Video: What To Do When It Happens
Duration: 1716s
Chapters: Welcome and Introduction (3.28s), Session Logistics Overview (31.86s), Cybersecurity Event Response (121.78s), Cybersecurity Events vs. Incidents (165.555s), Cybersecurity Event Management (309.495s), Incident Isolation Protocol (437.515s), Incident Response Communication (563.92s), Cyber Insurance Response (679.89s), Legal Counsel Importance (1066.965s), Law Enforcement Coordination (1220.995s), Incident Response Guidance (1388.695s)
Transcript for "What To Do When It Happens":

Hello, and welcome to our March three tier three series event, What To Do When It Happens. I'm Alan Falcon, CEO of Cumulus Global, and I want to thank you for joining us here live, or if you're watching this on demand. We appreciate you taking time out of your day and your week to join us and hopefully get some valuable information when it comes to cybersecurity and properly managing your IT and your cloud services so that they're productive, secure, and affordable.

As always, we mute this session to avoid any background noise. There's a docs tab over on the right of your screen that lets you enter chat and look at docs, which are really a list of additional resources we're providing that are related to the topic at hand. As we go through the session today, feel free to check those out. We'll also send you the links to all of these resources in our follow-up emails. If you have a question for me, or want to make a comment about the content or what I'm discussing, feel free. There's a Q and A window that will flag myself and Jordan, who's in the background keeping an eye on things for me. We'll make sure we get those answered in line or at the end of the presentation. And if it's something very specific to you, we'll be able to follow up with you one on one. As always, we're recording the session; we generally get them up and posted within twenty-four hours. We'll send you a link. Please feel free to share.

And of course, our three tier three series is one of many resources we offer to help you understand, manage, plan and execute your IT and your cloud services. Two of our latest resources are a landing zone for artificial intelligence, which collates a lot of content that we've pulled together or that we've created ourselves to help you, particularly small and mid-sized business leaders and owners, take advantage of artificial intelligence.
A lot of it has to do with operating within the Google Workspace and Google Gemini environments, as well as a cybersecurity landing zone around basically all things cybersecurity, which is the topic that we're obviously heading into today.

So when we look at what we're going to cover today, there are really three areas. When we talk about what to do when it happens, "it" being a cybersecurity event that could well be an incident, and I'll get into the difference in just a moment, we're going to talk about boom. That's the starting point. In fact, boom is becoming an industry-standard term: left of boom is how the attack happens and what happens before the attack, boom is the attack, and right of boom is how you respond to what happens once you realize there's been a successful attack. We're going to get right into it. We're going to be very specific about what your first action should be, and then the three big calls that you need to make when you think you've got a cybersecurity incident happening.

But let's start right now with two really important definitions. The first is: what is a cybersecurity event? A cybersecurity event is an observable or measurable change in the status of a network, system, application, or your data. Most cybersecurity events are normal. Someone logging in properly with their username, password, and their two-factor authentication is a cybersecurity event. Clearly, that doesn't indicate a problem. It's normal security operations. It actually means things are working. And so when you look at cybersecurity events, you have to look at what's working and what's good and, of course, what's not. Some events warrant an investigation or even a full response to determine if the event is a cybersecurity incident. And some events will obviously be an incident. But not all; in fact, most cybersecurity events will not become incidents. So what we're focused on now is responding to the boom, to a successful attack.
We're talking about looking for those cybersecurity events that appear to indicate, or confirm, that you have something more serious going on. And that's where we get into the cybersecurity incident. A cybersecurity incident is a confirmed event or series of events that actually, imminently, or likely jeopardizes the confidentiality, integrity or availability of data, information or systems. You boot up your computer and you've got a ransomware warning: you've got an incident. Someone lets you know that someone sent an email that looked like it came from you, but they weren't really sure; it was sort of sketchy, so they didn't respond to it, and they were calling to let you know. Well, that could be an indication. That's a cybersecurity event. You've been notified of a problem. It could be something as simple as, hey, they didn't look at the from address; it would be obvious it's not coming from you, but someone's pretending to be you. Or it could be that someone is actively spoofing your identity, or has accessed your account and is sending from your account. And so that may or may not be an incident.

