You’ve Been Hit by a Cyberattack: Here’s Your Next Move

The modern battlefield of cybersecurity isn’t just about code and firewalls — it’s a high-stakes game of human psychology and strategic response. 

In a recent two-part episode of Insight’s podcast, Insight On, Jeremy Nelson, Insight’s CISO for North America, walked listeners through the hacker’s mindset and the crucial plays in a successful defense. His biggest warning? The most dangerous attacks often exploit human behavior, not just technology.

The hacker’s most powerful weapon isn’t code.

Imagine a band of master thieves meticulously planning a bank heist. They don’t just smash through the front door. They case the building, identify the weakest points, and look for the path of least resistance to the biggest payout. Hackers operate with the same calculated precision. “The human beings are the weakest link in the chain every single time,” says Nelson.

Social engineering is the art of psychological manipulation, and it’s devastatingly effective. You’ve seen it play out in the news multiple times: A hacker, posing as a CEO or other high-level exec, urgently emails an employee, requesting deposits or gift cards for clients or employees. In this scenario, the hacker targets “the rule follower” and preys on a sense of urgency. Under pressure and wanting to be helpful, the employee complies — unknowingly wiring funds directly to the attacker. 

The wildcard: How AI is changing the game

Seasoned security teams know the drill when a breach hits. The first step is often to assemble the incident response team on a secure bridge call. This “war room” is where plans are made, tasks are assigned, and mitigation begins.

But here’s the new reality: That war room is now a target.

AI-powered deepfakes have given attackers the ability to impersonate trusted colleagues — even high-ranking executives — convincingly enough to join these calls unnoticed. Once inside, they can listen to recovery strategies in real time, anticipate countermeasures, and stay one step ahead.

This is a fundamental shift. The very act of executing your “best course of action” can now feed the adversary.

Why is this happening now? The reasons include:

  • Deepfake video and audio can mimic voices, faces, and mannerisms with frightening accuracy.
  • Credential compromise means attackers can log in as legitimate team members.
  • AI language models can replicate communication tone, making chat messages and emails indistinguishable from the real thing.

Adjustments security teams must make immediately:

  • Out-of-band communication channels: Establish secure, pre-vetted platforms for incident response that are separate from everyday collaboration tools.
  • Real-time identity verification: Require cameras-on and multi-factor validation for all participants joining a crisis bridge.
  • Participant audits: Designate a security lead to verify every attendee against an approved incident roster.
  • Compartmentalized communication: Keep technical recovery discussions separate from executive updates to limit exposure.
  • Practice protocols: Run tabletop exercises that include simulated “war room infiltration” scenarios.
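
The participant audit and identity checks listed above can be run as a simple script against the bridge's join records. This is an added example, not code from Insight or the podcast; the `Join` fields, the roster format, and all sample data are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Join:
    display_name: str   # shown in the meeting UI; anyone can type anything here
    account_id: str     # identity asserted by the bridge platform's sign-in
    mfa_verified: bool  # passed a fresh MFA challenge when joining
    camera_on: bool

# Constructed roster for illustration: account_id -> approved incident role
ROSTER = {"u1001": "incident commander", "u1002": "forensics lead",
          "u1003": "infrastructure lead"}

# Constructed join records for illustration
SAMPLE_JOINS = [
    Join("Dana (IC)", "u1001", True, True),
    Join("Lee - Forensics", "u1002", True, True),
    Join("Lee - Forensics", "u1002", False, False),  # second session, same account
    Join("CEO", "guest-7f", False, True),            # trusted name, unknown account
]

def audit_bridge(joins, roster):
    """Return (flagged, absent): sessions to remove or re-verify, and
    rostered accounts that have not joined yet."""
    sessions = Counter(j.account_id for j in joins)
    flagged = []
    for j in joins:
        reasons = []
        if j.account_id not in roster:
            reasons.append("not on approved roster")
        if not j.mfa_verified:
            reasons.append("no MFA validation")
        if not j.camera_on:
            reasons.append("camera off")
        if sessions[j.account_id] > 1:
            reasons.append("duplicate session for account")
        if reasons:
            flagged.append((j.account_id, j.display_name, reasons))
    absent = sorted(set(roster) - set(sessions))
    return flagged, absent

if __name__ == "__main__":
    flagged, absent = audit_bridge(SAMPLE_JOINS, ROSTER)
    for account_id, name, reasons in flagged:
        print(f"VERIFY {account_id} ({name}): {', '.join(reasons)}")
    print("Not yet joined:", ", ".join(absent) or "none")
```

Both sessions of a duplicated account are flagged because the audit alone cannot tell which one is the real person; the security lead resolves that over the out-of-band channel.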

AI has raised the stakes. The war room is no longer automatically safe — and defending it is critical. 

Response is a marathon, not a sprint.

When a breach hits, the instinct is to panic and immediately try to restore operations. However, this is often the worst possible response. The single most detrimental action a victim can take is to ignore the suspicious activity, hoping it will resolve itself. But the second worst? Rushing to restore from backups without understanding the full scope of the attack. As Nelson puts it, “The worst thing that you can do is to just ignore it,” but also, “don't rush to restore.”

Immediately restoring systems from a backup can be a fatal move. Why? Because you may also restore the attacker’s tools, giving them instant access to relaunch the attack. In one case, Nelson shared, a company hit by a ransomware attack restored everything from backup without first removing the threat actor’s presence. Within 24 hours, the same group took them offline again.

Beyond the technical hurdles, a breach takes a profound human toll. The intense pressure and long hours can lead to staff burnout, negatively impacting the very team tasked with recovery. A robust incident response plan must account for flexible staffing, clear documentation, and realistic expectations to sustain your team through the crisis.

Build a resilient defense that goes beyond reaction.

The hacker's playbook is constantly evolving, driven by cunning psychology and advanced AI. But the defender's playbook can be just as sophisticated, provided it emphasizes human awareness, meticulous planning, and a proactive stance.

Effective cybersecurity today means:

  • Prioritizing human-centric defenses against social engineering
  • Implementing secure, out-of-band communication for incident response
  • Investing in thorough forensics before any restoration
  • Developing flexible staffing and documentation to prevent burnout
  • Integrating robust third-party risk management into your overall strategy

Morgan Ammirati Robert

Marketing Specialist, Insight

Morgan has spent five years with Insight, holding various marketing roles that led to her current specialization in security and software content. Her sales background provides a unique perspective that allows her to create content that deeply resonates with the audience. Ultimately, Morgan's goal is to make complex topics simple and actionable, helping businesses succeed through her work at Insight.