Responding to a Cyber Breach: Expert Advice
In a previous post, we explored what work should be undertaken before a cyber incident takes place to contain the damage and increase the chances of a successful recovery. As stated by the FBI Cyber division, “One of the most effective ways to ensure you are prepared to respond to a cyber incident is to practice. Practiced organizations respond faster, contain incidents more effectively, and reduce impact. These exercises expose gaps and build trust. Preparation makes a difference in the middle of an incident.”
In this post we look at some of the steps that should be taken after a breach has been identified, and some that shouldn’t. I reached out to several cybersecurity insiders for their insights on a hypothetical scenario:
Your company has just detected abnormal activity in your network. You don’t know it yet, but a ransomware group has gained unauthorized access to your systems.
The experts who will help make sense of the situation are:
Michelle Micor: Director, Cybersecurity & Data Privacy Communication at FTI Consulting, the leading global expert firm for organizations facing crisis and transformation.
Sezaneh Seymour: VP & Head of Regulatory Risk & Policy at Coalition, a cybersecurity and cyber insurance company that helps businesses manage cyber risk before, during, and after an incident.
Tammy Harper: Senior Threat Intelligence Researcher at Flare. Flare is a cyber threat intelligence company that helps organizations detect risks exposed on the clear and dark web, including compromised credentials, leaked data, ransomware activity, and external attack surface exposures. Flare provides actionable intelligence that supports threat detection, incident response, and cyber risk reduction.
Upon detecting the unusual activity, what is the first thing the company should do, before any other response?
MM: If you have an incident response plan – and you should – activate it immediately. This ensures a coordinated response rather than fragmented reactions that can worsen the situation. Your plan should designate clear roles, establish communication protocols, and guide containment efforts so you’re not making critical decisions on the fly. If you don’t have a plan in place, now is the time to create one.
SS: Treat it as a real cyber incident and engage incident response support immediately. The priority in the first hours is to contain the threat, understand what happened, and preserve recovery options. The biggest mistake is assuming it is a routine IT issue and losing time.
TH: The first priority should be containment and preservation of evidence. Companies should avoid making major changes to affected systems before understanding the scope of the intrusion, while immediately isolating impacted hosts or accounts to slow attacker movement and reduce further damage.
What does your firm do to assist companies in such situations (when unusual activity is detected or after they realize that a threat actor has gained access)?
MM: FTI Consulting helps organizations manage both the technical response and broader business crisis that follows a cybersecurity incident. Our expertise stems from experience managing complex cybersecurity incidents, including incident triage, forensics, cross-functional coordination, media relations and communications readiness.
SS: Coalition combines active cyber insurance with hands-on incident response. Before an incident, we help businesses reduce risk through security monitoring, alerts, and other risk management support. When unusual activity is detected or a threat actor gains access, our incident response affiliate, Coalition Incident Response, helps triage the event, investigate what happened, contain the intrusion, and support recovery. Our role is both operational and financial. We help companies respond more quickly and make better decisions under pressure, and our insurance helps them manage the financial consequences of the event. That model is reflected in outcomes: Coalition policyholders experience 73% fewer claims than the market average. In 2025, 64% of closed claims were resolved with no out-of-pocket loss, and Coalition incident responders and panel firms reduced initial ransomware demands by an average of 65% through negotiation.
TH: Flare helps organizations rapidly identify whether compromised credentials, stolen data, or internal systems are being discussed, sold, or leveraged across clear and dark web sources. During an incident, this intelligence can help defenders understand the threat actor involved, assess exposure, prioritize response actions, and identify downstream risks such as leaked credentials or extortion activity.
What’s a common mistake that companies make when unauthorized access is first discovered that can have a significant impact on their recovery?
MM: The biggest mistake I see companies make is communicating before they understand what’s happened. Businesses often rush to notify customers or partners with incomplete information, then are forced to issue corrections as new information emerges. That can damage credibility, create confusion and make stakeholders question whether you’re actually in control of the situation. You should communicate early, but carefully, sharing what is known without overstating certainty, downplaying the issue or making claims that may not hold up as the investigation develops.
SS: The most common mistake is improvising. Companies often wait too long to bring in specialist responders, or they make major decisions before they understand the scope of the intrusion, the condition of their backups, or their real recovery options. Another mistake is moving too quickly toward payment or restoration without enough facts. Responders need time to scope the event, preserve evidence, validate backups, and negotiate from a position of knowledge.
TH: One of the most common mistakes is responding too quickly without visibility into the attacker’s persistence or access methods. Organizations sometimes reset passwords or remove visible malware while the threat actor still maintains alternate access paths, which can complicate containment and prolong recovery.
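The point Harper makes here, and in her earlier answer on containment, is that the scope of the intrusion (every host, account and persistence mechanism the attacker touched) has to be established before passwords are reset or systems are isolated. The Python script below is an added example for this post; it is not code from Flare or from any of the interviewees. It walks a small set of constructed authentication and persistence events (not real logs; the event format, host names and account names are made up) outward from the first flagged host and returns the hosts to isolate, the accounts to reset or disable, any ingress point that is not yet in scope, and the persistence artifacts that must be removed in the same remediation window.

```python
"""Scope an intrusion before remediating: find every host, account and
persistence mechanism linked to the first flagged host.

Added example, not code from Flare or the interviewees. The event format,
host names and account names below are constructed for illustration."""
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "time kind account src dst detail")

# Constructed sample events: time, event kind, account, source host, target host, detail.
# One pre-incident logon is included to show the time-window filter at work.
SAMPLE_EVENTS = """\
2024-05-01T02:10:00 logon           svc_backup  ws-17   fs-01 -
2024-05-01T02:12:30 logon           svc_backup  fs-01   dc-01 -
2024-05-01T02:14:05 logon           jdoe        ws-22   ws-22 -
2024-05-01T02:15:40 task_created    svc_backup  dc-01   dc-01 Update-Sync
2024-05-01T02:20:10 account_created svc_backup  dc-01   dc-01 support_tmp
2024-05-01T02:25:00 logon           support_tmp ext-vpn fs-02 -
2024-05-01T02:30:00 service_created support_tmp fs-02   fs-02 WinDefendHelper
2024-04-28T09:00:00 logon           svc_backup  ws-17   fs-01 -
"""

PERSISTENCE_KINDS = {"task_created", "service_created", "account_created"}


def parse_events(text):
    """Parse whitespace-separated event lines into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, src, dst, detail = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, account, src, dst, detail))
    return events


def scope_intrusion(events, seed_hosts, seed_accounts, window_start):
    """Expand the compromise set to a fixpoint.

    An event is linked to the intrusion if its source host or its account is
    already in scope; linked events pull in their target host, their account
    and any account they created. Source hosts that are not in scope but were
    used by a compromised account are reported as ingress points: the
    alternate access paths that survive a password reset on its own."""
    hosts = set(seed_hosts)
    accounts = set(seed_accounts)
    ingress = set()
    in_window = [e for e in events if e.time >= window_start]
    changed = True
    while changed:                      # events are not assumed to be ordered
        changed = False
        for e in in_window:
            if e.src not in hosts and e.account not in accounts:
                continue
            if e.src not in hosts:      # reached via the account, from outside scope
                ingress.add(e.src)
            new_hosts = {e.dst} - hosts
            new_accounts = {e.account} - accounts
            if e.kind == "account_created":
                new_accounts |= {e.detail} - accounts
            if new_hosts or new_accounts:
                hosts |= new_hosts
                accounts |= new_accounts
                changed = True
    persistence = sorted(
        (e.dst, e.kind, e.detail)
        for e in in_window
        if e.kind in PERSISTENCE_KINDS and e.dst in hosts and e.account in accounts
    )
    return {
        "hosts_to_isolate": sorted(hosts),
        "accounts_to_reset": sorted(accounts),
        "ingress_points": sorted(ingress - hosts),
        "persistence_to_remove": persistence,
    }


def run_sample():
    """Scope the constructed incident starting from the host that raised the alert."""
    return scope_intrusion(parse_events(SAMPLE_EVENTS), {"ws-17"}, set(), datetime(2024, 5, 1))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

In a real engagement the events would come from domain controller logon records and EDR telemetry rather than a hand-written string, but the output shape is the one that matters: the alert on ws-17 alone would suggest resetting svc_backup, while the scoped result shows a created account, a scheduled task, a service and a VPN ingress point that would all survive that reset. Acting on the whole set in one window (isolate hosts and close the ingress, disable the created account and remove persistence, then reset credentials) is what keeps the attacker from simply walking back in.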
What general advice do you have for companies when confronted with a cybersecurity incident?
MM: Don’t underestimate the power of response and communication. How a company handles a crisis often matters more to its reputation than the incident itself. Keeping employees, customers, and partners informed, even when you don’t have all the answers, shows your accountability. Honest communication during a crisis builds trust and shows you’re in control of the situation.
SS: Move quickly, but do not panic. Bring in the right experts early so the company can contain the incident, understand what happened, and preserve recovery options. Focus on restoration and resilience. Companies with viable backups, a tested incident response plan, and the right support are in a much stronger position. Treat it as a business problem, not just a technical one. Effective response requires coordination across IT, legal, communications, finance, and leadership. Prepare before the crisis. Companies that have preexisting response relationships and tested plans generally recover better.
TH: Stay methodical and avoid panic-driven decisions. Early coordination between IT, security, legal, communications, and external partners is critical, and organizations should focus on understanding the scope of the compromise before rushing into remediation. Preparation before an incident — including tested response plans and visibility into external threats — often makes the biggest difference during recovery.
Recovery starts before the attack
While no organization wants to face a ransomware attack or network intrusion, the reality is that cybersecurity incidents have become a matter of when, not if. The companies that recover most effectively are not necessarily those that avoid incidents entirely, but those that prepare in advance, respond methodically, and rely on experienced partners when the pressure is highest.
As the experts emphasized, successful incident response depends on far more than technical remediation alone. Clear communication, coordinated decision-making, evidence preservation, and tested recovery plans all play a critical role in limiting damage and restoring operations. In the middle of a crisis, panic and improvisation can quickly become an organization’s greatest liabilities.
The lesson is clear: preparation before an incident, and disciplined execution during one, remain among the strongest defenses any company can have.