Cybersecurity Survival Series – Part III: Recovery

Cyber Attack - The recovery

Don’t Panic!

Following a breach incident, it’s important to take a breath and align your disaster recovery plan. Don’t begin rectifying straight away – your impulse will be to protect the endpoints targeted by the breach, or revert to previous backups to close hacker entry points. If you don’t have a strategy, hasty decisions could worsen the attack.

Make sure any and all important contacts and decision makers in the event of a breach are established before attack and then call on a hard copy contact details for these figures in the event of a particularly bad breach. Actions and responsibilities need to be established ahead of time so any authorisation required for the repair can be directly sought quickly and efficiently.

Keep up lines of communication with staff, customers, suppliers; essentially anyone that could be affected by the breach. It’s important that this comms is kept ongoing, even after the attack has happened, to keep members connected with the network in the know about when they can resume work on safe systems and checked secure channels.

Cyber Attack - The recovery
Cyber Attack – The recovery

PR and Crisis Control

If you’re an organisation large enough to warrant the need for an official media statement, PR will be your best friend. What’s important in this step is that you do not issue false information. Naturally many organisations do not wish to announce to the world any shortcomings in their security, but by addressing the issue as honestly and accurately as possible you can begin to make repairs on your public and brand image. This is also a key step as any publicly released statement can have knock-on affects to cybersecurity insurance policies, should you have one in place.


It’s important to learn from the mistakes made that caused the initial breach. Identify your endpoints and the points of breach to determine the extent of the damage to your systems and networks. It’s key at this point to make sure that your systems are monitored very closely over the next few months to ensure any access does not still remain. Learn from the incident that your previous IT security setups had a flaw and be humble in your acceptance of that – the next steps to take will be to seek new ways or processes to further bolster your defences, in particular the areas in which you fell down in the initial breach.

Depending on the type of attack that the organisation fell victim to, when making the advancements or reparations to your systems and network it may be the case that the sophistication of the attack falls out of your IT team’s level of expertise. In this event, seeking external advice from a security consultant or third-party can be invaluable.

An obvious and more well-known action that will need to be taken in the event of any breach incident is the change of passwords. Stressing the importance of users creating a strong password that is not alike to a previous version is very important to avoid risk of a potential future breach that might seek to utilise credential stuffing, or automatic password guessing programs. It will also be prudent to employ security questions or another form of multi-factor authentication in order for users to login (if not already in place) as this will add another layer of protection.


This element of post-breach activity is entirely reliant on how you have prepared for any potential breaches. Restoring assets can be simple. If you have a pre-beach backup, it could be the case that compromised IT assets can be wiped, or their storage drives replaced, and data redownloaded onto them from the backup. It’s key to catalogue any assets taken out of action and an audit held on what is needed on you network, according to the latest asset identification run by your IT team.

Future Proofing

In part 2 of this series we stressed the importance of not turning off your systems during the attack. One of the reasons for this is that your system activity logs will be preserved during the attack, and these can be sent post-breach for forensic analysis. This will give IT teams a better idea of the source of the attack so that future attempts can be shielded against. They may also come in useful as evidence for claims on any cyber insurance policy.

Cybersecurity threat is ever-evolving in its sophistication, and methods and modes of attack are popping up at a greater rate than businesses are able to protect against. Cybercriminals pose a threat to all industries and companies of any size. A managed cybersecurity service provider (MSSP) will be an important ally to have on your side, both when confronted by a breach and post-event.

One of the most crucial elements to any breach incident is making sure you’ve got a secure method of communication at all times. A system that is separate from the main network will not only allow for undisrupted comms during a crisis, but also will prevent any risk of access in the day-to-day communication of private emails, calls or data.

At Serbus, we provide a truly secure solution for communication, allowing your private information and correspondence to stay that way. Our Serbus Secure suite can be custom tailored to include advanced threat protection (APT) against incoming attack, and built to suit all that your business needs to stay on the front foot against cybercrime.

Get in touch with us for a chat today to see how we can assist with strengthening the security of your communications, email us at, or call our office on +44 (0)1432 870 879.