What to do when your organization has been compromised by a cyber attack (ITSAP.00.009) – Canadian Centre for Cyber Security

Summary

This guidance from the Canadian Centre for Cyber Security outlines immediate actions organisations should take after detecting a compromise to reduce impact and preserve evidence. It covers first-aid steps for devices and users, verification procedures, containment options, evidence collection (volatile and non-volatile), stakeholder notification, and legal/reporting considerations for Canadian organisations (including PIPEDA requirements for the private sector).

Key Points

  • Keep potentially compromised devices powered on and locked. Do not shut down, reboot or log off: volatile evidence such as RAM contents, running processes and open network connections is lost the moment power is cut.
  • Contact your IT team immediately so they can verify the incident, and give them the details they need: when the problem was first noticed, which devices are affected, who has access to them, when they were last updated or patched, and what data is suspected to have been exfiltrated.
  • Contain the incident by isolating the affected devices: quarantine them on the network or move them to a separate VLAN, disable the NIC or Wi‑Fi or unplug the network cable (without powering off), and revoke access granted to third‑party applications.
  • Inform the relevant stakeholders early, including legal, finance, and any cloud or managed service providers, and follow your reporting obligations (PIPEDA / Office of the Privacy Commissioner) where they apply.
  • Collect evidence from a dedicated forensics workstation: acquire volatile evidence first (RAM), then non‑volatile evidence (disk images), and store the collected artefacts securely on external media rather than on the compromised system.
  • Check for full‑disk encryption such as BitLocker before imaging, and have the recovery keys ready; an image of an encrypted volume is unusable without them.
  • Document every action taken during the investigation, and obtain authorisation before forensic imaging, to avoid contaminating evidence or creating legal problems later.
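The following script is an added example and is not part of the Cyber Centre guidance. It walks the containment-and-collection order from the points above on a Linux host: take the NIC offline while leaving the machine powered on, capture volatile state first, check for full‑disk encryption before imaging (LUKS here, as the Linux analogue of the page's BitLocker check; on Windows the equivalent is `manage-bde -status` or `Get-BitLockerVolume`), image the disk to external storage, hash both source and image, and append every action to a chain‑of‑custody log. The evidence directory, the `OPERATOR` variable, the `run` argument and the choice of LiME/AVML for RAM capture are my assumptions.

```shell
#!/bin/sh
# Added example (not from the Cyber Centre page): first-responder evidence
# helper for a compromised Linux host. Assumptions: run as root, EVIDENCE_DIR
# is a mounted external drive, OPERATOR is the responder's name.
set -u

EVIDENCE_DIR="${EVIDENCE_DIR:-/mnt/evidence}"
OPERATOR="${OPERATOR:-unknown}"

log_action() {
    # Chain-of-custody record: UTC timestamp, operator, what was done.
    mkdir -p "$EVIDENCE_DIR"
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$OPERATOR" "$*" \
        >> "$EVIDENCE_DIR/custody.log"
}

hash_artifact() {
    # Record the SHA-256 of a collected file so later modification is
    # detectable; print just the digest for the caller.
    line=$(sha256sum "$1")
    printf '%s\n' "$line" >> "$EVIDENCE_DIR/hashes.sha256"
    printf '%s\n' "${line%% *}"
}

isolate_host() {
    # Containment: take the NIC off the network but leave the machine powered
    # on and locked, so RAM and open sessions survive for acquisition.
    log_action "isolate_host: ip link set dev $1 down"
    ip link set dev "$1" down
}

collect_volatile() {
    # Volatile data first: it vanishes on reboot or power-off.
    out="$EVIDENCE_DIR/volatile"
    mkdir -p "$out"
    log_action "collect_volatile: start"
    date -u > "$out/clock.txt"
    uptime > "$out/uptime.txt"
    ps -eo pid,ppid,user,etime,args > "$out/processes.txt"
    ss -tunap > "$out/sockets.txt" 2>/dev/null || netstat -tunap > "$out/sockets.txt"
    ip addr > "$out/ip_addr.txt"
    ip route > "$out/ip_route.txt"
    who > "$out/logged_in.txt"
    cat /proc/modules > "$out/modules.txt"
    # A full RAM dump needs a capture tool such as LiME or AVML (assumed to be
    # carried on the forensics workstation); run it here, before any disk work.
    for f in "$out"/*; do hash_artifact "$f" > /dev/null; done
    log_action "collect_volatile: done, hashes recorded"
}

is_luks() {
    # Linux analogue of the page's BitLocker check: a LUKS volume begins with
    # the magic bytes "LUKS" 0xBA 0xBE. Know this before imaging, because the
    # image is useless without the passphrase or recovery key.
    [ "$(head -c 4 "$1" 2>/dev/null)" = "LUKS" ]
}

acquire_disk_image() {
    # Non-volatile data: bit-for-bit copy of $1 to $2 on external storage,
    # then hash source and image and fail if they differ. conv=noerror keeps
    # going past read errors; on a disk with bad sectors the hashes will
    # differ, and the log records that.
    src=$1; img=$2
    if is_luks "$src"; then
        log_action "acquire_disk_image: $src is LUKS-encrypted; recovery key required"
    fi
    log_action "acquire_disk_image: dd if=$src of=$img"
    dd if="$src" of="$img" bs=4M conv=noerror 2>> "$EVIDENCE_DIR/dd.log" || return 1
    src_hash=$(hash_artifact "$src")
    img_hash=$(hash_artifact "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        log_action "acquire_disk_image: HASH MISMATCH $src_hash != $img_hash"
        return 1
    fi
    log_action "acquire_disk_image: verified sha256 $img_hash"
    printf '%s\n' "$img_hash"
}

# Usage (as root, assumed layout):
#   EVIDENCE_DIR=/mnt/evidence OPERATOR=jdoe sh respond.sh run eth0 /dev/sda
if [ "${1:-}" = "run" ]; then
    isolate_host "$2"
    collect_volatile
    acquire_disk_image "$3" "$EVIDENCE_DIR/$(basename "$3").img"
fi
```

The order of the functions is the point: network isolation happens before anything is written to disk, volatile state is captured before the disk is touched, and every step lands in `custody.log` with a timestamp and operator name so the record the page asks for is produced as a side effect rather than reconstructed afterwards.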

Context and Relevance

Cyber attacks affect organisations of all sizes and sectors; this guidance is practical for IT teams, managers and decision makers needing a clear checklist in the immediate aftermath of a compromise. It ties into larger trends — ransomware, cloud and third‑party risk, remote working — and clarifies Canadian legal obligations for breach notification and record keeping.

Why should I read this?

Short version: don’t fumble the first few minutes — those minutes matter. This is a punchy, practical checklist that tells you what to do (and what not to do) right away so you preserve evidence and limit damage. If you’re responsible for systems or data, skim it now — you’ll thank yourself later.

Source

Source: https://cyber.gc.ca/en/guidance/what-do-when-your-organization-has-been-compromised-cyber-attack-itsap00009