
What to do in a cyber security incident or data breach: The Gridware Guide



Maybe it’s the moment you’ve been dreading for years, or perhaps it’s a threat that you’ve been relatively oblivious to. Either way, your business has suffered a significant breach, and you’re not quite sure how to handle it.

It’s important to act quickly and carefully – making the right moves now can dramatically reduce the effects your organisation faces. The right decisions can help to limit the extent of the attack, minimise any disruptions to your business or clients, and control any potential legal ramifications.

The moments after a breach are stressful and confusing, so Gridware is here to help. We’ve come up with a rough guide for your organisation to follow so that it gets out of this mess with the least damage possible.

Point 0. Data Breach Response Plan

Ideally, your organisation will already have a data breach response plan that dictates how it should respond to and recover from a breach. Having a plan in place makes the process much smoother and easier. If your organisation has not yet been breached, it should develop a comprehensive plan as soon as possible.

Let’s assume a worst-case scenario, that your organisation doesn’t have a response plan when a breach strikes. What should it do?

1. Contain the breach (0-3 Hours)

As soon as a breach is detected, the first step is to contain it. This will limit the damage, prevent things from getting worse, and ensure that your business can get back to normal as soon as possible.

How your organisation contains a breach will depend on the nature of the breach. Before you can properly contain it, you will need to establish how it occurred, whether data is still being accessed in an unauthorised manner, who is normally able to access the data, and by what means.

Once you have this preliminary information, you can begin to take steps to stop the unauthorised data access. These can range from simple measures, such as revoking a malicious insider's access privileges, to completely shutting down or isolating the affected system. It's important that you don't take any actions which may destroy evidence, such as wiping or re-imaging a machine before it has been forensically imaged, or rebooting a system whose memory has not been captured. That evidence could be critical in the later stages.
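Preserving evidence while you contain: as an added example (not part of the Gridware guide), the Python script below records a SHA-256 manifest of artefacts a responder has already copied into an evidence directory, then checks them again afterwards so that anything altered during containment is detected. In the constructed scenario a log file is truncated after the manifest is taken, as rotation or a hasty cleanup would do. The file names, log lines, directory layout and `collector` label are all assumptions.

```python
"""Evidence integrity manifest: hash collected artefacts before containment.

Added example, not Gridware's own tooling. It assumes the responder has
already copied the artefacts (logs, memory image, config exports) into one
directory; the script records SHA-256 digests so later changes are detectable.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record who collected what, when, and each file's digest and size."""
    entries = {}
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(evidence_dir).as_posix()
        if rel == "manifest.json":  # never hash the manifest itself
            continue
        entries[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    manifest = {
        "collected_by": collector,
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir: Path) -> dict:
    """Return {relative_path: 'ok' | 'modified' | 'missing'} against the stored manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    report = {}
    for rel, expected in manifest["files"].items():
        path = evidence_dir / rel
        if not path.exists():
            report[rel] = "missing"
        elif sha256_file(path) != expected["sha256"]:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def demo() -> dict:
    """Constructed scenario: hash two artefacts, then truncate one as a careless step might."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "case-0001"  # assumed case directory name
        evidence.mkdir()
        # Constructed sample artefacts (RFC 5737 / RFC 1918 addresses).
        (evidence / "auth.log").write_text(
            "Mar  3 02:14:07 web01 sshd[4412]: Accepted password for deploy "
            "from 203.0.113.5 port 51234 ssh2\n")
        (evidence / "firewall.csv").write_text(
            "time,src,dst,action\n2024-03-03T02:13:55Z,203.0.113.5,10.0.0.12,allow\n")
        build_manifest(evidence, collector="first responder (constructed)")
        (evidence / "auth.log").write_text("")  # e.g. log truncated by rotation or cleanup
        return verify_manifest(evidence)


if __name__ == "__main__":
    print(demo())
```

The manifest should itself be stored (or at least its own hash recorded) somewhere the containment actions cannot touch, such as a write-once location or the insurer's or IR vendor's case file, otherwise a later verification proves nothing.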

If your organisation has cyber cover under an appropriate insurance policy, you should consider immediately notifying your insurer in order to comply with the terms of your policy. Your insurer will also help you assess the claim and appoint a cyber security vendor to assist you with containing the breach. Your policy may also cover you for legal advice arising from a security incident.

2. Get Expert Assistance (3-12 Hours)

If your organisation has been breached, it may not have the right expertise to handle the situation appropriately. If this is the case, it’s generally best to engage outside security specialists such as Gridware.

We can use our experience to act swiftly and make sure the breach is handled properly. Our approach can help to limit the extent of the breach, speed up the recovery and minimise any disruptions to your business.

3. Assess the Data Breach (12-72 Hours)

Once you have contained the breach, your organisation can begin assessing it in more depth. This involves finding out as much as you can about the breach, such as:

  • What logs are available from our systems, firewalls and email services?
  • What type of personal information was accessed?
  • What caused the breach and how extensive was it?
  • How could the breach harm the affected individuals?
  • How can this harm be mitigated?

Once your organisation has further insight into the breach, it will have a greater understanding of the risks and how these can be addressed in an ideal manner.
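To make the scoping questions above concrete, here is an added example (not the guide's own tooling) that parses constructed sshd-style authentication records from two hosts, treats every successful login from outside an assumed trusted address range as attacker activity, and reports the first and last access, the accounts and hosts reached, and how many failed guesses preceded the first success. The log lines, hostnames, the 10.0.0.0/8 trusted range and the year (syslog timestamps omit it) are all assumptions.

```python
"""Scope a credential-compromise incident from authentication logs.

Added example, not Gridware's own tooling. The log lines below are
constructed for illustration; the trusted CIDR list and year are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style records from two hosts (RFC 5737 / RFC 1918 addresses).
SAMPLE_LOG = """\
Mar  3 02:11:40 web01 sshd[4398]: Failed password for deploy from 203.0.113.5 port 51101 ssh2
Mar  3 02:11:43 web01 sshd[4398]: Failed password for deploy from 203.0.113.5 port 51101 ssh2
Mar  3 02:14:07 web01 sshd[4412]: Accepted password for deploy from 203.0.113.5 port 51234 ssh2
Mar  3 02:20:15 web01 sshd[4450]: Accepted publickey for alice from 10.0.0.40 port 40122 ssh2
Mar  3 02:31:02 db01 sshd[2210]: Accepted password for deploy from 203.0.113.5 port 51300 ssh2
Mar  3 03:05:44 db01 sshd[2260]: Accepted password for backup from 203.0.113.5 port 51310 ssh2
"""

# Assumption: the organisation's own address space; anything else is treated as external.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log: str, year: int = 2024) -> list[dict]:
    """Turn raw lines into events; syslog lacks the year, so it is supplied (assumed 2024)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({**m.groupdict(), "ts": ts})
    return events


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def scope_incident(events: list[dict]) -> dict:
    """Summarise attacker activity: window, accounts, hosts, sources, prior guessing."""
    attacker = [e for e in events if e["result"] == "Accepted" and not is_trusted(e["ip"])]
    if not attacker:
        return {"compromised": False}
    by_ip = defaultdict(lambda: {"accounts": set(), "hosts": set()})
    for e in attacker:
        by_ip[e["ip"]]["accounts"].add(e["user"])
        by_ip[e["ip"]]["hosts"].add(e["host"])
    first = min(e["ts"] for e in attacker)
    last = max(e["ts"] for e in attacker)
    # Failed logins from the same sources before the first success point to password guessing.
    prior_failures = sum(
        1 for e in events if e["result"] == "Failed" and e["ip"] in by_ip and e["ts"] < first
    )
    return {
        "compromised": True,
        "first_access": first.isoformat(),
        "last_access": last.isoformat(),
        "dwell_minutes": (last - first).total_seconds() / 60,
        "accounts": sorted(a for v in by_ip.values() for a in v["accounts"]),
        "hosts": sorted(h for v in by_ip.values() for h in v["hosts"]),
        "attacker_ips": sorted(by_ip),
        "failed_attempts_before_first_success": prior_failures,
    }


if __name__ == "__main__":
    for key, value in scope_incident(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed data the first success follows two failed guesses from the same address, and the attacker then moves from web01 to db01 and on to a second account, so the scope of the breach (what data those accounts and hosts could reach) is wider than the single login that was first noticed. Real assessments should merge the same kind of timeline across firewall, VPN, mail and application logs.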

4. Review the Breach (72 Hours – 1 Week)

Once these steps have been conducted, organisations should complete a thorough review of the breach. This can enhance your organisation’s understanding of the problems, lead to plans for preventing similar breaches in the future, and also result in new ideas for ways to improve its response.

It might be worth asking:

  • What controls are we implementing immediately to prevent the issue from reoccurring?
  • What are the long term initiatives that we will undertake to improve our security for the future?

Gridware recommends preparing a post-incident review that can be used by management, or provided to financial institutions, legal counsel, authorities or regulators if requested.

5. Notify If Necessary (Up to 30 Days)

In certain situations, organisations covered by the Privacy Act (this includes government agencies, businesses and charities with annual turnovers of more than $3 million, among others) will be required to notify both the affected individuals and the Australian Information Commissioner.

Under the Notifiable Data Breaches scheme in the Privacy Act, an organisation that suspects an eligible data breach must complete its assessment within 30 days of becoming aware of it, and must notify the Australian Information Commissioner and the affected individuals as soon as practicable once it concludes that an eligible data breach has occurred. In these cases, you may require the advice of a law firm that specialises in cyber security matters such as privacy and data breach notification legislation. More information on where to report can be found here at

It is also worth mentioning that you may have reporting obligations under the EU General Data Protection Regulation (GDPR), which requires notification of the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, where feasible.

If your organisation has suffered a misdirection of funds, or fraud that resulted in financial loss, you should also consider notifying your State Police and reporting the cybercrime to ACORN (Australian Cybercrime Online Reporting Network) at

Each breach should be considered on a case-by-case basis to determine whether it is likely to result in serious harm to the affected individuals. If it is, they must be notified. Notifications should inform the individuals about what has happened, as well as how they may be affected. They should also include possible mitigation strategies, such as changing passwords or being alert to scams and phishing that may follow from the breach.

In cases where there is limited risk, such as where the data was strongly encrypted and the key was not compromised, your organisation may not need to notify the individuals. Unnecessary notifications may cause undue stress to those who receive them, or cause them to become desensitised to the risk. This is why an appropriate evaluation of the risks is so critical.

Work with us early

If your organisation has yet to suffer a breach, you're in a good position to seek advice early about your capability to respond to a breach, your security gaps and the strength of your processes before a cyber event occurs.

Contact us today and learn why more Australian companies are choosing Gridware as their incident response partner.


Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235
