What is their security posture like? (Don't answer here...)
Have they done any security audits or reports internally - even if they haven't, do they have someone in the company who is familiar with the security posture the company has across the board? This could be a person who has it as his formal job, or someone handling network and system operations who is familiar with their setup and has a general interest in security.
That person needs (I think) to have a sit-down with appropriate staff and then with the CIO to discuss what can be done to immediately perform any key hardening and tightening up some defenses. They should also check their system to see that their appropriate configurations are intact and haven't been compromised. There may be limits to what can be done immediately, but this would be the time to tighten up the easiest ways for their networks or systems to be compromised, and eliminate some unnecessary risk. The biggest risk may be if any systems were already compromised.
This company could bring in a consulting firm (and maybe it should), but I'd start by leveraging in-house knowledge and see if they immediately couldn't identify / review where they stand, what current risks exist, and what can be fixed in 24 hours, 48/72 hours, one business week, and longer. For now, the company shouldn't skimp on the overtime pay for these efforts, or at least let the people involved know their efforts are important and will be appreciated, and their efforts will be rewarded in some manner.
Let us know how things work out... Good luck...
-- Sam