The Day After a Cyber Attack: What’s Your Plan?

The Day After a Cyber Attack: What’s Your Plan?


Below is an example of an organization that was doing many cyber protection security measures, and still had an event. It has become a common saying that it is not if, but when will you have a cyber event. Are you ready to recover?


As reported by Steve Alder on March 19, 2024 in “The HIPAA Journal”.

Sycamore Rehabilitation Services, Inc. in Danville, IL, has reported a breach of its email system and the exposure of the personal data of 3,414 individuals. The breach was detected on September 21, 2023, with the forensic investigation confirming there had been unauthorized access to its network between July 29, 2023, and August 9, 2023. During that time, there may have been unauthorized access to names, dates of birth, Social Security numbers, driver’s license/state identification numbers, account numbers, routing numbers, medical information, and health insurance information. It was not possible to determine exactly what types of information were acquired in the attack.

Sycamore Rehabilitation Services said it had implemented security measures prior to the breach. Multi-factor authentication was enabled on all email accounts, a VPN was required for access to internal resources from outside the organization, critical patches were applied each month, email security solutions were in place, all endpoints were protected with Sentinel One anti-virus, Azure PowerShell access was off by default, and POP/IMAP was disabled by default. Those measures have now been augmented with Proofpoint email scanning and security, Breach Secure Now phishing testing, and DUO MFA on VPN accounts.

The affected individuals were notified by mail on March 1, 2024, and have been offered complimentary credit monitoring and identity theft protection services. Sycamore Rehabilitation Services said the delay in issuing notifications was due to the time taken to investigate the breach and identify the affected individuals.


Here is what the article indicated was implemented before the breach.

  1. Multi-factor authentication on all email accounts.
  2. VPN to access internal resources from outside the organization.
  3. Critical patches applied each month.
  4. Email security solutions in place.
  5. Endpoints protected by anti-virus.
  6. Azure PowerShell access off by default.
  7. POP/IMAP disabled by default.

Here is what the article indicated was implemented after the breach.

  1. Proofpoint email scanning and security.
  2. Breach Secure Now phishing testing.
  3. DUO multifactor authentication on VPN accounts.



  1. Do you have these security measures in place?
  2. Will it stop future attacks successfully?
  3. Do you have your cyber resiliency plan in place to efficiently respond and recover quickly?