How to respond immediately to prevent a cyber incident getting any worse.
Once you know that some form of cyber incident is underway, as a first step you should:
- Take a look at your security software (such as antivirus alerts and server logs) to see if you are able to identify the specifics of the attack and the cause of the incident. If you are unable to do this (but you know which device has been affected), run your antivirus programme to complete a full scan and make a note of the results it gives you. If nothing is found, consider using an alternative antivirus programme.
- Do not turn off your computer(s) – they should remain on to preserve any evidence. Log off (do not shut down) the computer and ensure no-one uses it – consider putting a sign on it to warn others. Isolate the affected system or device from the network to prevent further disruptions. Quarantine the computer by removing the network cable, or by putting it in ‘airplane mode’ if it is connected to Wi-Fi. Secure any memory discs/CDs/DVDs or other media connected to or used in the computer.
- Check who else has been affected. Speak to your software supplier(s) to find out whether they, or other care providers they supply, are reporting similar incidents.
Data security and protection leads can also use this short form to gather vital information as soon as they suspect something has gone wrong.