What To Do If Your Business Has Suffered a Cyber Attack (And How To Reduce the Damage)

Cyber attacks are now a routine business risk, not an edge case. Recent industry reporting shows the global average cost of a data breach reached about $4.45 million in 2023, a roughly 15% increase since 2020, with the United States averaging close to $9.5 million per incident. At the same time, many organizations continue to underinvest in cybersecurity, often spending only a few hundred dollars a year on basic protections, while remaining attractive targets for attackers.

In that context, maintaining strong cyber hygiene and having a tested incident response plan is no longer optional. It is essential for regulatory compliance, business continuity, and reputation protection. When an incident happens, what your organization does in the first hours and days will determine the overall impact, the cost, and how quickly you can restore normal operations.

2023–2024 cyber risk snapshot

  • 64% of organizations report at least one cyber attack or data breach.
  • Ransomware remains one of the most common attack types, with double‑digit year‑over‑year growth in many sectors.
  • Over 75% of attacks still begin with a phishing or scam email, highlighting the importance of security awareness.
  • The average breach now takes about 277 days from identification to full containment and recovery, underscoring the need for faster detection and response.

In light of successful cyberattacks on multiple governments and corporations, the obvious question is what the rest of us can do. The answer lies in prevention and planning. In the event of an attack, there are practical steps your organization can take to mitigate the impact.

Cyber risk by the numbers

Today’s threat landscape is defined by the volume, speed, and sophistication of attacks. Current studies and threat analyses highlight several key trends:

  • A majority of organizations report experiencing at least one cyber attack or data breach, with many facing multiple incidents per year.
  • Ransomware remains one of the most disruptive and costly types of attack, with year‑over‑year growth reported across several sectors and geographies.
  • More than three‑quarters of successful intrusions still begin with phishing or other social engineering tactics, underscoring the importance of user awareness.
  • The typical breach lifecycle—from initial compromise to full containment and recovery—can approach nine months, significantly driving up direct, legal, and reputational costs.

The takeaway is clear: the longer it takes to detect, contain, and recover from an attack, the more damage your business will sustain. Planning and preparation are the most effective ways to reduce that impact.

Immediate steps after a cyber attack

Effective response aligns well with the NIST incident response lifecycle, which organizes activities into four core phases: preparation; detection and analysis; containment, eradication, and recovery; and post‑incident activity. Even if your organization does not yet have a formal plan in place, you can still move quickly and methodically through these steps.

1. Investigate and contain immediately

At the earliest sign of suspicious activity, such as unusual logins, disabled security tools, unexplained system behavior, or ransom notes, assume a potential incident and begin investigating. Confirm whether a cyber attack has occurred, which systems are affected, and whether sensitive data has been accessed or exfiltrated.

At the same time, work to contain the incident in a controlled way. This can include isolating compromised endpoints from the network, disabling or resetting potentially compromised accounts, and blocking known malicious IP addresses, domains, and command‑and‑control channels. Containment actions should be deliberate and well documented so that you do not inadvertently destroy valuable forensic evidence.

2. Document everything

Comprehensive documentation is essential during and after a cyber attack. It supports internal decision‑making, legal and regulatory reporting, cyber insurance claims, and technical remediation. Capture as much of the following as possible, in real time:

  • When the incident was first observed, by whom, and how it was detected (for example, monitoring alert, user report, or third‑party notification)
  • Which systems, applications, accounts, and data repositories appear to be affected
  • The suspected attack vector (for example, phishing email, exploited vulnerability, stolen credentials, misconfigured cloud service)
  • Any ransom notes, extortion demands, or attacker communications, including payment instructions and deadlines
  • All actions you have taken so far—blocking IPs, disabling accounts, shutting down servers, restoring from backup, or engaging third parties
  • Names and roles of all internal stakeholders and external partners involved in the response

This detailed timeline and evidence set allows digital forensics teams to reconstruct the attack path and helps leadership understand the scope, impact, and potential obligations arising from the incident.
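
The following Python sketch is an added example (not code from the original post or from JANUS) showing one way to keep the real‑time record described in steps 1 and 2 tamper‑evident: every observation, containment action, and notification is appended to a journal whose entries are chained with SHA‑256, so a forensics team can later verify that nothing was altered, removed, or reordered. The incident identifier, host names, account name, and timestamps are constructed placeholders.

```python
"""Hash-chained incident journal (added example; not code from the original post or JANUS).

Each entry carries the SHA-256 of the previous entry, so editing or deleting any earlier
entry breaks verification of everything after it. All identifiers and timestamps below
are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _digest(body):
    # Canonical JSON (sorted keys) so identical content always hashes identically
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class IncidentJournal:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, category, summary, assets=(), when=None):
        """Append one entry; category is e.g. 'observation', 'containment', 'notification'."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        timestamp = (when or datetime.now(timezone.utc)).isoformat()
        body = {
            "seq": len(self.entries) + 1,
            "incident": self.incident_id,
            "timestamp": timestamp,
            "actor": actor,
            "category": category,
            "summary": summary,
            "assets": sorted(assets),
            "prev_hash": prev_hash,
        }
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, index of first bad entry)."""
        prev_hash = GENESIS_HASH
        for index, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev_hash:
                return False, index  # an earlier entry was removed or reordered
            unsigned = {k: v for k, v in entry.items() if k != "hash"}
            if _digest(unsigned) != entry["hash"]:
                return False, index  # this entry's content was altered
            prev_hash = entry["hash"]
        return True, None

    def timeline(self, category=None):
        """Chronological (timestamp, actor, summary) tuples, optionally for one category."""
        return [
            (e["timestamp"], e["actor"], e["summary"])
            for e in self.entries
            if category is None or e["category"] == category
        ]

    def affected_assets(self):
        """Every asset named in any entry, deduplicated and sorted."""
        return sorted({a for e in self.entries for a in e["assets"]})


def build_sample_journal():
    """Constructed walk-through of the first hour of a ransomware incident (placeholder data)."""
    journal = IncidentJournal("INC-EXAMPLE-001")  # placeholder identifier
    t0 = datetime(2024, 3, 4, 8, 12, tzinfo=timezone.utc)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    journal.record("soc-analyst", "observation",
                   "EDR alert: antivirus service stopped on workstation", ["FIN-WS-07"], at(0))
    journal.record("helpdesk", "observation",
                   "User reports ransom note on finance file share", ["FIN-WS-07", "FILESRV-02"], at(6))
    journal.record("it-ops", "containment",
                   "Network-isolated workstation via EDR console", ["FIN-WS-07"], at(9))
    journal.record("it-ops", "containment",
                   "Disabled domain account and revoked active sessions", ["user:jdoe"], at(14))
    journal.record("legal", "notification",
                   "Engaged external DFIR firm and notified cyber insurer", [], at(40))
    return journal


if __name__ == "__main__":
    journal = build_sample_journal()
    print("chain valid:", journal.verify())
    for row in journal.timeline():
        print(*row)
```

In practice the journal would be written to append‑only storage outside the affected environment (the attacker may still have access to it), and the entry hashes can be shared with counsel or the DFIR provider as they are produced so the chain can be checked independently later.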

3. Engage internal and external experts

Most organizations do not investigate and remediate serious cyber attacks using only internal resources. As soon as you confirm a likely incident, convene your internal response stakeholders: IT and security, executive leadership, legal and compliance, privacy, HR, and communications as appropriate. Establish clear ownership for technical response, regulatory analysis, and communications.

In parallel, consider engaging a qualified digital forensics and incident response (DFIR) provider and a cybersecurity consulting partner. These experts can help you preserve evidence correctly, identify the root cause, verify whether data has been exfiltrated, and guide containment and eradication in a way that aligns with recognized frameworks such as NIST, CIS, and ISO 27001. The right partner can also help you coordinate with cyber insurance carriers and evaluate whether you are meeting their requirements.

Regulatory, legal, and disclosure obligations

Cyber attacks are no longer only a technical problem; they carry significant regulatory, legal, and investor‑relations implications. Organizations must understand and satisfy applicable reporting and disclosure requirements to reduce downstream exposure.

4. Contact the appropriate authorities

Depending on the nature and severity of the incident, you may need (or choose) to notify law enforcement and relevant government agencies. For many businesses, this includes reporting cyber crime to the FBI Internet Crime Complaint Center (IC3) and, in certain circumstances, working with agencies such as the Department of Homeland Security or the Cybersecurity and Infrastructure Security Agency (CISA).

Publicly traded companies in the United States face additional obligations under the SEC’s cybersecurity disclosure rules finalized in 2023. These rules require registrants to disclose material cybersecurity incidents on Form 8‑K within four business days after determining the incident is material, and to provide annual disclosures about cybersecurity risk management, strategy, and governance. Coordinating with counsel early helps determine whether an incident is material and ensures disclosures are accurate and aligned with other regulatory communications.

5. Disclose the event and notify affected parties

If your organization collects or processes personal data, such as payment card information, personally identifiable information, or protected health information, you may be required to notify affected individuals and specific regulators under state or federal breach notification laws. Many state laws define reporting duties based on where impacted residents live, not solely where your organization is headquartered.

Healthcare organizations and their business associates, for example, must comply with HIPAA breach notification requirements, which include notifying the U.S. Department of Health and Human Services (HHS) and, in some cases, prominent media outlets. Across industries, working closely with legal counsel to develop compliant notification letters and public statements is essential.

Communications should be timely, clear, and consistent, and should explain what happened, what data may have been affected, what steps you are taking, and what support or protection you are offering. This approach helps maintain trust and reduces the likelihood that customers will first learn of the incident from media reports or third parties.

Building resilience to prevent future attacks

Once the immediate incident is contained and reported, the focus should shift to strengthening your defenses and resilience. The cost of prevention and preparation is significantly lower than the cost of repeated breaches and extended downtime.

6. Develop and test an incident response plan

Every organization should maintain a formal incident response plan aligned with the NIST incident response lifecycle. The plan should define:

  • Roles and responsibilities for technical, legal, compliance, communications, and executive teams
  • Escalation criteria, decision‑making thresholds, and communication channels
  • Technical playbooks for common scenarios such as ransomware, business email compromise, lost or stolen devices, and cloud account compromise
  • Procedures for involving external partners, including forensics, legal counsel, regulators, and cyber insurance providers

Integrate this plan with your business continuity and disaster recovery capabilities so that you can restore critical systems in a prioritized, controlled manner while meeting defined recovery time and recovery point objectives. Regular tabletop exercises and simulations help validate assumptions, train executives and responders, and expose gaps before real events occur.

7. Strengthen policies and cyber hygiene

Effective cyber risk reduction starts with strong governance and day‑to‑day practices. Many of these measures align directly with leading frameworks such as CIS Controls and ISO 27001. Organizations should:

  • Enforce robust identity and access management, including unique accounts, strong passwords, and multi‑factor authentication for remote access and privileged roles
  • Apply least‑privilege principles so users and systems have only the access they need to perform their duties
  • Maintain secure configurations for endpoints, servers, and network devices, and regularly patch operating systems, applications, and firmware to remediate known vulnerabilities
  • Ensure corporate email and collaboration platforms are protected with modern phishing and malware defenses and that remote connectivity is secured using appropriate encryption and access controls

Security awareness training is also critical, as most attacks begin with phishing or other social engineering. Training should be ongoing, role‑based, and supported by simulated phishing campaigns and clear reporting channels for suspicious messages.

8. Enhance technical security controls

Beyond policies and awareness, organizations need technical controls that provide continuous visibility and protection. Modern security programs often focus on:

  • Centralized log management and security information and event management (SIEM) to correlate events across systems and applications
  • Endpoint detection and response (EDR) or extended detection and response (XDR) capabilities to identify and contain malicious activity on endpoints and servers
  • Regular vulnerability assessments and penetration testing to proactively discover exploitable weaknesses in on‑premises and cloud environments
  • Data protection measures such as encryption, network segmentation, and tested backup and recovery processes to limit lateral movement and ensure you can recover clean copies of data after an incident

Get Help From JANUS Today

Our mission is to improve the information security of our clients, and of society at large.

JANUS Associates is the nation’s first and oldest independent IT security consultancy, providing cybersecurity consulting, IT risk assessment, and incident response services to public and private sector organizations. In business since 1988, JANUS offers a full range of high-quality cyber security, privacy, and regulatory compliance services at affordable costs. Organizations seek us out to assist them with improving their cybersecurity, compliance, and privacy programs.

  • Assess cybersecurity posture and regulatory compliance, including SEC cybersecurity disclosure readiness, HIPAA, and other sector‑specific requirements
  • Design, implement, and exercise incident response, disaster recovery, and business resilience plans
  • Conduct vulnerability assessments and penetration tests to identify and remediate weaknesses in networks, applications, and cloud environments
  • Provide expert guidance during and after incidents to reduce business disruption, regulatory exposure, and long‑term risk

If your business has suffered a cyber attack, or you want to evaluate how prepared you are for the next one, JANUS Associates can help you move from reactive firefighting to proactive, standards‑based cyber risk management that protects your data, your operations, and your reputation. View Our Cyber Security Solutions here or contact us today.