In 2023, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to their help desk. The threat actor impersonated an employee, gained access to internal systems, and deployed ransomware across the enterprise. The entire operation took roughly 10 minutes to initiate. The recovery took months. Knowing how to respond to a cyberattack isn't optional anymore — it's the difference between a contained incident and an existential crisis for your organization.
I've worked incident response cases where companies did everything right after detection and walked away with minimal damage. I've also seen organizations freeze, make panic-driven decisions, and turn a manageable breach into a catastrophic data loss event. This post gives you the exact steps to take when — not if — your organization faces an attack.
Why Most Organizations Fail When a Cyberattack Hits
According to the IBM Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million in 2024. But here's the number that matters more: organizations with a tested incident response plan saved an average of $2.66 million compared to those without one.
The gap isn't about technology. It's about preparation. Most companies I've assessed have some form of antivirus and firewall in place. What they don't have is a clear, rehearsed plan for the moment those defenses fail.
The most common failures I see are delayed detection, unclear escalation paths, and employees who don't know who to call. These aren't technical problems. They're training and planning problems.
Step 1: Detect and Confirm the Incident
Before you can respond, you need to know something is actually happening. This sounds obvious, but the Verizon 2024 Data Breach Investigations Report found that 68% of breaches took months or longer to discover. Your employees are often your earliest detection layer — they notice the strange email, the locked account, the system behaving oddly.
What Detection Looks Like in Practice
- An employee reports a suspicious phishing email or unusual login prompt
- Your security tools flag anomalous network traffic or unauthorized access attempts
- Systems slow down unexpectedly or files become inaccessible (potential ransomware)
- A vendor or customer reports receiving fraudulent communications from your domain
Once you spot something, confirm it. Not every anomaly is an attack, but every anomaly deserves triage. Assign someone on your team to verify within minutes, not hours.
Training your staff to recognize and report threats immediately is critical. A strong cybersecurity awareness training program turns every employee into an early warning sensor.
Step 2: Contain the Threat Immediately
Containment is where speed matters most. Every minute a threat actor has access, they're moving laterally, escalating privileges, and exfiltrating data. Your goal is to limit the blast radius.
Short-Term Containment Actions
- Isolate affected systems. Disconnect compromised machines from the network. Don't power them off — you may destroy forensic evidence.
- Disable compromised accounts. If credential theft is suspected, reset passwords immediately and revoke active sessions.
- Block malicious IPs and domains. Update your firewall rules and DNS filtering in real time.
- Activate multi-factor authentication on all critical systems if it isn't already enforced.
I cannot stress this enough: don't try to "clean up" before you contain. I've watched teams waste hours reimaging a single workstation while the attacker was still active on three other servers.
Step 3: Assemble Your Incident Response Team
You should already know who's on this team before the attack happens. If you're figuring it out during the crisis, you're already behind.
Who Needs to Be in the Room
- IT/Security lead: Coordinates technical response and forensic analysis
- Executive sponsor: Makes resource and communication decisions
- Legal counsel: Advises on breach notification obligations and regulatory exposure
- Communications lead: Manages internal and external messaging
- HR representative: Involved if insider threat or employee negligence is a factor
Document every action with timestamps. This log becomes critical for regulatory compliance, insurance claims, and law enforcement cooperation.
How to Respond to a Cyberattack: The First 24 Hours
This is the window that defines your outcome. Here's the priority sequence I recommend based on real-world incident response:
- Hour 0-1: Detect, verify, and begin containment. Notify your IR team lead.
- Hour 1-4: Full containment in progress. Begin forensic preservation. Engage legal counsel.
- Hour 4-12: Assess scope — what data was accessed, what systems are affected, how did the attacker get in.
- Hour 12-24: Begin eradication planning. Draft initial communications. Contact your cyber insurance carrier.
If ransomware is involved, do not pay the ransom before consulting with legal counsel and law enforcement. The FBI's Internet Crime Complaint Center (IC3) should be notified, and they may have decryption keys or intelligence about the threat actor group.
Step 4: Eradicate and Recover
Containment stops the bleeding. Eradication removes the threat entirely. These are different steps, and skipping eradication is how organizations get hit twice by the same attacker.
Eradication Checklist
- Remove all malware, backdoors, and persistence mechanisms from affected systems
- Patch the vulnerability that allowed initial access
- Audit all user accounts — especially those with elevated privileges
- Verify backup integrity before restoring any systems
Recovery Priorities
- Restore systems from known-clean backups in a prioritized order: critical business operations first
- Monitor restored systems closely for 72+ hours for signs of reinfection
- Implement additional monitoring and zero trust controls on previously compromised network segments
Recovery isn't just technical. It's operational. Your employees need to know what's changed, what to watch for, and what new security measures are in place.
Step 5: Communicate Clearly and Legally
Breach notification laws vary by state, country, and industry. In the United States, most states require notification to affected individuals within 30 to 60 days. HIPAA, PCI-DSS, and GDPR each have their own timelines and requirements.
Here's what I tell every client: be honest, be specific, and be timely. Vague statements like "we take security seriously" without actionable detail erode trust faster than the breach itself.
Notify affected parties about what happened, what data was involved, what you're doing about it, and what they should do to protect themselves. That's the template that works.
Step 6: Learn From It — The Post-Incident Review
Every incident is a lesson. The organizations that get stronger after an attack are the ones that conduct a brutal, honest post-mortem.
Questions Your Post-Incident Review Must Answer
- How did the attacker gain initial access? Was it a phishing email, an unpatched system, a compromised vendor?
- How long did it take to detect the breach, and what slowed detection?
- Did the incident response plan work as written, or did the team improvise?
- What training gaps did this incident expose?
In my experience, the answer to that last question almost always involves phishing. If your organization hasn't implemented regular phishing awareness training with simulated attacks, you're leaving your biggest vulnerability completely unaddressed.
The Biggest Mistake: Waiting Until After the Attack to Prepare
I've seen companies spend six figures on incident response retainers while spending nothing on the security awareness training that would have prevented the incident in the first place. That math doesn't work.
Your employees will encounter phishing simulations, social engineering attempts, and credential theft attacks this year. The question is whether they'll recognize them. According to Verizon's DBIR, the human element is still involved in the majority of breaches. Your people are both your greatest risk and your strongest defense — depending on how well you train them.
Build your incident response plan now. Test it quarterly. Train every employee, not just IT. And make sure your plan addresses the full lifecycle: detection, containment, eradication, recovery, and lessons learned.
Because the only thing worse than suffering a cyberattack is suffering one you weren't prepared for.