# Emergency Do-Not-Do List

During a serious cybersecurity incident, the company should avoid rushed actions that may destroy evidence, increase damage, or make recovery harder.

  • Do not wipe, rebuild, or replace affected devices before evidence needs are considered.

  • Do not delete suspicious emails, files, logs, accounts, mailbox rules, or alerts before they are preserved.

  • Do not reset every password at once without understanding which systems, sessions, and accounts are affected.

  • Do not reconnect isolated systems until the cause of the incident has been addressed.

  • Do not restore from backups until backup safety and restore points have been checked.

  • Do not assume the first affected system is the full incident scope.

  • Do not communicate to customers, vendors, or the public without approved wording.

  • Do not say “no data was affected” unless that has been verified.

  • Do not contact attackers or discuss ransom decisions without leadership, legal, insurance, and qualified incident response guidance.

  • Do not let employees investigate, delete, forward, or clean up suspicious material on their own.

  • Do not use compromised email, chat, or devices for sensitive incident coordination.

  • Do not delay contacting the bank if payment fraud or bank-detail change fraud may be involved.

  • Do not wait too long to involve cyber insurance, legal counsel, the MSP, or qualified incident response support if the incident is serious.

# Objective

When in doubt, slow down, preserve evidence, contain the obvious damage, and escalate to qualified help.

A rushed cleanup can make the incident harder to investigate and harder to recover from.