Data Protection Academy » Data Protection Wiki » IT security incident: Responding correctly in an emergency

IT security incident

IT security incident: Responding correctly in an emergency

Cyber attacks have become highly professionalised in recent years and cause up to 220 billion euros in damage per year in Germany alone. They cause the failure of information and production systems or the disruption of internal processes, often through the use of ransomware via phishing attacks.

The aim of this paper is to help you proceed in an informed and considered manner in the event of an IT security incident. You will get practical tips on how to recognise IT security incidents and how to prepare and deal with them. Nevertheless, the topic is complex. Every company has different requirements and needs individually adapted measures. Therefore, this article does not go into technical depth and is not intended to be a conclusive examination of the topic. Rather, the article is intended to give you, as the person in charge of a company, the most important key points to take with you on your way.

What is an IT security incident?

An IT security incident is an event or emergency that has a negative impact on the information security of a company. In IT security incidents, the information security criteria (confidentiality, availability and integrity of information) in business processes and IT systems are compromised in such a way that major damage can occur. Malicious action, non-compliance with a security policy rule or generally any kind of information security breach fall under the definition of an IT security incident. IT security incidents have a greater or lesser impact in different contexts and situations.

IT systems play a central role for many companies. A failure of these systems can lead to a complete standstill, high claims for damages or even insolvency of the company. Furthermore, there is also the threat of damage to the company's image, loss of customers or infringements of the law.

Some IT security incidents are simple "glitches" while other incidents that can cause significant damage are emergencies. Each type of IT security incident needs a customised action plan to ensure a quick resolution of the problem. Therefore, it is important to know how to recognise and prepare for IT security incidents in order to react properly in case of an emergency.

How do I recognise an IT security incident?

Since not every event is a security incident, you should immediately check whether at least one of the information security criteria is affected:

  • Confidentiality: If your data has been stolen or confidential information has been sent to the wrong recipient, the confidentiality of your data is no longer guaranteed.
  • Availability: The availability of your data is affected if, for example, a hard disk with critical data is defective or important IT systems are no longer accessible.
  • Integrity: The integrity of your data is no longer guaranteed if, for example, one of your computers is infected by a Trojan or your bookkeeping is suddenly no longer correct.

Examples of IT security incidents

Three common security incidents are briefly presented below.  

Ransomware attacks

Ransomware is malicious software used to block access to a computer or mobile phones or to encrypt personal data. Most commonly, ransomware is operated through phishing. This happens by sending an email to the target organisation or individuals asking the recipient to open an attachment or download a file. Once the attachment is opened or the file is downloaded, the ransomware is installed on the computer and penetrates the victim's computer network. Cybercriminals often use ransomware to demand a ransom from the victim in exchange for a decryption key. If the victim refuses, the attackers may threaten to publish the confidential or critical information.

Phishing attacks

Phishing attacks are fraudulent activities by cybercriminals in which disguised emails or text messages are sent to individuals or organisations. Usually, readers are asked to divulge sensitive data (bank details or passwords for accounts) or to click links to dubious websites. These emails try to create a sense of urgency in you, urging you to act quickly to avoid losing your data or account, for example.

Information theft

Information theft is the loss of a laptop, USB stick or other IT equipment on which confidential documents are stored.

ISMS audit and ISO 27001 audit

Regular audits of your information security system contribute to the optimisation of your information security. By means of an ISMS audit, the current status of your information security management is analysed and documented by our TÜV / DEKRA certified consultants in your company. Open measures are recorded, prioritised and recorded in a concrete action plan. Find out about the benefits, process and costs with Robin Data.

How should one react in the event of an IT security incident?

In an emergency situation it is important to remain calm. First have the seriousness of the situation assessed before acting to avoid hasty and ill-considered action. If you have dealt with your information security before an attack, you will certainly have created security guidelines that drive the individual management of each security incident. In that case, refer to the documentation and follow the defined procedures and security policies to restore your business processes and IT infrastructure. To avoid reputational damage and liability to third parties, you should also follow the communication procedures described in your emergency response manual.

If you do not have an internal or external information security officer please feel free to contact us. Robin Data's experienced experts will be happy to set up an information security management system with you and create emergency concepts with you.

How do you prepare for an IT security incident?

Implement a system in advance that Information Security Management System (ISMS). Define in the ISMS which processes and policies are necessary to continuously improve the security of corporate information. Protect your critical business processes by setting up a business continuity management system (BCM). Appoint an information security officer to deal with issues related to the security of information. Information Security busy. You should also conduct regular penetration tests or vulnerability audits to create a constant and up-to-date overview of your information security. In addition, you can also take out cyber security insurance.

To ensure that you are as well prepared as possible for an IT security incident, you should answer the following questions in advance:

  • How can I tell that I am/was being attacked?
  • What is the fastest way to reach my IT service providers?
  • What is the treatment procedure?
  • Who can I get advice from?
  • What damage has occurred or can still occur?
  • How can I avoid further damage?
  • How to recover lost data?
  • How expensive are the damages?

External Information Security Officer

You are welcome to contact us as external Information Security Officer (ISB) order. We also offer individual consulting services as well as audits in the area of information security. We will be happy to provide you with a non-binding offer. You can find more information about our external information security officers on our website.

7 tips for the right approach

These tips will help you make appropriate decisions and react as quickly and safely as possible in the event of an incident.

  1. Respond swiftly: You should act thoughtfully but quickly in order to lose as little time as possible and not create any commotion in the company.
  2. Keep evidence and dataDo not alter or delete the data so that no traces are covered. Instead, work with copies until possible evidence has been forensically secured.
  3. Leave the system unchanged: Do not switch off the system and do not reboot the computer, this could lead to the destruction of important traces.
  4. Report the relevant internal bodiesInform the responsible or affected departments, such as the management, the legal department and the data protection officer as well as the IT security officer. Determine with the departments which other internal bodies need to be informed. Insofar as the perpetrator has not been caught, check which persons are trustworthy and do not unnecessarily expand the circle of informed persons. If necessary, form a crisis response team.
  5. Document the incident carefullyLog all steps taken and observations made and determine the exact facts (type, scope, date, time). Document the affected systems from which data has been lost and determine exactly what happened.
  6. Involve qualified experts in good timeGet external help, such as IT forensics experts, to ensure that the facts of the case are clarified and processed in a way that is legally compliant.
  7. Inform external bodiesClarify with your crisis response team whether external bodies such as supervisory authorities need to be informed. In some cases, the disclosure of information is regulated by law (e.g. the GDPR) and non-compliance may lead to a fine.


Threats are constantly evolving and to keep up, you should best prepare your company for them. Therefore, it is necessary to be aware of the risks and take concrete, preventive measures. With a mature and tested response plan, as well as an emergency response manual, the amount of damage and the attacker's success can be minimised.

Caroline Schwabe

This might interest you too:

IT security incident

TISAX requirements: Prepare certification step by step

TISAX® requirements: Information on the question catalogue, maturity levels and certification. Prepare the assessment level and audit.

ISMS: definition, implementation, standards

All information on the information security management system: delimitation of DPMS, notes on implementation, norms and standards

Protection of information and data

What is information security? Tasks of the information security officer and differentiation from data protection.