Is it just an IT glitch, or are you experiencing a cyberattack?
Remember the days when, if you experienced a technical hitch, it was always due to an IT issue? You contacted the IT team, and they gave you a ticket, put you in the queue, and fixed it. You were back in business sooner or later, doing your job, and in no time you’d forgotten what the issue was in the first place.
For a long time, this feeling—that something out of your control has gone wrong, but you know who could put it right—was common in countless businesses in almost every industry around the world. But in just a few years, for so many people, that feeling has changed drastically.
Today, this change is undoubtedly due in part to the media focusing on cyber threats more than they ever did, even five years ago. But those threats are real and increasingly frequent, so when many people suddenly face a technical problem, they immediately worry that a cyberattack is at fault. In most cases it’s ‘just’ an IT problem, and there’s nothing sinister to worry about.
But what if it is a cyberattack?
What should you do in the first hour? What should you avoid doing that will make the situation worse? And would you be able to tell the difference?
Time is of the essence if any organization is hit by a cyberattack, so it’s important that employees know what to do and take action as soon as possible.
Cyberattacks can be extremely stressful, cause confusion, and, in the worst-case scenarios, incite fear and panic. In the heat of the moment, it’s important for employees to remain calm, take a deep breath, and report the issue to the cybersecurity team or, if there isn’t one in the organization, to the IT team.
If the organization doesn’t have a cybersecurity team, how can it determine whether the ‘IT problem’ is due to a technical fault or whether an external cyberattack is to blame?
Follow these steps to determine the source of the issue:
- Engage IT Support: Involve your IT support team or service provider. They can conduct a more thorough investigation and may be able to identify issues that aren't immediately apparent.
- Conduct Initial Analysis: Begin by assessing the nature of the outage. Is it localized to a specific system, or is it widespread? Does it involve systems that are typically targeted in cyberattacks?
- Check System Logs: System and network logs can provide valuable information. Look for unusual or suspicious activity such as multiple failed login attempts, unexpected changes in file sizes or system configurations, or abnormal network traffic patterns.
- Inspect Network Traffic: Use network monitoring tools to inspect the nature of your network traffic. Unusual traffic patterns could indicate a cyberattack. For example, a huge traffic spike could indicate a distributed denial-of-service (DDoS) attack.
- Verify Updates and Patches: Ensure all systems are up-to-date and that all patches have been properly applied. An outage could be due to a system glitch or bug that's been addressed in a recent update.
- Consult with a Cybersecurity Expert: If you're still unsure, an expert can perform a detailed analysis and help determine whether a cyberattack has occurred.
- Initiate Incident Response Plan: If a cyberattack is suspected, activate your incident response plan immediately. This should include isolating affected systems, preserving evidence, notifying appropriate parties, and taking steps to prevent further damage.
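As an added example (not part of the original article), here is a small triage check for the "multiple failed login attempts" signal from the log-review step above, run over constructed sshd-style auth log lines. The timestamp format, hostnames and IP addresses are assumed sample values; the threshold and window are starting points to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an sshd-like auth log format (not real log data).
SAMPLE_LOG = """\
2024-05-01T09:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-01T09:00:02 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
2024-05-01T09:00:04 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-05-01T09:00:05 host1 sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
2024-05-01T09:00:06 host1 sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 51238 ssh2
2024-05-01T09:00:07 host1 sshd[1206]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2024-05-01T09:00:09 host1 sshd[1207]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
2024-05-01T09:30:00 host1 sshd[1300]: Failed password for bob from 192.0.2.11 port 40002 ssh2
2024-05-01T09:45:00 host1 sshd[1301]: Failed password for bob from 192.0.2.11 port 40003 ssh2
"""

# Matches a failed password line and captures its timestamp, user and source IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def failed_logins(log_text):
    """Return {source_ip: [timestamps]} for every failed password line."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events[m.group("src")].append(datetime.fromisoformat(m.group("ts")))
    return events

def flag_bursts(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: count} for sources with >= threshold failures inside any window_seconds span.
    A slow trickle of failures (e.g. a user mistyping a password) stays below the bar; a burst does not."""
    flagged = {}
    for src, stamps in failed_logins(log_text).items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged

if __name__ == "__main__":
    for src, n in flag_bursts(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logins within 60s, worth escalating")
```

A hit here is a reason to escalate and preserve the logs, not proof of compromise on its own; the same check applied to successful logins from an unfamiliar source is the natural next question.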
In the event of a cyberattack, the actions your team takes—or doesn’t take—can greatly impact the overall duration of recovery, cost, and the potential to uncover vital evidence left by threat actors within your infrastructure. Identifying a cybersecurity incident can be challenging. Many threat actors have mastered the art of quietly infiltrating IT systems and hiding their digital footprints.
The Dos:
1. Engage your dream team.
2. Be faster than the story.
3. Focus on the facts.
4. Take a break, make a breakthrough.
5. Avoid analysis paralysis.
6. When it’s time for recovery, focus on retrieving data, not entire systems.
7. Pivot to take advantage of a situation and improve the organization.
The Don’ts:
1. Let everyone ‘help.’
2. Anticipate resolution by Monday.
3. Downplay the impact or the prioritization of data security.
4. Jump steps.
5. Avoid legal obligations.
6. Buy more security tools.
7. Play the blame game.
Prevention is better than a cure
Of course, nobody wants to experience a cyberattack. For many people, it’s the worst day of their professional life. Cyberattacks can be devastating for any organization. They can disrupt business operations, shut down offices, reduce income, cause havoc with supply chains, and be seriously detrimental to the trust and confidence that customers, business partners, and stakeholders have in the business.
So, like anything else, prevention is much better than a cure in cybersecurity. But if an adversary does breach the company’s IT systems, then cyber resilience is essential. This is the ability to bounce back to business as usual, as quickly and as safely as possible.
Planning, preparation, and practicing cybersecurity emergency exercises are essential to minimizing the chances of the worst happening on any given day. By implementing strong cybersecurity hygiene practices, training employees to be aware of cybercriminals’ tactics and techniques, and implementing a good incident response plan, organizations of any size and complexity can get themselves into better positions to contain the situation, seek appropriate help, and communicate to all relevant stakeholders, including legal and insurance firms.
It’s often said that in today’s unpredictable and inhospitable threat landscape, it’s not if but when an organization will be compromised. This is why cyber resilience is arguably as important as cybersecurity.
About the Author

Mark Cunningham-Dickie
Principal Incident Response Consultant at Quorum Cyber
Mark Cunningham-Dickie is a Principal Incident Response Consultant for Quorum Cyber. He has over 20 years of experience in the technology industry, including more than ten working in technical roles for law enforcement and other government-funded organizations. Mark has an MSc in Advanced Security and Digital Forensics and a BSc (Hons) in Computer Science.
