Return to Insights

What to do if your business suffers a cyberattack


As a business owner, you do your best to follow basic cybersecurity practices. You secure your networks, use multifactor authentication, implement security software, and train your employees to know the red flags. But one day it happens, your business or a vendor is hit with a cyberattack. Cyberattacks are never a business event that your organization wants to go through. They are costly and can damage your business’ reputation. They can bring your organization to a halt, suspending operations and make it nearly impossible for you to do business.

Assess the situation and act

In the middle of a cyberattack it can be easy to panic. It’s important to take a few steps to prevent further damage. Immediately following the attack, ensure that your vendors are protecting consumer data and check this on an ongoing basis. Contact your vendor immediately to clarify this information. It will be necessary to immediately understand the impact and scope of the breach. Was the breach isolated to one customer or did it impact many customers?

  • Identify the risks or impact of the breach.

    Was this a customer facing breach? Is there reputational or financial impact due to the breach? It is necessary to begin noting these loss areas immediately in case future legal action is needed.

  • Begin a remediation process based on your Security Incident Response plan.

    Assess if the vendor has communicated an approach in use of their product. If not, it may be necessary to halt use of the vendor’s product or service.

  • Identify state and industry regulations

    Assess if you will need to comply with these regulations during this incident and also identify who you may need to report this event to (Regulatory bodies, customers, etc.).

  • Be aware of your state or industry's data breach notification laws and guidance.

    Does your vendor need to comply with laws and regulations? Do you need to comply on this reporting as well? Contact your legal counsel for guidance on this.


Once you determine the scope of you or your vendor’s breach, contact your customers immediately to notify them of the situation AND provide assurance you are working to remediate and handle the situation. It’s important to communicate as soon as possible while being honest about what happened. Your communications to customers should include an overview of what happened, what you’re doing to prevent further attacks and what customers can do to protect themselves.

You may want to publish a frequently asked questions (FAQ) document to post on social media as well as your website, so you are not inundated with customer questions. If your customer data is affected due to this breach, identify what options are available to the customer. You or the vendor should offer credit monitoring or dark web monitoring to further protect your customer from identity theft.

After the breach

After the breach has been handled by you or your vendor it’s important to conduct post incident review to learn and improve your organization’s security posture. Use the attack as a learning opportunity to improve your cybersecurity. Use the results of the incident review to evaluate if your current security controls are sufficient and where you may need to tighten up.

Evaluate your vendors

If the attack occurred at a vendor, consider the following:

  • Enhance your Vendor Management and oversight program. The vendor experienced a breach. What else should you be evaluating or monitoring?

  • Evaluate the current vendor contract to understand what options your organization has if a vendor breach occurs. Monetary returns and auditing rights are all potential options.

  • Consider if your organization will need to audit the vendor.

Plan and prepare

With the attack fresh in your mind, this is the ideal time to plan. First, update your current security processes to reflect any new learnings from the attack. Next, create an incident response plan to make your organizations response to any future attacks quicker and more organized. You should consider all the action steps you needed to take during this attack and incorporate them into the plan. This should include:

  • How you’ll identify an attack

  • Teams you will need to notify

  • Your response to various incidents

  • Sample drafts of any communications that need to be sent

  • Tabletop exercises of your response plan that you can regularly complete

Lastly, one of the most important things you can do to improve your organization’s security awareness programs is to educate your employees. An organization’s employees are the greatest asset, and educating them is the best way to protect your environment. You should regularly conduct trainings and audits to ensure your employees know the red flags.