Example of a Cyber Incident
What happens during a cyber-incident
Whatever the exact nature of the cyber incident, most organisations experience a chain of events as outlined below. These events, and the "trip-wires" that can occur when plans are not fully developed and tested, are set out below. They are taken from real-world examples of cyber attacks and the steps taken during response, and they highlight areas where plans can go awry. All of these points need to be covered in a cyber incident response plan, and to prove that the plan is fit for purpose a schedule of cyber attack simulations should be put in place.
Convene your incident response team. This should include business service heads, PR, IT management, board representative(s), the DPO, the CRO and an HR representative. Some organisations have failed at this point by not implementing and practising internal notification procedures.
Mobilise the cyber incident response team
The initial discovery of a cyber incident can occur in several ways. It may be that an employee discovers a phishing email and reports it. It may be that several employees have noticed that they cannot access their files, or it could be a warning from an external agency (law enforcement, for example) that they are receiving reliable reports that data from your organisation has been exfiltrated and published in the public domain or on the "dark web". Either way, you'll need to take initial actions to alert your incident team to a potential attack, confirm that an attack has taken place and take some steps to understand the damage.
Engage specialist support
Many organisations found that they did not have the specialist resources required to investigate the attack and to manage their legal liabilities. These resources need to be in place before an attack; trying to secure them when you are on the "back foot" creates delays and causes sub-optimal decision making.
Notify interested parties
Inform insurers, industry regulators and any relevant government agencies of the attack. Ensure that you have a single point of contact within your cyber incident response team for each of these interested parties. Don't be tempted to delay: organisations that do tend to get fined a lot more!
This is the first step in obtaining an understanding of what has happened and how. Your IT people need to preserve system activity logs. Another stumbling block: do your people know what logs they need, how to get them and how to preserve them?
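Preserving logs means more than copying them: the response team needs a record of what was collected, by whom and when, plus a way to show later that nothing has changed. The following is an added example (not code from the original page) of such a preservation manifest; the log contents, file names and the "ir-team" collector name are constructed for the demonstration.

```python
# Added example (not from the original page): preserve collected log files
# with a SHA-256 manifest so their integrity can be verified later.
# Paths and log contents below are constructed for the demo.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, collector):
    """Record who collected which file, when, its size and its hash."""
    return {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": [{"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
                  for p in sorted(paths)],
    }

def verify_manifest(manifest):
    """Return the list of files that are missing or whose hash no longer matches."""
    return [e["path"] for e in manifest["files"]
            if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]]

def demo():
    # Constructed sample logs standing in for an auth log and a web server log.
    d = tempfile.mkdtemp()
    auth = os.path.join(d, "auth.log")
    web = os.path.join(d, "access.log")
    with open(auth, "w") as f:
        f.write("Jan 10 09:14:02 host sshd[1]: Failed password for admin\n")
    with open(web, "w") as f:
        f.write('10.0.0.5 - - [10/Jan/2024:09:14:05] "GET /login" 200\n')
    manifest = build_manifest([auth, web], collector="ir-team")
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)      # the record that travels with the logs
    clean = verify_manifest(manifest)          # [] while the files are untouched
    with open(auth, "a") as f:                 # simulate a later modification
        f.write("tampered\n")
    tampered = verify_manifest(manifest)       # only auth.log is reported
    return clean, tampered == [auth]
```

Run `demo()` to see the manifest detect the modified file; in practice the manifest should be stored separately from the logs it describes.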
Now it's really serious: you may have to start locking down all or some of your IT infrastructure. You'll need to know what parts of your business might be affected by this and how it will affect your customers. Common "trip wires" at this stage are how well practised your IT people are in the lockdown procedures, and how the organisation as a whole responds to the operational disruption and the effect that has on customers.
There are still many challenges to come, and many organisations have found that their plans need to extend well beyond a 24-hour horizon; you could be thinking in terms of days, weeks or even months. You could be asking much more of your colleagues, who may be forced to operate cumbersome workarounds to keep key activities operational; IT staff will be working under intense pressure, and issues and challenges will continue to emerge.
Dealing with enquiries
By now customers and other stakeholders will be "feeling the pain". You'll need to think about how you will communicate with customers (a dedicated call centre or help desk to deal with enquiries and concerns?). Some organisations have suffered considerable reputational damage by not anticipating the need for this and the likely volume of calls. Likewise, call centre operators will be required to deal with unfamiliar situations and may need scripts to assist them.
Staff / Employee Morale
As the timeline and the impact of the incident extend, a comprehensive internal communications strategy needs to be in place to provide regular briefings aimed at keeping staff morale as high as possible; silence is often interpreted as failure. Remember also that you'll be relying on your people to operate any workarounds that may be needed during the IT recovery phase. These people really will be your greatest asset at this time.
Cleansing & recovery
Possibly the biggest job of all. If you have been hit by a cyber attack that has exfiltrated or corrupted large amounts of data, you'll have malicious code somewhere, possibly in multiple locations within your IT infrastructure. This means your IT infrastructure (networks, servers, workstations and laptops) all need to be restored to a "trusted configuration"; then, and only then, can you start to think about data restoration from whatever back-up solution you have. Many organisations have run into significant issues at this stage, starting with fundamental questions: where do you go to recreate your IT infrastructure configurations? Do your IT people know how to rebuild the infrastructure from the ground up? Will your back-ups work as expected? The only way to be sure that these activities will work as expected is to test them, regularly.
Will it EVER be over?
The aftermath of a major cyber attack can go on for months. If Personally Identifiable Information (PII) has been exposed, you can expect a significant uptick in Data Subject Access Requests. Organisations have found that they need additional resources to support this (and the money to pay for it) for several months after the immediate effects of the attack have been remediated.