A cyber incident can hit like a storm—fast, disorienting, and potentially devastating. Whether it’s ransomware, a data breach, or a system compromise, the first 24 hours are critical. Decisions made in this window can mean the difference between swift recovery and prolonged disruption or, worse, reputational and legal fallout.
Small businesses, in particular, often lack formal incident response teams or round-the-clock IT support. Having a simple, clear, and executable action plan is essential. Here’s what to do—step by step—when the clock starts ticking.
Step 1: Isolate and Contain the Threat (Hours 0–2)
As soon as a cyber incident is suspected, focus on containment.
- Disconnect affected systems from your network. That includes servers, laptops, cloud accounts, or any potentially compromised endpoints.
- Avoid shutting down devices immediately—this could erase critical forensic evidence.
- Disable remote access if it’s not essential. This prevents attackers from further infiltrating your systems.
Step 2: Activate Your Incident Response Plan (Hours 2–4)
If your business has a response plan—even a basic one—it’s time to use it.
- Alert your internal response team (or designated leads). Assign clear roles: technical lead, communications lead, legal or compliance advisor.
- Secure administrative access to systems and review logs. Ensure your privileged accounts haven’t been compromised.
- If you have cyber insurance, notify your provider immediately. Some policies require notification within the first few hours of detection.
Don’t have a response plan? At a minimum, gather your leadership, your IT support (in-house or outsourced), and a decision-maker. Start documenting everything.
Step 3: Assess and Document What Happened (Hours 4–8)
You need to understand the what before addressing the how.
- What systems are affected?
- What data might be exposed or encrypted?
- Is customer or employee information at risk?
Sanguine Security recommends “taking forensic images of compromised systems, record logs (system, firewall, endpoint, email) and document every step of your response” to support later investigations and insurance claims.
At this stage, do not delete or alter anything. Preserve evidence. If you have access to digital forensics support, this is the time to engage them.
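As an added illustration of the “document every step” advice above (example code written for this article, not from Sanguine or any other cited source): a small Python response journal that records each action with a UTC timestamp, the collector’s name and the SHA-256 of any preserved artifact, and links entries by hash so that an after-the-fact edit is detectable. The entry fields, the file name and the sample firewall log line are constructed assumptions.

```python
import hashlib
import json
import os
from datetime import datetime, timezone
GENESIS = "0" * 64  # prev_hash of the first journal entry

def sha256_file(path, chunk=1 << 20):
    """Hash a preserved artifact (log export, disk image) in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(journal, step, action, collector, artifact=None):
    """Append one response action, linked to the previous entry by hash."""
    body = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "step": step,
        "action": action,
        "collector": collector,
        "artifact": os.path.basename(artifact) if artifact else None,
        "artifact_sha256": sha256_file(artifact) if artifact else None,
        "prev_hash": journal[-1]["entry_hash"] if journal else GENESIS,
    }
    journal.append({**body, "entry_hash": entry_hash(body)})

def verify_journal(journal):
    """Return (True, None) if every link holds, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(journal):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or entry_hash(body) != entry["entry_hash"]:
            return False, i
        prev = entry["entry_hash"]
    return True, None

def demo(workdir):
    """Constructed walk-through: preserve a log, journal two steps, then edit an entry."""
    log = os.path.join(workdir, "firewall.log")
    with open(log, "w") as f:  # constructed sample line, not real traffic
        f.write("2025-03-28T09:14:02Z DENY 203.0.113.7 -> 10.0.0.5:445\n")
    journal = []
    add_entry(journal, 1, "Disconnected file server FS-01 from LAN", "J. Doe")
    add_entry(journal, 3, "Exported firewall log", "J. Doe", artifact=log)
    intact = verify_journal(journal)
    journal[0]["action"] = "Rebooted FS-01"  # after-the-fact edit is detected
    return intact, verify_journal(journal)
```

Keep the journal and the artifacts it hashes on a system outside the affected network, and hand both over together with the forensic images.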
Step 4: Protect Communication and Prevent Panic (Hours 8–12)
Internal and external communication matters—a lot.
- Use secure channels to communicate with your response team. Avoid email if you suspect a phishing or account compromise.
- Draft internal updates to inform your staff of the situation, what to avoid (e.g., clicking suspicious links), and who to contact with questions.
- Do not rush external disclosures unless legally required. Premature or unclear statements can cause confusion and damage credibility.
Commvault reinforces the importance of “a clear communication plan. Keep employees, customers, and stakeholders informed with transparent and timely updates”.
Step 5: Evaluate Legal Obligations and Reporting (Hours 12–20)
If the incident involves sensitive customer data, legal obligations may kick in quickly.
- Check data breach notification laws for your region. Some jurisdictions mandate reporting within 24–72 hours.
- Consult legal counsel or compliance officers. If you don’t have one on staff, consult with a cybersecurity lawyer or legal advisor with breach response experience.
You may also need to notify:
- Affected customers or partners
- Regulators or governing bodies
- Law enforcement or national cyber response agencies
Keep in mind that what you say—and when—can have compliance and reputational implications.
Step 6: Restore Systems and Plan for Recovery (Hours 20–24)
Before jumping to full restoration, ensure the threat is neutralized.
Within the first 24 hours of a breach, it’s critical to identify and close the exploited flaw or misconfiguration; otherwise attackers may use it to regain access.
- Validate clean backups before restoring systems. Don’t reinfect yourself by rushing the process.
- Change credentials for admin and privileged accounts across all systems.
- Create a short-term recovery plan, prioritizing business-critical functions.
Don’t skip the debrief. Document everything: what happened, what actions were taken, and lessons learned. This will feed into a long-term improvement plan and strengthen your future response.
Best Advice: Be Ready Before It Happens
The best time to prepare for a cyber incident is long before one happens. But if you’re reading this in the middle of a crisis—stay calm, follow a structured plan, and focus on containment, clarity, and communication.
As Pen Test Partners emphasize: “The first 24 hours are your best shot at controlling the damage and setting up a strong recovery. React well, and you’ll survive. React poorly, and you could be out of business.”
The first 24 hours after a breach don’t have to define your business. A clear head and the right steps can go a long way in limiting the damage.
References:
Chern, K. (2025, March 28). Data breach crisis management: Steps to take within the first 24 hours. Sanguine Strategic Advisors. https://sanguinesa.com/data-breach-crisis-management-steps-to-take-within-the-first-24-hours/
Ibiok, E. (2025, April 23). The first 24 hours of a cyber incident: A practical playbook. Pen Test Partners. https://www.pentestpartners.com/security-blog/the-first-24-hours-after-a-cyber-incident-a-practical-playbook/
Unguyen. (2024, November 13). Ransomware attack! Your first 24 hours are critical. Commvault. https://www.commvault.com/blogs/ransomware-attack-your-first-24-hours-are-critical
Need more info?
Take the next step—contact us today for a free cybersecurity strategy session and ensure your business is fully protected!
Our Cyntry experts can identify strategies to safeguard your data and systems. At Cyntry, simplifying the compliance journey and strengthening your security posture is what we do best.
Book a no-cost 30-minute compliance and cybersecurity strategy session at Cyntry.com.