So know that incidents are things that cause harm and/or disruption, and they require immediate formal investigation and response. Incidents also trigger legal, regulatory and contractual obligations, such as reporting, that must be managed. And so it's very important that when you talk about what's happening with your cybersecurity environment or a potential problem, you don't use the word incident until you've determined, or an expert or third party has determined, that an incident has happened. The minute you say something's an incident, what you're required to do and what you're expected to do changes dramatically. Whereas if it's a cybersecurity event, the expectation is that you're going to determine whether or not it's an actual incident that requires that response. An important distinction. So what's the starting point?
The starting point for us is a cybersecurity event or events that may or may not be an incident, that appear to be an incident, or that are clearly an incident. And so if anything happens in your environment, you have to make that determination. If it's any one of those three things, it's time to react. You'll react initially. You'll get help to determine. And if it is an incident, you'll take actions from there.

So what happens if you think you have a cybersecurity event? The first thing is you want to understand whether or not it's a risk. And if you're not sure, the scope of your response will be limited, but it's somewhat similar to if it's an incident. Oftentimes, if you have a cybersecurity event and you're not sure, you'll talk to your IT team internally, or you'll contact someone like us, a partner that provides IT, and have us take a quick look to see what we think and what an initial analysis indicates. You might say, hey, this happened, it's sort of fishy. We might look and say, hey, there's no indication that there's a breach or cyber attack; it's just someone pretending to be you, but they're not in your systems in any way and it's obvious that it's not you. We can help define that. Whether internally, yourself, or with a partner, the minute you have a cybersecurity incident, there are actions you need to take.

Action one, we'll call it stop, drop, and roll. Right? Basically, you're on fire, and you have to put the fire out. You need to isolate the problem. You need to prevent extension of the problem, prevent it from spreading internally and to people you're connected with. Whether that connection is through document sharing, portals, or emails, it can't happen. If you believe you have a cybersecurity incident, you will want to disconnect any devices potentially affected from not only your local area network and Wi-Fi, but from Internet access as well.
That means disabling the network adapter for Wi-Fi or shutting down the Wi-Fi in your office. It's not just unplugging; it's making sure those systems aren't going to access anything over a cellular network, or, if you move them, that they're not going to automatically connect to the guest network in the office next door. Right? They have to be disconnected.

Similarly, you want to disable all accounts that may be compromised or that could unknowingly share or email infected files. So if you have a type of attack where you think there are files corrupted, and those files are shared among your staff and are the types of files that may be communicated to a client or vendor, you have to prevent that from happening. And that means forcing your team out of their systems, or the impacted systems: logging them out, preventing them from logging back in, and letting them know what's going on. You'll also want to disconnect any applications, including web and SaaS applications, that could facilitate the spread. Stop using it if you think it's going to help, or could help, the problem spread to other systems or accounts within your environment or to people you would interact with on the outside. Rule of thumb: when in doubt, lock it out. Just shut it down. It's better to be overprotective and then restore access than it is to leave something open, which opens you up to further spread of the problem as well as potential additional liability.

The other thing you want to do at this stage is communicate. You want to activate your incident response plan. Now, we know that the vast majority of small and midsize businesses don't have an incident response plan. We can help you get one; don't worry. But at the very basic level, you need to notify your internal leadership and any stakeholders. All of your IT resources should know. Executives at the company, and people responsible for oversight in the IT chain of command, need to know.
Key: if you reach out to your C-level executives, they should be notifying heads of business units or leaders, folks in remote offices, whatever. They can help you spread the word that this is happening. When you do that, you want to share the known facts of what you know so far. You also want to say the things you don't know. So: we received this email, someone clicked on it, we're not sure if there's an account compromise, we're acting out of an abundance of caution, and we're investigating. But until we make sure there's no breach and no danger, we're locking things down. You want to provide an initial assessment of the event with respect to its being an incident. You want to update these folks as you learn more and make that determination.

