We’ve all heard of businesses getting hit by cyber-attacks. The headlines come and go, but what actually happens after the breach? CBIZ’s Technology team has helped countless small and mid-sized companies recover in real time, and we’ve learned what truly matters in those critical early hours.
Picture this: Ransomware locks you out of everything. Has your IT team ever practiced a full system rebuild? Do they know how to recover from “bare metal”? Finding an uncompromised machine just to access backups can be the first hurdle.
Questions to Answer After a Cyber-Attack
- Should you pay the ransom? Legal and ethical factors vary by case. If a vendor was hit and you’re caught in the fallout, payment might not even be an option.
- Are you required to report this? Regulators and law enforcement might need to be notified, which could trigger reputational and legal consequences.
- What about cyber insurance? Notifying your carrier launches a process that involves legal counsel, breach coaches, and forensic firms. All while you’re trying to keep the business running.
- Who’s allowed to speak? Employees, customers, the media, everyone will want answers. A clear communication plan is essential.
That’s why tabletop exercises matter. They let your team walk through chaos in a controlled setting. One consistent question: if systems are down, how does your crisis team communicate securely? Secure, off-network options like Signal, WhatsApp, Proton Mail, or Tutanota should already be set up, tested, and known to the team. Many law firms and breach coaches insist on it.
Key Questions for IT Once Damage is Assessed
- Do secure, untouched backups exist?
- Are backups encrypted, and do we still have the keys?
- Who has the technical skill to run recovery if key staff are unavailable?
- Have we documented and tested our rebuild process?
And even with good backups, where do you restore them? If systems need to be preserved for forensic analysis, you may need replacement hardware. That hardware must be wiped and rebuilt to a “known clean” state, no shortcuts. That means reinstalling operating systems and endpoint protection, whether on-prem or in the cloud.
Every restored system passes through a digital quarantine. It’s scanned for infection before joining the new production environment. If legacy systems were part of the original breach, now’s the time to modernize. Restoring vulnerable infrastructure only invites a second attack.
Recovery is round-the-clock work. But if your procedures are sound, your systems clean, and your team is ready, you can do it.
Final Thought
Benjamin Franklin said it best: Failing to plan is planning to fail. Recovery from a cyber-attack is not an improvised effort. It’s a business-wide operation that must be tested ahead of time.
The average cost of a cyber incident is around $5 million, before considering long-term damage to reputation and trust. CBIZ Managed Security Services brings top-tier security monitoring to companies of any size, plugging into your existing systems and giving you access to our Security Operations Center and expert triage response.
Cyber resiliency isn’t just IT’s job. It’s everyone’s business.
Ready to strengthen your business resiliency with expert IT and security support? Reach out to CBIZ’s Technology team today.
© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.
