Loading...
safety

Cyber incident — Stop work

Cyber-incident stop-work dispatch with do-not-click guidance and acknowledgment tracking.

See it in MangoApps
Live preview →

Trusted by frontline teams 15 years of frontline software

Overview

This cyber incident — Stop work template is a short alert for telling employees to pause activity when a security event is underway. It is designed to stop people from opening suspicious files, logging into affected systems, or continuing work that could spread the incident. The template is useful when you need a fast, plain-language instruction that creates immediate containment and points people to the right reporting channel.

Use it when there are signs of compromise such as malware, phishing, account takeover, unusual system behavior, or a confirmed incident that requires people to avoid certain devices, accounts, or applications. It is also useful when the response team needs to freeze activity while they verify scope. Do not use it as a general outage notice or a routine maintenance message; this template is specifically for security events where interaction with a system could worsen the situation.

The alert should clearly state what to stop using, who is affected, what to do instead, and where to report suspected exposure. It should also avoid technical jargon that non-specialists may misread. The goal is not to explain the incident in detail, but to prevent further damage and keep employees aligned until the response team gives clearance.

Standards & compliance context

  • This template supports incident containment practices commonly expected in security and privacy programs by limiting further access during an active event.
  • If the incident may involve regulated data, the alert should route employees to the approved incident reporting process rather than asking them to investigate on their own.
  • For healthcare, financial, education, or other regulated environments, align the wording with internal breach response procedures and access-control policies.
  • Do not include unnecessary personal or customer data in the alert, since broad distribution can create avoidable privacy exposure.

General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.

How to use this template

  1. 1. Fill in the incident name, affected system or team, and the exact stop-work instruction so the alert is immediately actionable.
  2. 2. Assign the message owner, reporting contact, and approval path so employees know the alert is legitimate and where to escalate.
  3. 3. State the required behavior in plain language, such as stopping use of a device, avoiding a link, or not signing in again until cleared.
  4. 4. Send the alert through the channels employees will actually see, such as email, chat, SMS, or an internal status page, depending on urgency.
  5. 5. Review responses, collect reports of suspicious activity, and issue a follow-up only after the incident team confirms the next step.

Best practices

  • Name the affected system, account group, or device class instead of saying only that there is a security issue.
  • Use direct verbs like stop, avoid, report, and wait for clearance so the instruction cannot be misunderstood.
  • Include one clear reporting path and one backup path so employees do not guess where to send incident details.
  • Tell people what not to do as well as what to do, especially around reopening files, reconnecting devices, or retrying logins.
  • Keep the message short enough to read on a phone, because stop-work alerts are often received away from a desk.
  • Separate employee instructions from internal investigation notes so sensitive details do not leak into broad distribution.
  • Send a follow-up only when there is a real change in status, not on a fixed schedule that creates alert fatigue.

What this template typically catches

Issues teams running this template most often surface in practice:

Employees keep using the affected system because the alert does not say exactly what to stop.
People reply to the wrong channel because the message does not identify the incident owner or reporting path.
The alert is too technical, so non-IT staff do not understand whether they should stop work immediately.
The message is too broad, causing unaffected teams to shut down work that could safely continue.
Staff reopen suspicious attachments or links after the first warning because the alert did not explicitly say not to retry.
The response team loses time because the alert was sent without a clear approval or escalation workflow.
Sensitive incident details are shared too widely, creating unnecessary exposure beyond the response team.

Common use cases

Ransomware containment for operations staff
Use this alert when a ransomware event is suspected or confirmed and employees need to stop using specific devices, shared drives, or applications. The message should focus on immediate containment and direct people to the approved reporting channel.
Phishing follow-up for a compromised mailbox
Use this template when a mailbox or account may have been accessed through a phishing attack and staff should avoid interacting with related messages or login prompts. It helps prevent repeated credential exposure while the security team resets access.
Endpoint isolation for field teams
Use this alert when laptops, tablets, or shared endpoints used by field staff may be infected or compromised. The template helps tell users to stop work on the device and wait for device-specific instructions.
Unauthorized access to a business application
Use this when an internal app, admin console, or customer-facing system shows signs of unauthorized access and employees need to stop using it until cleared. It is especially useful when multiple departments rely on the same tool.

Related templates

Alerts

Active threat — Lockdown

Lockdown dispatch for an active threat — secure-in-place instructions, mandatory acknowledgment, ...
Alerts

Building evacuation

Building evacuation order with muster-point instructions, acknowledgment, and "I'm safe" roll-call.
Alerts

Imminent Health Hazard – Voluntary Closure Decision Tree

Use this alert template to notify staff, managers, and health authorities when a sewage backup, f...
Alerts

IT outage — Critical system down

IT outage notice with affected system, restoration estimate, and workaround steps.
Alerts

Medical emergency on-site

Medical emergency dispatch directing responders and clearing the area.
Forms

Customer Feedback Survey

Capture post-interaction customer feedback on overall satisfaction, specific touchpoints, and ope...
Inspections

Cooling Log (135 to 70 in 2hr, 70 to 41 in 4hr)

Cooling log for verifying PHF cool-down from 135°F to 70°F in 2 hours, then to 41°F in 4 more hou...
Sop

Cash Drawer Open & Count

Cash Drawer Open & Count is the SOP for verifying a drawer, counting the starting bank, recording...

Ready to use this template?

Get started with MangoApps and use Cyber incident — Stop work with your team — pricing built for small business.

Get Started
Ask AI Product Advisor

Hi! I'm the MangoApps Product Advisor. I can help you with:

  • Understanding our 40+ workplace apps
  • Finding the right solution for your needs
  • Answering questions about pricing and features
  • Pointing you to free tools you can try right now

What would you like to know?

AI-generated responses may not be 100% accurate