What you do not want to do is start doing any restore or recovery efforts. Why? In order for your cyber insurance carrier, if it is an incident, to pay on your claim, they may require that you do, or that you allow a third party to come in and do, forensic analysis so they understand what happened. If you start restoring and recovering, you may destroy the state of the machine or the information needed for them to do that analysis. You may also restore it in a way that doesn't fully clean the problem, and it could reoccur weeks or months down the road without necessarily being a separate new breach. So you can't start that recovery and restore process. It's okay to understand, hey, what's the restore point in my backup that's safe? But don't act on that.

What you want to do now is make your three big calls. And what are those calls? Big call number one is your cyber insurance carrier. You're going to let them know what's going on: that you have a cybersecurity event that may be an incident. They're going to pepper you for details about the nature of the event.
It's great to keep a timeline of everything that's happening: when did you notice, what did you do, what steps have you taken, who has taken them and at what time. Share that with them. All the actions taken so far, as well as anything that leads you to believe this event could be an incident or, hey, it probably isn't, but you're acting out of an abundance of caution. And that's sort of your damage assessment to date. How many systems do you think are affected? Do you know? You might say, gee, we know that there are three machines in our home office that are affected, but we haven't finished reaching out to our remote employees to see if they're impacted as well. They need to know exactly where you are in the process, and they're going to want to discuss with you the event or events and the incident possibility, and help make that determination. They may have you do a couple of quick things to help make that determination.

So you want to expect that they're going to be doing information gathering. They're going to want to investigate. If it's not clearly an incident, it's likely they'll make an assumption and act. They may do additional investigation for event versus incident. They may want to involve a third party to do it. They may give you instructions to give to an IT provider or service provider like us, or for you yourself. They may actually hire a company and dispatch them, or ask you to provide them remote access to do that assessment.

They're also, in many cases, and this is important, going to ask you for some sort of validation. Not validation that you've had a security event, or it's a possible incident, or you know it's an incident. They're going to want you to validate, with evidence, that you followed your security processes. We're aware of companies that report a potential cybersecurity incident to their insurance carrier, and the first question from the carrier is: can you send us documentation from the last time you validated that your backups were working and you were able to restore?
Why do they do it? Cyber insurance companies don't want to pay the claim. If on your application you said that you do regular backups and you periodically test them, they may ask you for documentation of the last test. And if you don't have it, it's within their rights to tell you that you misrepresented your security protocols on your application, and they will deny the claim and probably terminate your insurance policy as well. So if you're not following the processes that you committed to in your cybersecurity worksheets, audits, application, whatever, now is the time to make sure you are and to get that in place, so that when there's an incident, you don't give them an excuse to deny your claim.

The other thing you're going to get is a set of instructions and directives. They may make some optional, but really these are going to be mandatory for you. A couple of things you should expect with that. They're going to instruct or require you to notify law enforcement. They may ask you to notify the local police and have them, if they don't have a cyber crime unit, refer you and give you a contact at the local FBI office. They may just tell you to go to the FBI general number for your area, or to go to the Cybersecurity and Infrastructure Security Agency at cisa.gov and issue a cybersecurity incident report as a way of starting. That will notify the FBI and potentially other agencies. In most cases, cyber insurance is going to want you to be interacting with law enforcement. They will probably request that you take specific investigative or diagnostic steps to understand what's going on. And again, they might want to bring in a third party to do it. They could very well ask you to hold any impacted systems for investigation and for detailed forensic analysis.
The good side is that they're doing their work so they can pay the claim and help you recover. The downside is you can be holding those systems out of use for many days, in some cases weeks. They will probably ask you, or they may elect, to select a specialized firm to manage, monitor, and/or execute recovery efforts. So beyond the investigation and bringing in experts to do the forensics and the investigative work, they may elect to have that company, or a different company, oversee how you respond and how you recover, to make sure the recovery is correct and complete and that you're protected from future attacks. There are other actions they may ask you to take as well. Don't treat these as optional. If the carrier wants you to do something, it's "yes, how can we help?"

