Incident Response for Remote Teams
Security incidents happen. What matters is how quickly and effectively you respond. This guide covers the most common scenarios with step-by-step action plans.
Compromised Account
Severity: Critical
1. Change the password immediately, from a device you trust (not the one that may itself be compromised).
2. Enable or verify 2FA on the account, and confirm that no unknown phone numbers, authenticator apps or recovery codes were added.
3. Revoke all active sessions (force logout everywhere). Changing the password does not end existing sessions on every service, so do this as a separate step.
4. Check for unauthorized changes: mail forwarding rules and filters, recovery email and phone, connected apps and OAuth grants, API keys.
5. Notify your team and IT; the attacker may have reached shared resources (drives, channels, repositories).
6. If the same password was used anywhere else, change it there too.
7. Review the account's sign-in and activity logs to establish the scope of the unauthorized access: what was read, sent or changed, and from where.
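Step 4 is the one most often skipped, and mail rules are the most common persistence an attacker leaves behind after a mailbox takeover. The script below is an added example, not part of the original checklist: it audits an exported list of inbox rules in the shape returned by Microsoft Graph's `GET /me/mailFolders/inbox/messageRules` and flags rules that forward outside the organisation, that delete or hide mail matching sensitive keywords, or that have a blank name. The rules in `SAMPLE_RULES_JSON` are constructed sample data, and `ORG_DOMAINS` is an assumed value; in practice you paste in the JSON you fetched with your own token.

```python
"""Flag mailbox rules that look like attacker persistence.

Added example, not part of the original checklist. It audits an exported
list of inbox rules in the shape returned by Microsoft Graph's
GET /me/mailFolders/inbox/messageRules (actions.forwardTo, redirectTo,
forwardAsAttachmentTo, delete, moveToFolder). The rules below are
constructed sample data; ORG_DOMAINS is an assumed value.
"""
import json

ORG_DOMAINS = {"example.com"}  # assumed: domains that count as internal

# Constructed sample: what an attacker typically leaves behind after a
# business email compromise: silent forwarding to an outside mailbox,
# plus a rule that hides replies mentioning "password" or "invoice".
SAMPLE_RULES_JSON = """
{"value": [
  {"id": "r1", "displayName": "Newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["news"]},
   "actions": {"moveToFolder": "AAMk-sample-folder-id", "markAsRead": true}},
  {"id": "r2", "displayName": ".", "isEnabled": true,
   "conditions": {},
   "actions": {"forwardTo": [{"emailAddress": {"address": "backup.mail@gmail.example.net"}}],
               "stopProcessingRules": true}},
  {"id": "r3", "displayName": "RSS", "isEnabled": true,
   "conditions": {"bodyContains": ["password", "invoice", "wire"]},
   "actions": {"delete": true, "markAsRead": true}}
]}
"""

FORWARD_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
KEYWORD_FIELDS = ("bodyContains", "subjectContains", "bodyOrSubjectContains")


def external_targets(actions):
    """Return recipient addresses outside ORG_DOMAINS across all forward-type actions."""
    found = []
    for key in FORWARD_ACTIONS:
        for rcpt in actions.get(key, []):
            addr = rcpt.get("emailAddress", {}).get("address", "").lower()
            domain = addr.rpartition("@")[2]
            if domain and domain not in ORG_DOMAINS:
                found.append(addr)
    return found


def audit_rules(rules_json):
    """Return a list of (rule id, reason) findings for enabled rules that look malicious."""
    findings = []
    for rule in json.loads(rules_json)["value"]:
        if not rule.get("isEnabled", True):
            continue
        rid = rule["id"]
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})
        ext = external_targets(actions)
        if ext:
            findings.append((rid, "forwards mail to external address(es): " + ", ".join(ext)))
        # Rules that delete or hide mail matching sensitive keywords keep the
        # victim from noticing the attacker's own correspondence.
        keywords = [k for field in KEYWORD_FIELDS for k in conditions.get(field, [])]
        hides = bool(actions.get("delete")) or "moveToFolder" in actions
        if keywords and hides:
            findings.append((rid, f"hides or deletes mail matching {keywords}"))
        # Blank or punctuation-only names are a common attacker habit: easy to overlook.
        if not rule.get("displayName", "").strip(". -_"):
            findings.append((rid, "rule name is blank or punctuation only"))
    return findings


if __name__ == "__main__":
    for rid, reason in audit_rules(SAMPLE_RULES_JSON):
        print(f"[!] rule {rid}: {reason}")
```

The same three checks apply to Gmail filters (`users.settings.filters.list`, where the action is `forward`, `removeLabelIds` containing `INBOX`, or `addLabelIds` containing `TRASH`); only the field names differ.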
Lost or Stolen Device
Severity: Critical
1. Use Find My Device (or your company's MDM console) to locate, lock, or remotely wipe the device.
2. Change passwords for all accounts that were signed in on the device.
3. Revoke the device's sessions and access tokens (Google, Microsoft, Slack, etc.) from each service's security or devices page, so that credentials cached on the device stop working.
4. Notify your company's IT department immediately.
5. Report the loss to local police (a report number is usually needed for an insurance claim).
6. Monitor your accounts for unauthorized activity for the next 30 days.
7. If full-disk encryption was enabled (BitLocker/FileVault) and the device was locked or powered off when lost, data at rest is protected even without a wipe. A device lost while unlocked, or protected only by a weak PIN, does not get that guarantee, so still complete steps 1 to 3.
Phishing Attack (Clicked a Link)
Severity: High
1. If you suspect malware (you opened a download, or an attachment asked you to enable macros), disconnect from the internet immediately and keep the device off the network until it has been checked.
2. If you entered credentials on the page: change that password right now, then revoke the account's active sessions.
3. Run a full malware scan on the affected device.
4. Enable 2FA on the potentially compromised account.
5. Check for unauthorized activity on the account (sent mail, new forwarding rules, new connected apps).
6. Report the phishing email to your IT team and to the impersonated brand, keeping the original message with its headers intact rather than a screenshot.
7. Alert colleagues who may have received the same phishing email.
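When you report the message (step 6), IT will want the same three things every time: whether the visible sender, the envelope sender and the Reply-To agree, what the receiving server's Authentication-Results header says, and whether any link's visible text points somewhere other than its real destination. The script below is an added example, not part of the original checklist, that pulls those indicators out of a saved `.eml` file using only the Python standard library. `SAMPLE_EML` is a constructed message, not a real phishing email, and the `registrable()` helper is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Triage a suspicious email before reporting it.

Added example, not part of the original checklist. Reads a raw message
(the .eml you save from your mail client) and reports sender-domain
mismatches, failed SPF/DKIM/DMARC results, and links whose visible text
names a different site than the href. SAMPLE_EML is constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EML = """\
Return-Path: <bounce@mail-campaign.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-campaign.example.net; dkim=none; dmarc=fail header.from=bigbank.example
From: "BigBank Security" <alerts@bigbank.example>
Reply-To: support@bigbank-verify.example.net
To: victim@example.com
Subject: Unusual sign-in detected
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed a new sign-in. Please confirm your identity at
<a href="https://bigbank.example.login.verify-now.example.net/auth">https://www.bigbank.example/security</a>
or <a href="https://www.bigbank.example/help">Help Center</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    """Lower-cased domain part of an address header value such as '"X" <u@example.org>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def registrable(host):
    """Crude 'organisation' part: last two labels (simplification, no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw):
    """Return a list of human-readable findings for the raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"] or "")
    # Envelope sender and Reply-To should belong to the same organisation as From.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr] or "")
        if dom and registrable(dom) != registrable(from_dom):
            findings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")
    # Authentication-Results is written by the receiving server, not the sender.
    auth = msg["Authentication-Results"] or ""
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    # Links whose visible text is a URL or hostname for a different site.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real = urlparse(href).hostname or ""
            m = re.match(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
            shown = m.group(1).lower() if m else ""
            if shown and registrable(shown) != registrable(real):
                findings.append(f"link text shows {shown} but goes to {real}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("[!]", finding)
```

A clean result from this script does not prove a message is safe (a compromised legitimate mailbox passes every one of these checks); a dirty result is what to include in the report.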
Data Breach Notification
Severity: High
1. Identify what data was exposed (email, password, financial, personal).
2. Change the compromised password, and change it anywhere it was reused. If the breach exposed password hashes, treat the password as fully exposed; hashes of common passwords are cracked quickly.
3. Enable 2FA on the breached service.
4. Check haveibeenpwned.com for all of your email addresses to see which other breaches include them.
5. If financial data was exposed: contact your bank and enable fraud alerts.
6. If an SSN or ID number was exposed: freeze your credit at all bureaus.
7. Monitor affected accounts for 90 days.
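The checklist points at haveibeenpwned.com for email addresses; the same service has a Pwned Passwords range API that lets you check a password without ever sending it anywhere. The script below is an added example, not part of the original checklist, showing how that k-anonymity lookup works: the client hashes the password with SHA-1, sends only the first 5 hex characters, and scans the returned list of hash suffixes locally. `SAMPLE_RANGE_5BAA6` is a constructed response (the counts are made up) so the parsing and matching run offline; `fetch_range()` is the optional live call.

```python
"""Check a password against Have I Been Pwned without revealing it.

Added example, not part of the original checklist. Demonstrates the
Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>):
only the first 5 hex characters of the SHA-1 hash leave the machine, and
the match is done locally on the returned suffixes. SAMPLE_RANGE_5BAA6 is
constructed; its counts are not real.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the API returns for prefix 5BAA6 (the prefix of
# SHA-1("password")): "SUFFIX:COUNT" lines. Count 0 marks a padding entry
# that the server adds when the client sends "Add-Padding: true".
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5C3A1E9D5F0C0E9B4C8E0A4B7F2D3C1A0:0
"""


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (5-char prefix that is sent to the API, 35-char suffix that stays local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries have count 0."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count or 0)
    return table


def breach_count(password, range_body):
    """Times the password appears in the given range response (0 = not found)."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup of one prefix; Add-Padding hides the true size of the result set."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "ir-checklist-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_live(password):
    """Full round trip: fetch the range for the password's prefix, match locally."""
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print("password ->", breach_count("password", SAMPLE_RANGE_5BAA6))
    print("correct horse battery staple ->",
          breach_count("correct horse battery staple", SAMPLE_RANGE_5BAA6))
```

Because the server only ever sees the 5-character prefix, it learns at most that your password is one of the several hundred hashes in that range; that is the property that makes it acceptable to run this check on real passwords, which a plain "is my password in the list" API would not be.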
Suspicious Network Activity
Severity: Medium
1. Disconnect from the suspicious network immediately.
2. Connect via your phone's cellular hotspot instead.
3. Enable your VPN before reconnecting to any network you do not control.
4. Run a DNS leak test to confirm that DNS queries go through the VPN's resolver and not the local network's.
5. Check for unknown devices on your network (router admin panel); while there, confirm the admin password is not the factory default and the firmware is current.
6. If it is your home network, change the Wi-Fi password (and the router admin password).
7. If on public Wi-Fi: assume it is compromised and avoid sensitive activities, or do them only with the VPN connected.
Prevention Is Better Than Response
Most incidents are preventable with basic security hygiene:
+ Password manager with unique passwords
+ 2FA on every account (authenticator app or hardware security key rather than SMS)
+ VPN on any network you do not control
+ Full-disk encryption enabled
+ Software auto-updates enabled
+ Phishing awareness training