According to IBM, in 2020, it took organizations 207 days on average to identify a cyber security breach. That’s enough time for the perpetrator to infiltrate the systems and cause maximum damage. According to the same IBM research, these attacks cost $3.86 million on average.

So, how can businesses protect themselves?

By implementing strong cyber security incident reporting. 

Let’s dive into the specifics of a cyber security incident report and show you why drafting one should be your organization’s top cyber security agenda. 

First, let’s look at the different types of cyber security incidents.

Different Types of Cyber Incidents

Five cyber security incidents are the most prevalent in organizations. These are:

Phishing Attacks

Phishing is the unlawful gathering of personal data using deceptive emails and websites. Cybercriminals orchestrate phishing attacks to get private and confidential personal information such as passwords and banking details. 

They often masquerade as trusted websites or emails from individuals or organizations you know or have heard of. They’ll use links to solicit this information and then block the user from accessing services associated with the provided personal information. They may also perform unlawful operations with this data.


Malware combines trojans, worms, adware, file injectors, and ransomware. Malware often infiltrates machines through unauthorized installations. Users may also unknowingly install malware when installing freeware, antiviruses, and other applications. 

Cybercriminals embed malware with application code, making users install them unsuspectingly through the infected software.

Password Attacks

Hackers can manipulate accounts to steal passwords and access the account without the user’s consent. Cybercriminals use tricks such as brute force attacks, password cracking software, sniffing, password guessing, and dictionary attacks to gain access.

Password guessing is the simplest and requires little knowledge. This is why websites encourage you to create complex passwords for your accounts.

Drive-by Attacks

Drive-by attacks work by redirecting you to other websites when you click on a link on a website you’re visiting. These links typically have an enticing message such as “win gifts” or “dating tips.” 

Once redirected to the malicious site, a malicious script embedded in the code downloads or prompts you to download malware that corrupts your machine or steals data from it.

Man-in-the-Middle Attacks

A man-in-the-middle is an intruder to private communication between parties on a network. A man-in-the-middle attack happens when a cyber criminal gains access to communication over a network without the knowledge of the communicating parties.

Examples of man-in-the-middle attacks include session hijacking, eavesdropping, and email. It can be one of the hardest to detect.

So, how do you deal with these cyber security threats? By implementing robust cyber security incident reporting.

What is a Cyber Security Incident Report?

A cyber security incident report is a document detailing a cyber security incident and the measures IT and cyber security professionals should take or have taken to mitigate it. 

A cyber security incident report is usually filed under the context of a cyber security incident response plan that details the possible cyber security threats an organization can face and how the IT and cyber security teams should respond to them.

A cyber security incident report allows cyber security professionals to quickly and efficiently detect attacks, isolate affected systems or networks, and recover from any losses incurred.

Proper reporting, therefore, reduces the damages organizations face from a cyberattack. But is an incident report always necessary?

When is An Incident Report Necessary? 

Cyber security incident reporting is a matter taken seriously by the government. Generally, you want to file a cyber security incident report when the cyberattack:

  • Results in significant data loss, system unavailability, and lack of system control
  • It impacts a large number of victims
  • It affects critical IT infrastructure or core organizational functions
  • Impacts national, economic, or public health security

Ideally, you should not wait until the cyber attack leads to significant losses before filing an incident report. Once you’ve detected suspicious activity within the organization’s IT infrastructure or network, inform the IT team or cyber security professionals for immediate intervention.

Proper incidence reporting also ensures regulatory compliance for businesses and organizations. For instance, privacy laws such as GDPR require the public and, in some cases, affected users to be notified in case of a data breach in an organization storing their personal information.

So, what should you include in a cyber security incident report?

What You Should Include in a Cyber Security Incident Report?

Typically, you’ll want to report the type of incident that occurred, when and how the incident was detected, what response actions have been taken, and who’s aware of the attack. Regulation may also require you to disclose whether any personally identifiable information was compromised in the attack.

It is also important to specify which system or network the cyber attack took place in so that the response team may isolate it quickly. 

Let’s now look at different methodologies you can use to file a cybersecurity incident report. 

NIST and SANS Incident Report Methodologies

When responding to the incident report, cyber security professionals use different frameworks. Typically, they’ll use the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP 800-61) or the SANS institute Incident Handler’s Handbook. 

NIST Framework

According to the NIST framework, a cyber security incident report should be handled in four steps. These are:

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication, and recovery
  4. Post-incident activity

Using this framework, the cyber security professional will assemble their team, detect and ascertain the infected systems or networks, identify the source, and try to contain and recover from the attack.

The next process is typically assessing damage and severity before notifying the relevant parties according to the organization’s structure or regulatory requirements.

Finally, the cyber security professional and IT team work to prevent such an attack in the future.

SANS Framework

According to the SANS framework, the following are the response steps a cyber security professional should take:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons learned

The key difference between the NIST and SANS framework is in step 3. NIST groups containment, eradication, and recovery in one activity while SANS spreads it across three distinct steps.

Get the Help of Cyber Security Professionals

A strong cyber security response plan and a detailed cyber security incident report will help contain the damages your organization will incur from a cyber threat. Ensure your employees are aware of the possible cyber security threats online and train them on how they can report such incidences to the cyber security team.

 Get in touch with a cyber security professional to detail the best response plan for your organization.