Incident Response and Reporting for End-Users

What to Do When Things Go Wrong
Published on 27/06/2025

Knowing how to react when you suspect a cybersecurity incident can help minimise damage and aid in recovery.

  • Recognise Signs of an Incident:
    • Unusual Behaviour: Unexpected pop-ups, slow computer performance, applications crashing, files being modified or deleted, unfamiliar icons appearing.
    • Account Lockouts or Unauthorised Access: Being locked out of your accounts, or seeing activity you don't recognise (e.g., sent emails you didn't write, social media posts you didn't make).
    • Ransomware Demands: Messages demanding payment to unlock your files or device.
    • Antivirus Alerts: Your security software reporting a threat.

  • Immediate Steps to Take:
    • Disconnect from the Network: If you suspect malware, immediately disconnect the affected device from the internet and any local network to prevent it from spreading or communicating with attackers.
    • Do Not Panic or Delete Files Randomly: Avoid taking rash actions that could hinder investigation or recovery.
    • Do Not Pay Ransoms (Generally): While this can be a difficult decision, paying a ransom does not guarantee you will get your data back and can encourage further criminal activity. Consult with authorities first.

  • Change Your Passwords:
    • If you suspect any of your accounts have been compromised, change the passwords for those accounts immediately, starting with the most critical ones (email, banking). Use a separate, trusted device to do this.

  • Scan for Malware:
    • Run a full system scan using reputable antivirus and anti-malware software. If your current software doesn't find anything, consider getting a second opinion from another trusted scanner.

  • Report the Incident:
    • To Your Organisation's IT/Security Team: If the incident affects a work device or work accounts, report it immediately according to your organisation's policies.
    • To CERT-SC: Report significant incidents (e.g., ransomware, major data breaches) to CERT-SC. We can provide guidance and help track threats. https://cert-sc.sc/cyber-incident-report/
    • To Law Enforcement: For incidents involving criminal activity, report it to the police cybercrime unit.
    • To Service Providers: Report compromised accounts to the respective service provider (e.g., email provider, social media platform).

  • Restore from Backup (If Necessary):
    • If your data has been lost or corrupted, restore it from your secure backups (as per guideline 1) after ensuring the system is clean.

  • Learn from the Incident:
    • Once the incident is resolved, try to understand how it happened and what steps you can take to prevent similar incidents in the future.