    Beginner · Lesson 5 of 5 · Foundations

    Reporting & Incident Hygiene — The First 30 Minutes Matter Most

    When you suspect a security incident, what you do in the first 30 minutes determines how much damage gets contained. This lesson teaches the four moves to make immediately, the four moves to NOT make, who to call, what evidence to preserve, and how NIS2 and GDPR reporting clocks work for non-technical staff.

    Reviewed by the HackersHub team · updated 13 May 2026 · 6 min read · Free to use (CC-BY-ND 4.0)

    The scenario

    A receptionist at a 200-person Dutch SaaS company sees an unfamiliar program window pop up on a colleague's monitor while passing by: 'Your files have been encrypted. Pay 1.5 BTC within 48 hours.' The colleague is at lunch. The receptionist's first instinct is to turn off the laptop to 'stop the spread'. Her second instinct is to call IT. She calls IT first. They tell her: do NOT power off, do NOT close the program, do NOT unplug from the network. Take a phone photo of the screen. Leave the device exactly as it is. They arrive within 12 minutes, disconnect the device from the network (not the same as powering off), capture forensic state from the live system, and find that the ransomware had not yet reached the file server because the network was segmented. The damage is contained to one laptop. If she had powered off, the running process, its network connections and any key material held in RAM would have been lost, and the forensic team would have had a far harder time identifying the strain and pinning down the time of compromise. Her two-minute pause to call first saved the response.

    How the attack works

    When something feels wrong, the first decision is whether to report. Default: report. Reporting is free, fast, and tells security something they need to know, even if it turns out to be nothing.

    The four moves to make immediately:

    **(1) Stop interacting** with the suspicious thing: don't click further, don't type more, don't open more files.
    **(2) Capture context**: take a phone photo of the screen, note the time, and note what you were doing when it started.
    **(3) Report** through your fastest channel: security email, Slack #security, the IT helpdesk, or the 'Report Phishing' button in your mail client.
    **(4) Wait for instructions**: IR teams have playbooks for each scenario.

    The four moves NOT to make:

    **(1) Don't power off** the device. RAM holds forensic state (running processes, open network connections and, for some ransomware families, the encryption keys) that is gone the moment power is cut.
    **(2) Don't run a virus scan** before security says so. A scan can quarantine or delete the very files and processes responders need to examine, and it overwrites timestamps they rely on.
    **(3) Don't delete the suspicious email/message/file.** It's evidence; move it to a quarantine folder if you must.
    **(4) Don't tell external parties yet.** Incident communication is coordinated by leadership and legal under NIS2 and GDPR.

    Reporting clocks: under NIS2 (in force for most NL/EU enterprises in 2026), an early-warning notification to the NCSC must be made within 24 hours of becoming aware of a significant incident, an incident notification that updates the early warning within 72 hours, and a final report within one month. Under GDPR, breaches involving personal data must be reported to the Autoriteit Persoonsgegevens within 72 hours of becoming aware of them, and affected individuals must be informed if the breach is 'likely to result in a high risk' to them. Non-technical staff don't run the reporting clock themselves (security and legal do), but the clock starts when the organisation becomes aware, so a fast internal report is what gets it started on time and with an accurate timestamp.

    What to watch for

    • Unexpected pop-ups demanding payment or claiming to be antivirus / law enforcement / Microsoft
    • Files in your folders that you didn't create, or files suddenly inaccessible / encrypted
    • Browser opening unfamiliar tabs, redirects to unfamiliar sites
    • Unfamiliar mailbox rules, unfamiliar OAuth apps, sign-ins from unfamiliar countries
    • Devices behaving unusually — slow performance, fan running constantly, unfamiliar processes in Task Manager / Activity Monitor
    • Colleagues reporting they 'got an email from you' that you didn't send

    What to do

    1. Stop interacting with the suspicious thing immediately. Don't click further, don't type more, don't enter credentials, don't open more files.
    2. Take a phone photo of the screen and note the time. Photo + time is the simplest forensic capture any non-technical employee can do.
    3. Report through your fastest channel. Mail client's Report-Phishing button, security email distribution list, Slack #security, IT helpdesk phone. Faster channel beats fancier channel.
    4. DO NOT power off the device or run a virus scan until security says so. Both destroy forensic state. The damage you fear from 'leaving it running' is far less than the damage from losing evidence.
    5. Wait for instructions; don't escalate externally yet. Incident communication is coordinated. Premature external statements can break legal reporting strategy.
    6. Preserve the message / file / email; don't delete it. Move it to a 'Quarantine' folder if you must. Security needs the artefact.

    Defenses to deploy

    Technical controls

    • EDR / XDR on every endpoint with automated response capabilities
    • Email-quarantine and mailbox-rule alerting that surfaces suspicious activity to security automatically
    • Network segmentation so a single endpoint incident doesn't propagate
    • Backups verified weekly — the actual recovery path if encryption succeeds
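    The 'unfamiliar mailbox rules' warning sign above and the 'mailbox-rule alerting' control are the same detection seen from two sides. The script below is an added example for this lesson, not HackersHub code and not any mail vendor's API: the rule records are constructed to resemble what an admin exports from a mail platform, and the field names (forward_to, move_to_folder, subject_contains and so on) and the example.nl domain are this example's own assumptions. It scores each rule on the patterns that compromised accounts typically grow: forwarding to an external address, auto-deleting, hiding mail in folders nobody reads, filtering on finance or security keywords, and the tell-tale one-character rule name.

```python
"""Inbox-rule triage: flag mailbox rules that look like account-takeover persistence.

Added example for this lesson, not HackersHub code. The rule records below are
CONSTRUCTED to resemble what an admin exports from a mail platform; the field
names (forward_to, move_to_folder, ...) are this example's own assumption, not
any vendor's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: the organisation's own mail domains. Forwarding inside these is normal.
INTERNAL_DOMAINS = {"example.nl"}

# Folders attackers route mail into because nobody reads them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Subject keywords typical of payment-diversion and credential-theft cover-up rules.
WATCH_KEYWORDS = ("invoice", "payment", "bank", "wire", "password",
                  "mfa", "security", "hacked", "phish")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False
    subject_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage_rule(rule: InboxRule) -> List[Tuple[str, str]]:
    """Return (tag, detail) findings for one rule; an empty list means benign."""
    findings: List[Tuple[str, str]] = []
    for addr in rule.forward_to + rule.redirect_to:
        if is_external(addr):
            findings.append(("external_forward", f"sends mail to external address {addr}"))
    if rule.delete_message:
        findings.append(("auto_delete", "deletes matching mail"))
    if rule.move_to_folder and rule.move_to_folder.strip().lower() in HIDING_FOLDERS:
        findings.append(("hidden_folder", f"moves mail into rarely-read folder '{rule.move_to_folder}'"))
    if rule.mark_as_read and (rule.delete_message or rule.move_to_folder):
        findings.append(("mark_read", "marks mail as read before hiding it"))
    hits = sorted({k for k in WATCH_KEYWORDS
                   for s in rule.subject_contains if k in s.lower()})
    if hits:
        findings.append(("keyword", f"filters on sensitive subject keywords {hits}"))
    if len(rule.name.strip()) <= 2:  # '.', ',', '..': the classic lazy attacker rule name
        findings.append(("short_name", f"suspiciously short rule name {rule.name!r}"))
    return findings


def severity(findings: List[Tuple[str, str]]) -> str:
    """Collapse findings into none/low/medium/high for the alert queue."""
    tags = {tag for tag, _ in findings}
    # Mail leaving the organisation, or sensitive mail hidden from its owner: page someone.
    if "external_forward" in tags or ("keyword" in tags and tags & {"auto_delete", "hidden_folder"}):
        return "high"
    if "auto_delete" in tags or len(tags) >= 2:
        return "medium"
    if tags:
        return "low"
    return "none"


def triage_all(rules: List[InboxRule]) -> List[Dict[str, object]]:
    """Score every rule and return alerts, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    report = []
    for rule in rules:
        findings = triage_rule(rule)
        report.append({"mailbox": rule.mailbox, "rule": rule.name,
                       "severity": severity(findings),
                       "findings": [detail for _, detail in findings]})
    return sorted(report, key=lambda r: order[str(r["severity"])])


# Constructed sample: a benign filing rule, an internal delegation, and two rules
# shaped like what a compromised account typically grows.
SAMPLE_RULES = [
    InboxRule("j.devries@example.nl", "Newsletters",
              move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule("j.devries@example.nl", "Forward to assistant",
              forward_to=["assistant@example.nl"]),
    InboxRule("finance@example.nl", ".",
              forward_to=["acc.payable.backup@gmail.com"], delete_message=True,
              subject_contains=["invoice", "payment"]),
    InboxRule("m.jansen@example.nl", "Cleanup",
              move_to_folder="RSS Feeds", mark_as_read=True,
              subject_contains=["password reset", "security alert"]),
]

if __name__ == "__main__":
    for alert in triage_all(SAMPLE_RULES):
        print(f"[{alert['severity']:>6}] {alert['mailbox']} rule {alert['rule']!r}")
        for detail in alert["findings"]:
            print(f"         - {detail}")
```

    Run on the constructed sample, the two attacker-shaped rules come out 'high' and the two legitimate ones 'none'; the internal-forward rule is deliberately not flagged, because alerting on every delegation to a colleague is how a security team trains itself to ignore this feed. In production the same scoring would run over a scheduled export of all mailbox rules, with newly created rules diffed against the previous run so that an alert fires on creation rather than on the next audit.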

    Policy controls

    • Documented incident-response playbook with named owners and phone numbers — printed copy stored offline
    • Tabletop exercises twice a year, including a 'reporting is slow' scenario where the clock starts late
    • NIS2 + GDPR reporting workflow documented, with legal and DPO involved by default
    • No-blame reporting culture — never punish staff for over-reporting

    Training cadence

    Each tabletop (twice a year, per the policy controls above) should include a 'what did the receptionist do' scenario. The lesson that protects the most evidence is the one that's easy to remember when adrenaline is high.

    Quick check

    Five questions.

    Q1. You see a ransomware demand on a colleague's screen. They are not at their desk. What is your correct first action?

    Q2. Under NIS2, what is the early-warning notification window to the NCSC after an organisation becomes aware of a significant incident?

    Q3. You suspect you've been phished and you clicked a credential link. What should you do FIRST?

    Q4. True or false: it's safer to delete a suspicious email immediately after reporting it.

    Q5. Why do the 'first 30 minutes' matter so much in incident response?
