Incident Response for Remote Teams
Security incidents happen. What matters is how quickly and effectively you respond. This guide covers the most common scenarios with step-by-step action plans.
Compromised Account
Critical
1. Change the password immediately from a secure device
2. Enable/verify 2FA on the compromised account
3. Revoke all active sessions (force logout everywhere)
4. Check for unauthorized changes (forwarding rules, recovery email, connected apps)
5. Notify your team and IT — the attacker may have accessed shared resources
6. Check if the same password was used elsewhere (change those too)
7. Review account activity logs for the scope of unauthorized access
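Steps 4, 5 and 7 above can be worked through on an exported activity log. The following Python is an added example, not part of the original guide: it finds when unauthorized access began, which persistence changes to revert, and which resources the unrecognised device touched. The event schema, event type names, device names and sample data are all constructed assumptions, not any provider's real log format.

```python
# Constructed sample events; the field names and event types are assumptions,
# not any provider's real audit-log schema.
EVENTS = [
    {"ts": "2024-05-01T08:02:11Z", "type": "login", "device": "laptop-alice", "detail": "198.51.100.7"},
    {"ts": "2024-05-01T08:15:40Z", "type": "file_access", "device": "laptop-alice", "detail": "notes.txt"},
    {"ts": "2024-05-01T13:41:05Z", "type": "login", "device": "unknown-1", "detail": "203.0.113.50"},
    {"ts": "2024-05-01T13:43:22Z", "type": "forwarding_rule_added", "device": "unknown-1", "detail": "to ext@example.net"},
    {"ts": "2024-05-01T13:44:10Z", "type": "file_access", "device": "unknown-1", "detail": "shared/payroll.xlsx"},
    {"ts": "2024-05-01T13:50:00Z", "type": "file_access", "device": "laptop-alice", "detail": "todo.md"},
    {"ts": "2024-05-01T13:52:31Z", "type": "app_authorized", "device": "unknown-1", "detail": "MailSync"},
    {"ts": "2024-05-01T14:05:00Z", "type": "recovery_email_changed", "device": "unknown-1", "detail": "new@example.net"},
]
KNOWN_DEVICES = {"laptop-alice", "phone-alice"}
# Changes that keep working after a password reset, so they must be undone (step 4).
PERSISTENCE = {"forwarding_rule_added", "recovery_email_changed", "app_authorized"}


def scope_compromise(events, known_devices):
    """Return the start of unauthorized access, changes to undo, and resources touched."""
    report = {"start": None, "undo": [], "accessed": []}
    # ISO-8601 UTC timestamps in one fixed format sort correctly as strings.
    for e in sorted(events, key=lambda e: e["ts"]):
        unknown = e["device"] not in known_devices
        if report["start"] is None:
            if e["type"] == "login" and unknown:
                report["start"] = e["ts"]  # first sign-in from an unrecognised device
            continue
        if e["type"] in PERSISTENCE:
            # Flag every such change inside the window, even from a known device:
            # the account owner should confirm or revert each one.
            report["undo"].append((e["ts"], e["type"], e["detail"]))
        elif e["type"] == "file_access" and unknown:
            # Shared data the team needs to be told about (step 5).
            report["accessed"].append(e["detail"])
    return report


if __name__ == "__main__":
    r = scope_compromise(EVENTS, KNOWN_DEVICES)
    print("Unauthorized access began:", r["start"])
    for ts, kind, detail in r["undo"]:
        print("Revert:", ts, kind, detail)
    print("Resources accessed:", r["accessed"])
```

Everything before the first unrecognised sign-in is treated as legitimate, so keep the known-device list accurate before relying on the result.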
Lost or Stolen Device
Critical
1. Use Find My Device to locate, lock, or remotely wipe
2. Change passwords for all accounts logged in on the device
3. Revoke the device's access tokens (Google, Microsoft, Slack, etc.)
4. Notify your company's IT department immediately
5. Report to local police (needed for insurance)
6. Monitor accounts for unauthorized activity for the next 30 days
7. If encrypted (BitLocker/FileVault): data is protected even without wipe
Phishing Attack (Clicked a Link)
High
1. Disconnect from the internet immediately if malware is suspected
2. If you entered credentials: change that password RIGHT NOW
3. Run a full malware scan on the affected device
4. Enable 2FA on the potentially compromised account
5. Check for unauthorized activity on the account
6. Report the phishing email to your IT team and the impersonated brand
7. Alert colleagues who may have received the same phishing email
Data Breach Notification
High
1. Identify what data was exposed (email, password, financial, personal)
2. Change the compromised password (and anywhere it was reused)
3. Enable 2FA on the breached service
4. Check haveibeenpwned.com for all your email addresses
5. If financial data was exposed: contact bank, enable fraud alerts
6. If SSN/ID was exposed: freeze credit at all bureaus
7. Monitor affected accounts for 90 days
Suspicious Network Activity
Medium
1. Disconnect from the suspicious network immediately
2. Connect via your phone's cellular hotspot instead
3. Enable your VPN before reconnecting to any network
4. Run a DNS leak test to ensure your VPN is working properly
5. Check for unauthorized devices on your network (router admin panel)
6. Change your Wi-Fi password if it's your home network
7. If on public Wi-Fi: assume it's compromised and avoid sensitive activities
Prevention Is Better Than Response
Most incidents are preventable with basic security hygiene:
+ Password manager with unique passwords
+ 2FA on every account (authenticator app)
+ VPN on all networks
+ Full-disk encryption enabled
+ Software auto-updates enabled
+ Phishing awareness training
Frequently Asked Questions
For compromised accounts and lost devices: immediately (within minutes). Attackers move fast — the sooner you change passwords and revoke access, the less damage they can do. For data breach notifications: within 24 hours. For suspicious activity: investigate within the hour.
Yes, if you use that device for work. Your employer needs to know so they can revoke access to company resources, check for unauthorized access to company data, and help you secure your accounts. Most companies have incident response procedures that include personal device compromises.
For stolen devices: yes, for insurance purposes. For identity theft: file at identitytheft.gov (US) or your country's equivalent. For financial fraud: report to your bank and local police. For corporate breaches: your company's legal team handles regulatory reporting.