Reporting an IT Security Incident
A security incident is any event that may have compromised — or appears to have compromised — the confidentiality, integrity, or availability of your company's data, accounts, or systems. Reporting an incident quickly, with as much detail as possible, allows our team to contain the situation and minimize damage.
This article explains what counts as a security incident, what evidence to capture before reporting, how to submit the incident report, and what not to do while waiting for a response.
What Counts as a Security Incident
Report a security incident any time you observe or suspect any of the following:
- Malware or ransomware — files renamed or encrypted, ransom notes, unfamiliar processes, antivirus alerts
- Data loss including fire, flood, or theft affecting company equipment or storage
- Phishing where credentials were entered or a suspicious link was clicked
- Suspicious or unauthorized account activity — MFA prompts you didn't initiate, sign-ins from unexpected locations, mail rules you didn't create, sent items you didn't send
- Lost or stolen company device — laptop, phone, tablet, USB drive, or any device with company data
- Suspected data exposure or accidental disclosure — an email or file sent to the wrong recipient, a document left publicly shared, sensitive data posted somewhere it shouldn't be
- Business email compromise, impersonation, or wire-fraud attempts — a request to change banking details, a vendor email that doesn't quite look right, an executive impersonation asking for an urgent transfer
- Unauthorized physical access to your office, server area, or networking equipment
- Unknown USB drive or device plugged into a company computer
- Tampering with company hardware — opened cases, missing components, unfamiliar peripherals
Evidence to Capture Before Reporting
Before submitting the report, gather as much of the following as you can. The more detail we have up front, the faster we can respond:
- Date and time you first noticed the issue
- Screenshots of error messages, ransom notes, suspicious dialogs, unusual browser address bars, or unexpected sign-in prompts
- Do not delete suspicious emails — if email is involved, preserve the original message. For phishing emails specifically, follow the steps in How to Report a Suspicious Email to forward it as an attachment so headers are preserved.
- Exactly what you were doing right before the issue appeared
- Any unusual prior activity — a slow computer, popups, password changes you didn't make, unexpected MFA prompts, missing or renamed files
- Affected files, accounts, and systems — which computer, which user account, which files or folders, which applications
How to Report a Security Incident
To ensure your incident is reviewed as quickly as possible, submit the online request first. Our team is mobile-first, and online submissions are our primary intake — submitting through the support portal is the fastest way for an on-call technician to be assigned.
- Visit https://theitexperience.com/supportrequest
- Select IT Security Incident as the request type
- Provide the incident date (and time, if known)
- In the Security Incident Information field, describe what happened, who is affected, and the suspected cause — include the evidence you gathered above
- Submit the request
- After submitting, call (603) 505-4290 to notify the on-call technician that a security incident has been reported
What Not to Do
While waiting for our team to respond, please do not:
- Pay any ransom under any circumstances — paying does not guarantee data recovery and can violate sanctions laws
- Attempt to "fix" or clean the system yourself — running cleaners, AV scans on your own, or restoring from backups before we've assessed the incident can destroy evidence and make the situation worse
- Notify customers, vendors, partners, or the public (including social media) before coordinating with company leadership and our team — premature disclosure can complicate response, legal, and insurance steps
- Email or message the suspicious account asking "did you send this?" — if the account is compromised, you may be alerting the attacker. Verify by phone or in person instead.