When to Call the Experts: Recognising a Cyber Incident


Something’s wrong with your systems. You’re not sure what. It could be a technical glitch. It could be an attack.

How do you tell the difference? And when should you call in professional help?

Signs Something Might Be Wrong

User-reported issues:

  • Accounts locked for no apparent reason
  • Unusual password reset requests
  • Strange emails sent from internal accounts
  • Files missing or renamed
  • Unexpected software prompts or errors
  • Systems running slowly for no clear reason

Technical indicators:

  • Failed login attempts from unexpected locations
  • New user accounts you didn’t create
  • Disabled security tools
  • Unusual network traffic or bandwidth usage
  • Unexpected software installed
  • Changed system configurations

Business indicators:

  • Suppliers reporting strange requests
  • Clients asking about suspicious communications
  • Unexpected financial transactions
  • Missing or altered records

Any single indicator might have an innocent explanation. Multiple indicators, or severe single indicators, deserve investigation.

The Triage Process

When you notice something concerning:

Step 1: Don’t panic. Rushed decisions during potential incidents often make things worse. Take a breath.

Step 2: Document what you’re seeing. Write down:

  • What was observed
  • When (specific times)
  • Who noticed it
  • What systems are affected
  • Screenshots if possible

Step 3: Initial assessment. Quick questions to answer:

  • Could this be user error or a technical problem?
  • Are multiple people or systems affected?
  • Is there any obvious malicious activity (ransom notes, defacement)?
  • Is sensitive data potentially at risk?

Step 4: Contain if obvious. If something is clearly wrong:

  • Disconnect affected systems from the network (don’t power off)
  • Don’t use affected systems to communicate about the incident
  • Preserve logs and evidence

Step 5: Escalate appropriately, based on severity and your capabilities.

When to Call Your IT Provider

If you have IT support (internal or external), contact them when:

  • You’ve noticed concerning indicators but aren’t sure what they mean
  • You need help investigating
  • You want to implement containment measures
  • You’re not sure whether this is a real incident

Most IT providers can do initial triage and determine whether escalation is needed.

When to Call Incident Response Specialists

Call in professional incident response (beyond regular IT support) when:

Confirmed compromise:

  • You’ve found evidence of actual attacker activity
  • Ransomware has deployed
  • Data has been stolen
  • Business email compromise has succeeded

Significant potential:

  • Multiple indicators suggest coordinated attack
  • Critical systems might be affected
  • Sensitive customer data might be exposed
  • Regulatory notification might be required

Uncertainty with high stakes:

  • You’re not sure what’s happening, but impact could be severe
  • Attacker might still be present
  • You need forensic evidence preserved

Insurance or regulatory requirements:

  • Your cyber insurance requires approved incident response
  • You need to demonstrate proper response for compliance

Incident response specialists cost money ($300-500/hour is typical) but they bring expertise you don’t have. For significant incidents, they’re worth it.

When to Contact Your Cyber Insurance

Immediately if:

  • You’re confident this is a real incident
  • There’s potential for significant loss
  • You might need incident response services
  • You think you might make a claim

Why early:

  • Many policies require prompt notification
  • Insurance often provides access to incident response resources
  • They can advise on response and coverage
  • Late notification might affect claims

Keep your policy number and claims contact accessible for exactly this situation.

When to Report to ACSC/Police

Report to ACSC via ReportCyber (cyber.gov.au/report) if:

  • You’ve experienced a cyber incident
  • Even if you’ve handled it yourself
  • Even if you’re not sure of the full scope

This isn’t primarily about getting help (though they may provide guidance) - it’s about contributing to national cyber intelligence that helps protect other businesses.

Report to police (ACORN) if:

  • Financial loss has occurred
  • Personal data has been stolen
  • You want formal investigation
  • Insurance or legal matters require it

What Incident Responders Will Do

If you engage professional incident response:

Triage and containment:

  • Assess the scope of the incident
  • Stop ongoing damage
  • Preserve evidence

Investigation:

  • Determine how attackers got in
  • Identify what was accessed or stolen
  • Find any persistence mechanisms
  • Map the full extent of compromise

Eradication:

  • Remove attacker access
  • Patch vulnerabilities that were exploited
  • Rebuild compromised systems

Recovery:

  • Restore systems to operation
  • Verify security of restored environment
  • Return to normal operations

Reporting:

  • Document what happened
  • Provide evidence for insurance/legal
  • Deliver recommendations for prevention

Common Incident Response Mistakes

Powering off systems: This destroys volatile evidence. Disconnect from the network instead.

Investigating on compromised systems: Attackers might be watching. Use separate clean systems.

Contacting attackers yourself: If negotiation is needed, let professionals handle it.

Rushing to “fix” things: Cleaning up before understanding the problem can destroy evidence and miss persistence.

Not preserving logs: Evidence can be overwritten. Export and preserve logs early.
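One practical way to "export and preserve logs early" is to copy them into an evidence folder, record a hash of each copy so that any later change can be detected, and note who collected them and when. The Python below is an added example written for this article, not code from the article or any incident response firm; the log content, file names and temporary paths it uses are constructed for the demonstration.

```python
"""
Added example, not code from the original article: preserve log files as
evidence by copying them to an evidence folder, recording a SHA-256 hash,
size and collection metadata for each in a manifest, and re-checking the
hashes later. File names and paths are constructed for the demonstration.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

# Constructed log content standing in for a real authentication log.
CONSTRUCTED_LOG = (
    b"2024-05-01T08:02:11Z LOGIN_FAILED user=alice src=203.0.113.7\n"
    b"2024-05-01T08:03:00Z LOGIN_OK user=alice src=203.0.113.7\n"
)


def sha256_of(path):
    """Hash a file in chunks so large logs don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(source_paths, evidence_dir, collected_by):
    """Copy each source file into evidence_dir, make the copy read-only and
    write manifest.json describing what was collected, when and by whom."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in source_paths:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        source_hash = sha256_of(src)
        shutil.copy2(src, dst)                      # copy2 keeps the original mtime
        if sha256_of(dst) != source_hash:
            raise RuntimeError(f"copy of {src} does not match source")
        os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP)  # read-only copy
        entries.append({
            "original_path": os.path.abspath(src),
            "evidence_copy": os.path.basename(src),
            "sha256": source_hash,
            "size_bytes": os.path.getsize(dst),
            "source_mtime_utc": datetime.fromtimestamp(
                os.path.getmtime(src), timezone.utc).isoformat(),
        })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "files": entries,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every preserved copy; return the names whose hash no longer
    matches the manifest (an empty list means the evidence is intact)."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    mismatches = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["evidence_copy"])
        if not os.path.exists(path) or sha256_of(path) != entry["sha256"]:
            mismatches.append(entry["evidence_copy"])
    return mismatches


def run_demo():
    """Write the constructed log to a temp dir, preserve it, verify it, then
    simulate someone editing the copy and verify again."""
    work = tempfile.mkdtemp(prefix="ir-evidence-demo-")
    try:
        src = os.path.join(work, "auth.log")
        with open(src, "wb") as f:
            f.write(CONSTRUCTED_LOG)
        evidence = os.path.join(work, "evidence")
        manifest = preserve_logs([src], evidence, collected_by="demo")
        clean = verify_evidence(evidence)
        copy = os.path.join(evidence, "auth.log")
        os.chmod(copy, stat.S_IRUSR | stat.S_IWUSR)  # undo read-only to tamper
        with open(copy, "ab") as f:
            f.write(b"tampered\n")
        tampered = verify_evidence(evidence)
    finally:
        shutil.rmtree(work)
    return {
        "hash_matches_content": manifest["files"][0]["sha256"]
        == hashlib.sha256(CONSTRUCTED_LOG).hexdigest(),
        "clean": clean,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(run_demo())
```

The manifest is what you hand to an incident responder or insurer alongside the copies: it records where each file came from, its original modification time, and a hash that lets anyone confirm the copy has not been altered since collection. Keep the evidence folder on a separate, clean system rather than on the machine under investigation.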

Communicating on compromised channels: If email is compromised, don’t discuss the incident via email.

Building Response Capability

Before an incident happens:

Have contacts ready:

  • IT support emergency line
  • Cyber insurance claims contact
  • Incident response firm (your insurance might mandate one)
  • ACSC ReportCyber URL

Know your systems:

  • What’s critical
  • Where data lives
  • How to isolate systems
  • Who has admin access

Document your environment:

  • Network diagrams
  • System inventories
  • Critical process documentation
  • Backup locations and access

Test your response:

  • Tabletop exercises
  • Know who makes what decisions
  • Practice communication chains

The Decision Framework

Simple framework for incident decisions:

Level 1: Monitor and investigate

  • Single suspicious indicator
  • No confirmed compromise
  • Normal IT support can investigate

Level 2: Contain and assess

  • Multiple indicators or single severe indicator
  • Possible but unconfirmed compromise
  • IT support with potential escalation

Level 3: Full incident response

  • Confirmed compromise
  • Data potentially affected
  • Regulatory implications
  • Insurance claim likely
  • Call the specialists

When in doubt, escalate. The cost of overreacting is much less than the cost of underreacting.

Final Thought

Recognising and responding to incidents is a skill. The more you think about it before an incident, the better you’ll handle one when it happens.

You don’t need to be an expert. You need to be prepared enough to recognise when experts are needed, and have the contacts to reach them quickly.

That preparation could be the difference between a contained incident and a business-ending breach.