You likely have heard the phrase ‘Stop, Drop & Roll’ frequently used during fire safety drills. In today’s cybersecurity world, there’s another phrase to become familiar with should you ever find your business faced with a cyberattack: Detect, Disconnect & Describe.

Estimated read time: 4 minutes

3 part image of magnifying glass, electrical outlet and person writing on paper with a pen.

The Three Ds of Cybersecurity

Most business owners and organizational leaders have heard the terms ransomware, cyberattack and phishing, but what happens when you are actually faced with a cyberattack?

Every business utilizing any technology is at risk of a cyberattack. This is a simple, yet daunting fact of today’s digital age. As you can imagine, a lot of discussion in businesses today centers around the topic of cybersecurity and the preventative measures needed to help prevent attacks. One item that doesn’t often get discussed is what steps are necessary if your network is breached. How would you find out about it and what should you do first?

Detect, Disconnect and Describe is an easy phrase to help you remember the first critical steps to take if you suspect or know your business data or network has received malware, ransomware or been breached. We recently shared the 3 Ds in a radio interview with Hamilton Division Manager, Dereck Djernes. Take a minute to listen to the interview here and become familiar with the 3 Ds that are critical to follow in the event of a breach.

Estimated watch time: 6 minutes, 3 seconds.


The first step and word to remember is ‘Detect.’ Should you receive a ransomware notice or discover a hacked system, you should immediately notify your IT department, Managed IT provider, or a trusted IT professional. This might go without saying, but notifying the proper people within your organization in a timely manner is absolutely critical. Time is of the essence and the right people need to be contacted as quickly as possible. This means that your staff and employees should know WHO that contact person is and HOW they can quickly get in touch with them.

Because IT team members have a vast array of work they handle each day, it is necessary to have automatic tools in place to help continuously monitor your company’s network and infrastructure, scouring for unwanted activity. Bad actors have become very sophisticated in their methods of accessing all types of systems and remaining hidden to cause the most damage.

Having the tools in place to identify suspicious happenings in your network will aid in the quick discovery of a breach, should one occur. Knowing which controls are needed can be difficult and most organizations choose to work with a third-party expert, like Hamilton, to ensure that they have the right controls in place. Keep in mind both the security of your network and data operations, as well as the security of your physical assets and facility.


Even when your organization has taken measures to mitigate the risk of security breaches, there is always some level of risk. Upon detecting a breach, the next step you should take is to ‘Disconnect’.

The first, most immediate action is that the affected machine or hardware needs to be turned off and disconnected from the network.

In the case where an employee identifies a problem, he or she should notify their internal IT team member and management. If the organization has outsourced its cyber solutions, the IT department will contact the external service provider who will begin to isolate the devices. Similarly, the provider will communicate any breach it detects to management and begin to quarantine infected machines.

Depending on the issue, you may need to contact your cyber insurance company to begin evaluating the situation. The impacted environments should not be restored until the IT team members have fully reviewed, assessed and mitigated the situation.


The investigating team will likely conduct interviews with employees as well as any outside vendors to recount the happenings in a clear and concise manner.  The results of the cyberattack investigation will show you the “what, when and where” of the breach.

The stigma of a cyberattack can complicate a business’s response but all information should be reported in detail as withholding details can delay mitigation and cause greater risk.  All parties involved must work together and be on the same page.

The consequences of a cyberattack sound scary and time-consuming to most business owners who are already stretched thin. An experienced managed service provider (MSP) like Hamilton, however, will carefully guide you through the chaos back to restoration.

Put yourself in a position to have both security and peace of mind. Contact our experts at 308.381.1000 for information on how we can help you with a response plan and more importantly help set your business up with putting preventative measures in place before a cyberattack happens.

Hosted phones for schools

You can get a better understanding of your cybersecurity posture with a risk assessment. For more information about what a CSRA means for your business, read our article “Cybersecurity Risk Assessment: A Test You Want to Take.”

Proactively secure your network and business with Hamilton.

Fill out the form below and one of our expert team members will be in contact with you very soon!

Feel free to call us directly at 308.381.1000.

Discover more about Hamilton Business Solutions here!