I don't want to talk about endpoint protection, next-gen firewalls, multi-factor authentication, or other security technologies.  I also don't want to scold you about what SHOULD have been in place.

Instead I want to offer you some helpful things to consider when managing a cyber-incident.

1. Identify the incident clearly.  Was there an incident even? What do we KNOW vs. what do we THINK vs. what might be coincidence?

2. Inform users that they are not in trouble if they are the source of the incident.  Cyber incidents can happen to anyone.

3. Secondary information is not useful.  Bring in the user(s) that witnessed the incident and speak to them directly.

4. Assign roles for the IRT (incident response team).  In smaller organizations, one person might have multiple roles. You should have the following:

   1. A single point of contact (SPOC) who will communicate internally and externally

   2. A single approver of purchases (mileage, overtime, overnighting devices, hiring cyber...