What to Do During an Incident
A calm response method for the first minutes after a suspicious click, stolen account, lost device or exposed data.
Objectives and practical frame
At the end of this module, you will be able to:
- 01
recognize signs of an incident
- 02
avoid making things worse
- 03
preserve useful evidence
- 04
report through the right channel
13.1 Introduction
This section focuses on introduction in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
When something goes wrong, the first minutes matter. This module gives a practical response method: stop, preserve evidence, change channel, report, avoid improvising and reduce confusion while protecting accounts, devices and data.
13.2 What a security incident is
This section focuses on what a security incident is as an incident response situation where the first minutes matter.
The priority is to stop additional damage, preserve useful evidence, write down what happened and report through the right channel instead of improvising under pressure.
A good incident response starts with calm containment, clear notes, preserved evidence and fast reporting through the right channel
A good incident response starts with calm containment, clear notes, preserved evidence and fast reporting through the right channel.
13.3 The first principles to remember
This section focuses on the first principles to remember in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
13.4 General procedure during an incident
This section focuses on general procedure during an incident as an incident response situation where the first minutes matter.
The priority is to stop additional damage, preserve useful evidence, write down what happened and report through the right channel instead of improvising under pressure.
13.4.1 I clicked a suspicious link
This detail focuses on i clicked a suspicious link before the click. The useful skill is understanding where the action will really lead, not only what the visible text says.
For sensitive services, avoid relying on received links. Use the official app, a bookmark, a known address or an independently verified path.
13.4.2 I entered a password on a fake site
This detail focuses on i entered a password on a fake site as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
13.4.4 I opened a suspicious attachment
This detail focuses on i opened a suspicious attachment as an incident response situation where the first minutes matter.
The priority is to stop additional damage, preserve useful evidence, write down what happened and report through the right channel instead of improvising under pressure.
13.4.5 The PC is behaving strangely
This detail focuses on the pc is behaving strangely in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
13.4.6 A ransom request appears
This detail focuses on a ransom request appears as an incident response situation where the first minutes matter.
The priority is to stop additional damage, preserve useful evidence, write down what happened and report through the right channel instead of improvising under pressure.
13.4.7 I lost my smartphone or it was stolen
This detail focuses on i lost my smartphone or it was stolen as an incident response situation where the first minutes matter.
The priority is to stop additional damage, preserve useful evidence, write down what happened and report through the right channel instead of improvising under pressure.
13.4.8 My account was stolen
This detail focuses on my account was stolen as an incident response situation where the first minutes matter.
The priority is to stop additional damage, preserve useful evidence, write down what happened and report through the right channel instead of improvising under pressure.
13.4.9 I sent a document to the wrong person
This detail focuses on i sent a document to the wrong person as an incident response situation where the first minutes matter.
The priority is to stop additional damage, preserve useful evidence, write down what happened and report through the right channel instead of improvising under pressure.
13.4.10 I suspect a banking scam
This detail focuses on i suspect a banking scam as a form of deception built around context, pressure and a requested action.
The safest response is to read the request as a whole: sender, channel, timing, link, attachment, payment instruction, code request and independent verification path.
13.5 What to document
This section focuses on what to document as an incident response situation where the first minutes matter.
The priority is to stop additional damage, preserve useful evidence, write down what happened and report through the right channel instead of improvising under pressure.
13.5.1 What to always avoid
This detail focuses on what to always avoid in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
13.5.2 First 10 minutes mini-procedure
This detail focuses on first 10 minutes mini-procedure in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
Deleting everything immediately can destroy evidence needed to understand what happened.
Trying random fixes under pressure.
Use a predefined incident contact and write down what happened.
Incident response card
Prepare a short incident card for three scenarios: clicked phishing link, lost phone and suspected account takeover.
A good incident response starts with calm containment, clear notes, preserved evidence and fast reporting through the right channel.