11
Incident Response & Recovery
What to do in the first hour, the first day, and the week after.
Preparation, not improvisation
In an incident, the team that performs best is not the most technical one — it is the one that has agreed in advance who decides, who acts, who communicates, and how. A 1-page plan beats a 50-page document nobody has read.
A minimal incident response plan
• A primary on-call contact and a backup (with phone numbers, not just email).
• A trusted external partner for help (e.g. Access Now Helpline, a specialised NGO security partner).
• A pre-decided communication channel that is NOT the potentially compromised one (e.g. a Signal group on personal numbers).
• A short checklist for the first hour (see below).
• A simple template for notifying staff, partners, donors and authorities, where required.
The first hour
• Do not panic. Do not delete anything yet.
• Isolate: disconnect the affected device from the network; sign out of other sessions on the affected account; for crypto incidents, move surviving funds out of the affected wallet.
• Capture: take screenshots and save suspicious emails as full source / raw files; record exact timestamps and the URL of any malicious page.
• Reach a trusted helper. You do not have to debug this alone.
The first day
• Reset credentials from a clean device, prioritizing email, password manager, finance, admin and treasury accounts.
• Review and revoke active sessions and OAuth grants on critical accounts.
• For crypto incidents: revoke approvals on the affected wallet; check the entire wallet history; consider involving on-chain analytics support.
• Communicate factually: what you know, what you do not know yet, what people should do.
The week after
• Write a short, honest, blameless post-mortem: what happened, what worked, what did not, what changes follow.
• Assign owners and deadlines for each follow-up action.
• Share learnings within the team and, where appropriate, the wider NGO community.
An incident handled well — even one with real damage — can leave the organization measurably stronger than it was before.