Additionally, depending on your coverage, your carrier may ask you about, and may assist you with, required legal and/or regulatory reporting. We'll get into that in a moment. Client communications: what are you going to tell your customers about what's going on with your business and what's happened? Especially if there's a chance that you've infected them, or you've allowed, obviously unintentionally, the attack to extend to their environment, and they're at risk and need to know what steps to take. If you deal with consumers, there could be other response services your carrier provides, such as credit monitoring for people whose data might be compromised. And there are other response-related services that could be covered by your policy. For some of these, it's good if they're covered, because they can be quite extensive and expensive. I mean, if your carrier says, gee, we're going to provide three years of credit monitoring for anyone affected, and you've got 20,000 consumers, there's a significant cost around that. You want the carrier managing it and covering that cost for you.

Your second big call is legal counsel. Call your business attorney or general counsel.
That's a good place to start, but you need legal advice from someone with a cybersecurity specialization. Why? Some of the things you need them to help you with are legal and regulatory reporting requirements. Potentially federal reporting, depending on your industry and your business. But certainly, right now, most states, many, I think 29 states now, have specific cybersecurity laws that include reporting requirements for breaches or potential breaches or other hazards. Additionally, certain professions, whether it's medical, financial advisory, lawyers, or CPAs, have specific response and reporting requirements mandated by their professional associations or by industry standards, rules, and regulations. If you have a breach that involves credit cards, you had best be following the rules of your credit card provider and the industry for how you respond, or you could very well lose the ability to accept credit cards in the future.

Additionally, your legal counsel can help you with stakeholder and client/customer notifications. Why? Because they can help you word things in a way that doesn't inadvertently increase any liability you have. So, for example, depending on the nature of the cybersecurity attack and what type of breach there may be, some states define when your customers can sue you individually for the impact of the breach, and if they do, what happens with damages. In Massachusetts, in some cases, in many cases, a breach can result in automatic triple damages. In the way you communicate what has happened and what you're doing, you want to provide accurate and timely information to people who might be affected. But you want to do it in a way that you're not increasing your legal or financial liability to your clients and customers or other stakeholders. They can also review your contracts with vendors and customers to make sure you're meeting your contractual obligations, as well as assist you with your interactions with law enforcement.
And all of that's valuable advice. It's worth the money. Hopefully, your cyber insurance policy covers these costs as part of the recovery. Hence, the cyber insurance carrier is call number one. Call number two is legal counsel, to let them know what's up and get them in the loop.

Big call number three is law enforcement. You do want to coordinate contacting law enforcement with your legal counsel and your cyber insurance carrier. And we talked about cisa.gov and the FBI as places to go to do it. We generally recommend contacting law enforcement even if legal counsel says, ah, we've got you covered, you don't really need to. You know, your carrier says, we're not going to require you to, but we think it's a good idea. We always recommend you do. Now why? Because, depending on the type of attack and what's going on, law enforcement agencies may be able to assist with recovery. One example is that federal agencies actually have a database of decryption keys for ransomware attacks. If the agency can determine the type and the source of the ransomware attack, or the set of sources that it might be from, they could very well have the decryption key for you, at which point paying the ransom becomes a non-issue and data recovery can become much easier.

Now, when you do contact law enforcement, there are things they might do. They might just take a report and say thank you, this is similar to other attacks we're already investigating, we don't need any additional information from you. And that's great. They may initiate a new criminal investigation, and they'll have to do their own technical forensics or work in conjunction with the forensics group and service that your insurance carrier brought in or is bringing in. If they're doing any sort of investigation, they will likely want to gather evidence that can be part of a new one or an existing investigation. And that may include collecting computers and other devices as evidence. I warn you: the FBI takes computers as evidence.
It's highly disruptive to your business. They're going to hold on to those computers indefinitely. Well, not indefinitely; they're going to hold on to them until they no longer need them as items of evidence. Meaning, they've not only completed whatever investigative work they want to do on that machine, but they don't believe they're going to need it as evidence for trial or grand jury or, you know, the legal process as it goes past the investigation. If they do need to hold on to it, there's a good chance you should be upgrading or replacing that machine, because that machine will be out of date by the time you get it back. These cases can run years. So, yes, contacting law enforcement comes with some risk, a small risk for small and mid-sized businesses, a very small risk that your equipment may be taken as evidence. You might need to replace it. Again, your cyber insurance policy should cover that, but it's an additional inconvenience and issue for you. The benefit is you can help stop this by giving them the information they need in current or new investigations, and they may be able to help you with recovery depending on the nature and the depth of the attack.

