A cyber incident can happen at any time, and quick, coordinated action is critical to minimise impact. This guide outlines the steps all staff should follow if they suspect a security incident, such as malware, phishing, or unauthorised access. Keep this guide accessible at your workstation so your team can respond immediately and correctly.
Create your own one-page guide
Access our interactive Cyber Incident Plan Builder to generate a customisable, print-ready one-page guide for your organisation.
For all staff: If you suspect a cyber incident, act immediately and follow these steps.
-
Stop and Isolate
• Immediately stop using the device.
• Disconnect from Wi-Fi or unplug the network cable if safe to do so.
• Do not power off the device unless instructed by IT or the MSP.
• For mobile devices, enable airplane mode. -
Preserve Evidence
• Do not attempt to fix the issue yourself.
• Do not delete emails, files, browser history, or logs.
• Leave any suspicious messages, windows, or files open. -
Capture Basic Details
• Take screenshots or photos of anything unusual, including timestamps, senders, and error messages.
• Note what you were doing just before the issue occurred. -
Report Immediately
• Contact: <security@company / hotline / ticket> or call <Incident Lead / IT>.
• Report first, then provide details.
• Include: name, device, time, what happened, actions taken. -
Protect Accounts if Directed
• Only change passwords if instructed by IT and use a clean device.
• Enable MFA if prompted.
• Do not forward suspicious emails to colleagues; use the reporting function in Outlook. -
Follow Response Instructions
• Cooperate with IT or MSP for containment and investigation.
• Do not communicate externally about the incident.
• Only authorised personnel may contact customers, partners, or media. -
Post-Incident Actions
• Complete any required follow-up actions or awareness refreshers.
• Do not delete files or contact customers unless instructed.
• Await confirmation before resuming normal use of the device.
Comments