Cyber-security requires not only technical preparations but also organizational practices that reduce the likelihood and severity of damage to the organization. Although user compliance to security policies has been examined in prior literature, user behaviour is only one facet of an organization’s cyber-security; the actions of the IT staff, crisis team, and the management are just as critical. Consequently, organizational practices in cyber-security are not understood very well. To address this gap, this research applied the concept of mindfulness, which has recently received attention also in the IT field. We collected data from a revelatory case – that of a government agency that was targeted by a large-scale cyber-attack – and applied the concept of mindfulness in analyzing the data. Our analysis uncovered a number of mindful practices related to cyber-security. These practices can serve as a building block to theorize on the activities to be taken by IT workers in promoting cyber-security. Our paper also suggests avenues for further research in the emerging topic, for instance, through the concept of cyber-security capability.