Now, in parallel to all of this, and I know folks might be feeling a little overwhelmed, there are some things you want to do. First off, remain calm. It's not hard to feel the panic. We were contacted by a business a couple of weeks ago that had an event that they thought was an incident. They are a bookkeeper. We're in the middle of tax season. The type of incident they thought it might be is one where their clients could have been impacted in a way that their clients' data, confidential information, could have been compromised. It's easy to panic in a situation like that. It's a perfectly natural human emotion. Remaining calm, if you can, will help you make clear, concise and effective decisions.
You'll be able to process what you're learning from your technology resources, from your legal resources, and from your insurance carrier, and let them guide you through the process. And hopefully, as the emotion wears off, it becomes very matter-of-fact, cut and dried. We just have to do all these things. It's a pain in the butt. We'll do them, and we'll move on, and we'll be okay.

As you do that, in parallel while all this is going on, have everyone log all of the actions they're taking and all of the communications. Bob calls Dave: log it. Date, time, who called, who answered, who else was on the phone, and the bullet points of what was discussed. You make a change in the system: Dave made XYZ change on this system per instructions from so-and-so at this time. Track it all. The other thing you want to do is track all expenses. Everything. Now granted, some things, like dinner for your team who have to stay late to deal with all this, may not be covered, but they might be. You want to be able to outline for your cyber insurance company the entire physical hard costs for your business in responding to this cyber attack, so that your claim has as much detail and as much accuracy as possible to get the claim processed and paid.

And finally, and this sort of goes with remaining calm, and I understand no one in the history of "calm down" has ever calmed down by being told to calm down. In addition to staying calm, or remaining calm, or staying composed, if you will, you have to take care of yourself and your team. You have to manage stress. The first area where we see stress impacting teams in this situation is communications. Be mindful of your communications. Know that your technology team and resources are stressed. People whose jobs are impacted, and who can't do their jobs, are stressed. Your CFO is going to be stressed because of the financial impact.
Your marketing team's going to be stressed because of the communications they're going to have to do and the reputation of your business. It's easy to start snapping and blaming. You have to avoid those if you can. Take a step back. Be mindful, respectful, calm and deliberate in your communications. People will have clearer instructions, they'll be comforted by that, and they'll be more effective. Nutrition: there could very well be some really long hours. Make sure people are eating and drinking, staying hydrated. They'll perform better, and they'll be more alert. And finally, make sure everyone's getting sleep. Sometimes you're going to have to tell some people to go home and say, go home, sleep, don't come back for six or seven or eight hours. And give them breaks. Tell them to get up, walk around, get outside, get fresh air, cold water on the face, whatever. You want people, in a very stressful time with potentially long hours in a very urgent, time-sensitive situation, to take a break, reset, refresh. They will be better, more accurate, and faster in the tasks you need them to do, and it will lower the stress. It also sends the message that you care about your team and the resources that are in place to work and help you through the situation.

So I've covered a lot of ground. There are those resources in the side panel as well. Take a look at those. And again, we'll send you links to those same resources when we send the follow-up email with the link to the on-demand recording, as well as a follow-up sometime next week to see if there are any further questions you have about the session. At this point, we're approaching a half hour. I'm not seeing anything in the Q and A. If you do have questions, contact us here, infocumulusglobal dot com, or use the QR code on the screen. That will schedule a short call with one of our cloud advisors. You can ask your question and talk about your needs. We can talk about solutions or point you to other resources.
Feel free to reach out to me directly as well. I should take my phone number off. Please send an email. I don't have an assistant. If I can't answer right away, I will have a member of my team get back to you and start the conversation and get your questions or concerns answered. And on that note, I do want to thank everyone for joining us. I appreciate you taking time out of your day. Hopefully, you found this session valuable. And we look forward to speaking with you and hearing from you, and helping make sure that your IT services, your AI, your cloud services, the whole environment you operate in, is productive, secure, and affordable. Thanks so much. Have a great day.