Help! I've been hacked


Network and information systems play an essential role in most organisations nowadays. It should therefore come as no surprise that such systems are more than ever the target of cyber attacks by hackers and criminals from all over the world. How should an organisation prepare, and what do you need to do once a cyber attack occurs?

A. Identify the type of attack

First of all, it is crucial to find out what kind of attack was carried out on the organisation's network and information system.

Some common cyber-attacks are listed in the table below, but often a single incident consists of a combination of different types of attacks:

Type of attack

What is it?

Ransomware

Ransomware attacks such as WannaCry, CryptoLocker, and (Not)Petya consist of encrypting all of the organisation's computer files after exploiting a weakness in the system. The hacker then only releases the decryption key after a certain amount of ransom money has been paid. The victims are usually (listed) multinationals which, according to the hackers, have sufficient resources to pay the ransom. In any case, it is strongly advised not to pay a ransom. Paying does not guarantee that the criminals will hand over the decryption key, nor that they won't ask for more.

Malware

Malware attacks typically consist of malicious software being installed on the organisation’s systems, often unwittingly by an employee who does not realise what has happened. Such attacks come in various forms: ransomware, but for instance also spyware that steals and/or exposes the organisation’s trade secrets.

(D)DoS

(Distributed) Denial-of-Service (DoS) attacks consist of hackers overloading the organisation's systems in a way that causes them to crash. As a result, the activities of the organisation will be at a standstill for a certain period of time. How long the downtime lasts usually depends on the type of attack. When it comes to a distributed DoS attack, it could be difficult for the organisation to detect the sources of the attack.

Phishing

Phishing attacks consist of an employee being approached by a seemingly reliable person who tries to steal sensitive information in various ways. The criminals usually know in advance how the organisation works. A common example is CEO/CFO fraud, whereby criminals impersonate a director who seemingly asks for a very urgent payment to be made.

Brute force

Brute force attacks consist of the hacker trying to penetrate the organisation’s system by repeatedly guessing usernames and passwords in an automated way. Such attacks regularly succeed because of weak passwords, or because passwords compromised in earlier breaches are reused (credential stuffing). A password manager can give your passwords both complexity and length, adding a layer of protection against hackers.
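Both the brute-force and the credential-stuffing pattern described above leave a distinctive trace in authentication logs: many failures from one source against a single account, versus one failure each against many accounts. The following is an added example (not part of the original article) that groups constructed sshd-style "Failed password" lines per source address and time window and labels each flagged source; the log lines, the 5-minute window and the failure threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth-log lines in sshd "Failed password" style (not real data).
SAMPLE_LOG = """\
Jan 10 09:00:01 srv sshd[101]: Failed password for alice from 203.0.113.7 port 5001 ssh2
Jan 10 09:00:02 srv sshd[102]: Failed password for alice from 203.0.113.7 port 5002 ssh2
Jan 10 09:00:03 srv sshd[103]: Failed password for alice from 203.0.113.7 port 5003 ssh2
Jan 10 09:00:04 srv sshd[104]: Failed password for alice from 203.0.113.7 port 5004 ssh2
Jan 10 09:01:00 srv sshd[105]: Failed password for bob from 198.51.100.9 port 6001 ssh2
Jan 10 09:01:01 srv sshd[106]: Failed password for carol from 198.51.100.9 port 6002 ssh2
Jan 10 09:01:02 srv sshd[107]: Failed password for invalid user dave from 198.51.100.9 port 6003 ssh2
Jan 10 09:01:03 srv sshd[108]: Failed password for erin from 198.51.100.9 port 6004 ssh2
Jan 10 09:30:00 srv sshd[109]: Failed password for alice from 192.0.2.44 port 7001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(text):
    """Yield (timestamp, user, source_ip) for every failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; a fixed year is assumed for the sample.
            yield datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S"), m["user"], m["src"]

def classify_sources(text, window_s=300, min_failures=4):
    """Flag source IPs with >= min_failures failures inside one window and label the pattern:
    a single targeted account points to brute-force password guessing, while one or two
    attempts against each of many accounts is the credential-stuffing signature."""
    buckets = defaultdict(list)
    for ts, user, src in parse_failures(text):
        secs = (ts.hour * 60 + ts.minute) * 60 + ts.second
        buckets[(src, ts.date(), secs // window_s)].append(user)
    alerts = {}
    for (src, _day, _win), users in buckets.items():
        if len(users) < min_failures:
            continue  # below threshold: a few typos are not an attack indicator
        accounts = len(set(users))
        if accounts == 1:
            verdict = "brute force"
        elif accounts >= 0.8 * len(users):
            verdict = "credential stuffing"
        else:
            verdict = "mixed guessing"
        alerts[src] = {"failures": len(users), "accounts": accounts, "verdict": verdict}
    return alerts
```

In practice the same grouping is run on the authentication logs of the identity provider or VPN gateway, and a flagged source feeds the internal escalation procedure described further below.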


Needless to say, hackers and criminals continuously improve, adapt and refine their attack methods, tools and technology so that their attacks (continue to) achieve relatively high success rates. This has led to a highly diverse and dynamic threat landscape, with many other types of cyber attacks than the ones listed above. Other possible cyber attacks are:

Some attacks require only a minor weakness in the network or information system; often, human error or flawed security practices, processes and procedures suffice for the attack to succeed. The threat does not always originate from an external source either: it can also come from within the organisation itself, for example from a temporary employee or a (former) employee.

1. Internal escalation

Every organisation will be faced with an attack at some point. When an attack occurs, it is important that

  • (a) the attack indicators are detected as quickly as possible and are identified as such and
  • (b) the right people are informed.

This means that the appropriate detection, notification and escalation procedures must be developed and implemented. 

2. Business continuity plan

In some cases, it will immediately be clear that your organisation has been hit by a cyber attack. In that case, an implemented incident response program, including a tested business continuity plan (BCP), should enable your organisation to continue essential operations during downtime of the network or information system. The intention is to minimise the damage and impact and return as quickly as possible to business-as-usual.

3. Disaster recovery plan

An important part of the business continuity plan is the disaster recovery plan (DRP). This plan determines how the network and information system can be restored after a cyber attack. Such a plan is not only about drafting the required plans and policies, but also about testing them, together with their associated processes and procedures, beforehand.

B. Appoint a task force

In addition to putting in place technical and organisational measures to detect a cyber attack, your organisation must act swiftly and correctly should a cyber attack occur. Therefore, an indispensable part of your organisation's cyber incident response program is appointing a cyber incident task force consisting of the right people.

Although the concrete composition of the cyber incident task force may vary from organisation to organisation, it typically includes people from higher management and representatives from the IT department, the legal department, compliance (including the DPO), and the marketing department.

The organisation’s cyber incident task force should be able to (e-)meet at very short notice to make decisions in accordance with the cyber incident response plan. The task force will play an important role in the way the cyber attack is handled and communicated within the organisation and to the general public. Certainly for listed organisations, communication is absolutely crucial.

C. Next steps

1. What do you have to do immediately if you haven't done it yet?

  • Assess your organisation’s current maturity level in the cybersecurity domain.
  • Implement the required technical and organisational measures and capabilities to detect cyber-attacks as soon as possible and respond appropriately.
  • Develop, implement and test an adequate cyber incident response program, which includes among others the implementation of a BCP and DRP.
  • Appoint a cyber-attack task force consisting of the right people.
  • Raise awareness across the whole organisation with regard to indicators of potential cyber-attacks.
  • Monitor the cyber risk landscape continuously.
  • Periodically review the steps taken under the cyber incident response program, taking into account new cyber threats but also past experiences and lessons learned.

2. What do you need to do if a cyber attack occurs?

  • Get the cyber incident task force together immediately. Seek outside help when required.
  • Follow the organisation’s cyber incident response plans and procedures.
  • Minimise the impact on the organisation by taking the appropriate mitigation measures.
  • Comply with applicable legal obligations (notification needed?).
  • Implement additional measures to prevent similar future cyber attacks.

Do you need immediate assistance? Call our cybersecurity hotline.

Related

This article is part 1 of our cybersecurity series:

  1. Help! I’ve been hacked.
  2. Your service provider goes down. What now?
  3. Who do I need to notify, what are my legal obligations?
  4. How can we help improve your cybersecurity?