Reputation is shaped less by incidents and more by how teams respond. The difference between a rushed misstep and a calm correct sequence is a simple plan prepared in advance.
Preparation is pre-incident work; once the incident starts, anything done by improvisation raises the chance of mistakes.
First 4 hours
- Document the suspicion (what, when, who noticed).
- Isolate affected systems and accounts.
- Revoke any suspicious keys immediately.
- Notify accountable people.
- Start a timeline log.
First 24 hours
Gather access logs, audit records and last login info. Resist generalization; rely on concrete evidence to define scope. If GDPR/KVKK notification rules apply, the timeline becomes critical.
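As an added example (not part of the original article), the scoping step above carried out in code: a suspect key is checked against constructed access-log lines, and only the systems and accounts the evidence actually shows are written into an append-only timeline. The log format, the key id `ak-2042`, the actor and system names and all timestamps are constructed assumptions.

```python
"""Evidence-based scoping plus a timestamped timeline log (added example;
the log format, key ids, names and timestamps below are constructed)."""
import json
from datetime import datetime, timezone

# Constructed sample: one JSON access-log record per line (hypothetical format).
ACCESS_LOG = """\
{"ts": "2024-05-01T08:02:11Z", "key": "ak-1001", "actor": "alice", "system": "billing-db", "action": "read"}
{"ts": "2024-05-01T09:15:40Z", "key": "ak-2042", "actor": "svc-export", "system": "s3-reports", "action": "list"}
{"ts": "2024-05-01T22:47:03Z", "key": "ak-2042", "actor": "svc-export", "system": "billing-db", "action": "dump"}
{"ts": "2024-05-01T22:49:30Z", "key": "ak-2042", "actor": "svc-export", "system": "crm-api", "action": "read"}
{"ts": "2024-05-02T01:10:00Z", "key": "ak-1001", "actor": "alice", "system": "billing-db", "action": "read"}
"""

def parse_ts(s: str) -> datetime:
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def define_scope(log_text: str, suspect_key: str, since: datetime) -> dict:
    """Scope = only what the records show: systems and accounts touched by the
    suspect key at or after the suspected start, with first/last observed use.
    Normal use of the same key before `since` is deliberately left out."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    hits = [r for r in records if r["key"] == suspect_key and parse_ts(r["ts"]) >= since]
    return {
        "systems": sorted({r["system"] for r in hits}),
        "actors": sorted({r["actor"] for r in hits}),
        "first_seen": min((r["ts"] for r in hits), default=None),
        "last_seen": max((r["ts"] for r in hits), default=None),
        "events": len(hits),
    }

class Timeline:
    """Append-only incident timeline: each entry records when, who and what."""
    def __init__(self):
        self.entries = []

    def record(self, who: str, what: str, when=None) -> dict:
        ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        entry = {"ts": ts, "who": who, "what": what}
        self.entries.append(entry)  # never edited or reordered afterwards
        return entry

if __name__ == "__main__":
    suspicion = parse_ts("2024-05-01T22:00:00Z")
    tl = Timeline()
    tl.record("on-call", "Suspicious 'dump' by key ak-2042 noticed in access log", suspicion)
    scope = define_scope(ACCESS_LOG, "ak-2042", suspicion)
    tl.record("on-call", "Scope from evidence: " + json.dumps(scope))
    print(json.dumps(tl.entries, indent=2))
```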
Communication
Internal communication first, then external. Customer messages should be clear, honest and action-oriented. Share verified information instead of speculation; avoid contradicting yourself later.
Checklist
- Documented timeline exists.
- Suspicious keys revoked.
- Scope is defined.
- Authorities notified as required.
- Customer message draft is ready.
FAQ
What if I do not notify?
GDPR/KVKK frameworks impose notification duties; failing to comply can lead to penalties. Decide with legal counsel.
What changes after the incident?
A post-mortem identifies the root cause and adds checkpoints. This learning loop is what restores trust.