Learn how to recognize, respond to, and report security incidents effectively.
📚 Training Content
What is a Security Incident?
A security incident is any event that compromises the confidentiality, integrity, or availability of an organisation's information assets or violates security policies.
Examples:
- Clicking a phishing link
- Malware infection
- Unauthorised access to systems
- Data breach or leak
- Lost or stolen device with sensitive data
- Suspicious account activity
- Ransomware attack
Why Reporting Quickly Matters
Time is critical in cybersecurity incidents. The faster you report, the faster the security team can:
- Contain the threat before it spreads
- Prevent data theft or system damage
- Protect other users and systems
- Preserve evidence for investigation
- Meet legal and regulatory reporting requirements
Remember: It's always better to report a false alarm than to miss a real threat. Security teams would rather investigate something harmless than respond too late to something serious.
The Incident Response Process
1. Preparation: Have plans, tools, and trained personnel ready before incidents occur.
2. Identification: Recognize and confirm that a security incident has occurred.
3. Containment: Limit the scope and damage of the incident.
- Short-term: Immediate action to stop the spread (disconnect the infected device from the network, disable the compromised account)
- Long-term: Temporary fixes (patching, tightened access, extra monitoring) that keep systems running safely while permanent solutions are developed
4. Eradication: Remove the threat from the environment (delete malware, close vulnerabilities).
5. Recovery: Restore systems to normal operation, verify they are clean before reconnecting them, and monitor for signs of reinfection.
6. Lessons Learned: Review what happened, what worked, what didn't, and how to improve.
What to Report
Always report these situations immediately:
- ✅ Clicking suspicious links or downloading suspicious files
- ✅ Providing credentials to a potentially fake website
- ✅ Lost or stolen devices with company/sensitive data
- ✅ Unusual system behaviour or performance
- ✅ Unauthorised access attempts
- ✅ Suspicious emails or messages
- ✅ Unexpected password resets or account lockouts
- ✅ Missing or encrypted files
- ✅ Unfamiliar software installed on your device
For serious incidents: The organisation may also need to report to external bodies such as the Australian Cyber Security Centre (via ReportCyber at cyber.gov.au), IDCARE (for identity theft), or the Office of the Australian Information Commissioner (OAIC) for an eligible data breach under the Notifiable Data Breaches scheme. Leave these external notifications to the security and privacy teams; your job is to report internally, quickly.
Immediate Actions If You Suspect an Incident
If You Clicked a Suspicious Link:
- Don't panic
- Disconnect from the network immediately (turn off Wi-Fi or unplug the network cable)
- Don't shut down or restart: memory and running processes hold evidence that is lost on power-off
- Report to IT/security immediately
- Document what you clicked, when, and anything you typed into the page
- If you entered any credentials, change those passwords from a different, clean device
If Your Device is Acting Strange:
- Disconnect from network
- Document symptoms
- Don't delete anything or run "cleanup" tools yourself
- Report to IT/security
- Don't reconnect until cleared by security
If Your Account May Be Compromised:
- Change the password immediately (from a secure device)
- Enable MFA if not already active
- Review recent account activity (sign-ins, locations, devices)
- Report to the security team
- Check for unauthorised changes to account settings (mail forwarding rules, recovery email or phone, registered MFA devices)
Post-Incident Review: Learning from Incidents
After an incident is resolved, the security team conducts a "lessons learned" review:
- What happened: Root cause analysis
- Timeline: How events unfolded
- Response effectiveness: What worked well
- Improvements needed: Gaps in detection, response, or recovery
- Action items: Changes to prevent recurrence
Your Role: Participate honestly in reviews. The goal is improvement, not blame.
Building a Security Culture
Everyone plays a role in cybersecurity:
- Stay vigilant and aware of threats
- Report incidents promptly without fear
- Learn from incidents (yours and others')
- Follow security policies and best practices
- Ask questions when unsure
- Support colleagues who report incidents