes Wrong
This is the phase that saves you. If you're reading this article and you haven't been attacked yet, you're in the best possible position. Use it.
Preparation means:
- Documenting an Incident Response Plan (IRP). This isn't a 200-page binder no one reads. It's a concise playbook: who gets called, what their roles are, what the escalation chain looks like, and where critical contact info lives (insurance carrier, legal counsel, law enforcement, IT vendors).
- Identifying your crown jewels. What data, if stolen, would destroy your business? Customer PII? Financial records? Intellectual property? You can't protect everything equally, so know what matters most.
- Running tabletop exercises. Gather your incident response team in a room and walk through a scenario. "It's Tuesday morning. Accounting reports they can't open any files. The file server shows ransom notes. Go." I've watched executives realize during these exercises that they don't even know their own backup schedule.
- Training every employee. The Verizon 2020 Data Breach Investigations Report found that 22% of breaches involved phishing. Your employees are your first line of detection — or your biggest vulnerability. Investing in cybersecurity awareness training gives your staff the ability to recognize social engineering before it becomes an incident.
Phase 2: Detection and Identification — Something Is Wrong
You can't respond to what you can't see. Detection is where most organizations discover how blind they actually are.
Common indicators of a cyberattack include:
- Unusual outbound network traffic, especially to unfamiliar IP addresses or countries
- Unexpected account lockouts or credential theft alerts
- Employees reporting phishing emails or suspicious login prompts
- Antivirus or EDR tools flagging malware that keeps reappearing
- Unexplained database queries or large data exports
- Ransom notes appearing on screens or file systems
When you detect something, the first step is classification. Is this an actual incident or a false positive? Who reported it? What systems are involved? Document everything from minute one. Timestamps matter enormously for forensics and for any legal proceedings that follow.
I always tell my clients: "Assume it's real until you've proven it's not." The cost of overreacting is a few hours of investigation. The cost of underreacting can be catastrophic.
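To make the indicator list above concrete, here is an added example (not code from the original article) that runs a few of those checks over constructed sample log lines: repeated account lockouts per user, a large transfer to a destination outside the networks you recognise, and an oversized database export. The log format, the thresholds and the "known" networks are assumptions for the example; every finding carries the timestamp of the event that triggered it, which is the first thing a forensic timeline needs.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from any real environment), one event per line:
#   <ISO timestamp> <type> key=value ...
SAMPLE_LOG = """\
2020-08-03T09:01:10 auth user=jsmith result=LOCKOUT
2020-08-03T09:01:15 auth user=jsmith result=LOCKOUT
2020-08-03T09:01:22 auth user=jsmith result=LOCKOUT
2020-08-03T09:01:40 auth user=jsmith result=LOCKOUT
2020-08-03T09:02:05 auth user=jsmith result=LOCKOUT
2020-08-03T09:05:00 net dst=10.0.0.5 bytes=20480
2020-08-03T09:06:30 net dst=203.0.113.77 bytes=734003200
2020-08-03T09:07:00 db user=svc_report rows=1200000 action=SELECT_EXPORT
2020-08-03T09:08:00 auth user=mlee result=LOCKOUT
"""

# Assumed "familiar" destinations; anything outside them is treated as unfamiliar.
KNOWN_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LOCKOUT_THRESHOLD = 3                          # lockouts per user before flagging
EXPORT_ROWS_THRESHOLD = 100_000                # rows in a single export before flagging
OUTBOUND_BYTES_THRESHOLD = 100 * 1024 * 1024   # 100 MiB to an unfamiliar host

def parse_line(line):
    """Split one log line into (timestamp, event type, {key: value})."""
    ts, kind, *fields = line.split()
    return datetime.fromisoformat(ts), kind, dict(f.split("=", 1) for f in fields)

def detect_indicators(log_text):
    """Return (timestamp, indicator, subject) for each indicator found, in log order."""
    findings = []
    lockouts = Counter()
    for line in log_text.splitlines():
        ts, kind, f = parse_line(line)
        if kind == "auth" and f.get("result") == "LOCKOUT":
            lockouts[f["user"]] += 1
            if lockouts[f["user"]] == LOCKOUT_THRESHOLD:   # flag once, at the threshold
                findings.append((ts.isoformat(), "repeated_lockout", f["user"]))
        elif kind == "net":
            dst = ipaddress.ip_address(f["dst"])
            unfamiliar = not any(dst in net for net in KNOWN_NETS)
            if unfamiliar and int(f["bytes"]) >= OUTBOUND_BYTES_THRESHOLD:
                findings.append((ts.isoformat(), "large_outbound_to_unfamiliar_host", f["dst"]))
        elif kind == "db" and int(f.get("rows", 0)) >= EXPORT_ROWS_THRESHOLD:
            findings.append((ts.isoformat(), "large_data_export", f["user"]))
    return findings

if __name__ == "__main__":
    for finding in detect_indicators(SAMPLE_LOG):
        print(*finding)
```

Each finding is a lead to classify, not a confirmed incident; the point is that the check is cheap enough to run continuously and the output is already timestamped for the record.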
Phase 3: Containment — Stop the Bleeding
Once you've confirmed an incident, containment is your immediate priority. The goal is simple: prevent the threat actor from expanding their access or exfiltrating more data.
Containment has two stages:
Short-term containment: Isolate affected systems immediately. Disconnect compromised machines from the network — but don't power them off. Shutting down a system can destroy volatile memory that forensic investigators need. If the attack involves credential theft, force password resets on all affected accounts and revoke active sessions.
Long-term containment: Once you've stopped the immediate spread, set up a clean environment. This might mean building a parallel network segment, applying emergency patches, or deploying additional monitoring on unaffected systems to watch for lateral movement.
A critical mistake I see: organizations skip containment and jump straight to "wipe everything and rebuild." That destroys evidence. If you need to file an insurance claim, report to regulators, or pursue legal action, you need that evidence intact.
Phase 4: Eradication — Remove the Threat
Containment stops the bleeding. Eradication removes the bullet.
This phase involves identifying the root cause and eliminating it entirely. If a threat actor gained access through a phishing email that installed a backdoor, you need to find every system that backdoor touched. If they exploited an unpatched vulnerability, you need to patch it — and verify no other systems have the same exposure.
Eradication often requires:
- Full malware scans across all systems, not just the ones you know were affected
- Reviewing all user accounts for unauthorized additions or privilege escalations
- Checking scheduled tasks, startup items, and registry entries for persistence mechanisms
- Verifying that multi-factor authentication is enabled and functioning on all critical systems
This is also where you discover whether the attacker left additional backdoors. Sophisticated threat actors — especially those deploying ransomware — often plant multiple access points so they can return if you only close one door.
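The eradication checks above (persistence locations, privileged accounts, MFA coverage) only work if you have something to compare against, which is why they belong in the preparation phase as a baseline. This added example (not from the original article) diffs a constructed pre-incident baseline against a constructed snapshot taken during eradication; the host paths, task names and accounts are hypothetical, and how you export the snapshots from a real host is left to your tooling.

```python
# Constructed baseline (captured during preparation) and snapshot (captured during
# eradication). All values are hypothetical examples, not from any real host.
BASELINE = {
    "scheduled_tasks": {"BackupNightly": r"C:\Tools\backup.exe --full"},
    "run_keys": {"OneDrive": r"C:\Users\jsmith\AppData\Local\OneDrive.exe"},
    "admin_members": {"Administrator", "jsmith"},
    "mfa_enabled": {"Administrator": True, "jsmith": True},
}
SNAPSHOT = {
    "scheduled_tasks": {
        "BackupNightly": r"C:\Tools\backup.exe --full",
        "SystemUpdateCheck": r"C:\ProgramData\svc\upd.exe",  # not in the baseline
    },
    "run_keys": {"OneDrive": r"C:\Users\jsmith\AppData\Local\OneDrive_.exe"},  # path changed
    "admin_members": {"Administrator", "jsmith", "support_tmp"},  # new privileged account
    "mfa_enabled": {"Administrator": True, "jsmith": True, "support_tmp": False},
}

def diff_persistence(baseline, snapshot):
    """Return (location, change, name, value) for every persistence entry added,
    changed or removed since the baseline. Removals matter too: disabling a backup
    job is a common precursor to a ransomware deployment."""
    findings = []
    for loc in ("scheduled_tasks", "run_keys"):
        base, now = baseline.get(loc, {}), snapshot.get(loc, {})
        for name, cmd in now.items():
            if name not in base:
                findings.append((loc, "added", name, cmd))
            elif base[name] != cmd:
                findings.append((loc, "changed", name, cmd))
        for name in sorted(base.keys() - now.keys()):
            findings.append((loc, "removed", name, base[name]))
    return findings

def check_privileged_accounts(baseline, snapshot):
    """Return (accounts added to the admin group, admin accounts without MFA).
    Both lists should be empty before eradication is declared complete."""
    added = sorted(snapshot["admin_members"] - baseline["admin_members"])
    no_mfa = sorted(u for u in snapshot["admin_members"]
                    if not snapshot["mfa_enabled"].get(u, False))
    return added, no_mfa

if __name__ == "__main__":
    for finding in diff_persistence(BASELINE, SNAPSHOT):
        print(*finding)
    print(check_privileged_accounts(BASELINE, SNAPSHOT))
```

Run the same comparison against the systems you restore in Phase 5 before they go back into production; a restored backup image that carries an "added" entry is exactly the second-hit scenario described later.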
Phase 5: Recovery — Getting Back to Business
Recovery is the phase everyone wants to rush. Don't.
Bringing systems back online before eradication is complete is how companies get hit twice. I've seen it happen. An organization restores from backups, declares victory, and two weeks later the same ransomware activates again because the attacker's persistence mechanism was baked into the backup image.
Smart recovery looks like this:
- Restore systems from clean, verified backups — test them in an isolated environment first
- Monitor restored systems intensively for at least 30 days
- Implement additional security controls: network segmentation, enhanced logging, tighter access controls
- Validate that all patches and configuration changes from the eradication phase are in place
- Gradually bring systems back into production, starting with the most critical
During recovery, communicate clearly with stakeholders. Your employees need to know what happened and what's changing. Your customers may need notification depending on the data involved. Your legal counsel should guide that conversation.
Phase 6: Lessons Learned — The Meeting Nobody Wants to Have
Within two weeks of recovery, hold a blameless post-incident review. Every person involved in the response should attend.
Answer these questions honestly:
- How did the attacker get in?
- How long were they inside before detection?
- What worked in our response? What failed?
- Where were the gaps in our plan?
- What tools or training would have made a difference?
Document everything. Update your incident response plan based on what you learned. Then — and this is the part most people skip — actually implement the changes.
What Should You Do First During a Cyberattack?
If you're under active attack right now and looking for immediate guidance, here's your priority list:
- Don't panic and don't power off systems. Isolate affected machines from the network by disconnecting cables or disabling Wi-Fi.
- Activate your incident response team. If you don't have one, designate someone as incident commander immediately.
- Document everything. Screenshots, timestamps, error messages, ransom notes — capture it all.
- Contact law enforcement. The FBI's Internet Crime Complaint Center (IC3) accepts reports online. Your local FBI field office has a cyber squad.
- Call your cyber insurance carrier if you have a policy. They'll assign breach counsel and forensic investigators.
- Do not pay a ransom without consulting legal counsel and law enforcement. Payment doesn't guarantee data recovery, and it may violate OFAC regulations.
The Role of Zero Trust in Cyberattack Prevention
If 2020 has taught us anything, it's that perimeter-based security is dead. The mass shift to remote work blew holes in traditional network defenses that threat actors exploited aggressively.
A zero trust architecture operates on a simple principle: never trust, always verify. Every user, device, and connection must be authenticated and authorized before accessing any resource. This limits the blast radius of any single compromise.
Practical zero trust steps you can take now:
- Enforce multi-factor authentication on every account, especially email, VPN, and administrative access
- Implement least-privilege access — users get only the permissions they need
- Segment your network so a compromised workstation can't reach your backup servers
- Log and monitor all access attempts, successful and failed
Your Employees Are the Detection Layer You're Ignoring
Every incident response plan assumes that someone detects the attack. In most small and mid-sized organizations, that someone is an employee who notices something odd — a strange email, an unexpected login prompt, a file that won't open.
If your employees can't recognize a phishing email, your detection capability just dropped to near zero. The Verizon DBIR consistently shows that social engineering and credential theft are the top attack vectors. Your people need to know what these attacks look like.
That's why phishing awareness training for organizations isn't optional — it's a core security control. Running regular phishing simulations teaches employees to pause before clicking, report suspicious messages, and become active participants in your defense rather than passive targets.
I've seen organizations cut their phishing click rates by over 60% within six months of consistent training. That's not a nice-to-have. That's a measurable reduction in your attack surface.
The $3.86M Question: Can You Afford Not to Prepare?
Knowing how to respond to a cyberattack isn't theoretical. It's the difference between a contained incident and an existential crisis. The organizations that survive breaches aren't the ones with the biggest budgets. They're the ones that prepared, practiced, and built a culture where security awareness is everyone's job.
Start with the basics. Write your incident response plan. Train your people. Run a tabletop exercise this quarter. Enable multi-factor authentication everywhere. These aren't expensive initiatives — they're the minimum standard for operating a business in 2020.
The threat actors aren't waiting. Neither should you.