A data breach or cyberattack is one of the most stressful situations a business owner can face. The decisions made in the first 24–72 hours determine whether the incident is contained or becomes catastrophic. This guide gives you a clear, step-by-step response plan to execute under pressure.
Before the Guide: Build a Response Plan Before You Need It
Print this guide, store it somewhere accessible offline, and share it with your key team members. The goal is to eliminate decision-making paralysis when the pressure is highest.
Phase 1: Identify and Confirm (First 1–2 Hours)
Signs of a breach include unexpected account lockouts across multiple users, login activity from unfamiliar locations or at unusual hours, files encrypted and accompanied by a ransom note (ransomware), customers reporting suspicious emails sent from your domain, unexplained outbound data transfers, and antivirus/EDR alerts indicating a threat.

Confirm before acting broadly. Is this real or a false alarm? Which systems and data are confirmed affected? Is the attack still ongoing? Write down what you find, with times: you will need that record in the assessment and notification phases.

Isolate affected systems: disconnect compromised devices from the network (unplug the Ethernet cable, disable Wi-Fi) but do NOT power them off. Shutting down destroys volatile evidence in memory (running processes, active network connections, and other in-memory artifacts) that an investigator needs. The one exception is ransomware that is still actively encrypting on a device you cannot disconnect from the network; there, powering it down is preferable to letting the encryption spread.
Phase 2: Contain (First 2–12 Hours)
Reset credentials: change passwords on all business accounts, starting with email, banking, cloud hosting, and any systems the attacker may have reached. Do the resets from a device you know is clean, not from a machine under investigation, and do not forget the credentials a password reset does not touch: API keys, service account secrets, OAuth app grants, and app-specific passwords. Enable MFA on any accounts that lack it.

Revoke active sessions: force logout of all sessions in Google Workspace, Microsoft 365, and any SaaS tools the attacker may have accessed. A password change alone does not end sessions an attacker already holds; in Microsoft 365 this means revoking the user's refresh tokens, and in Google Workspace signing the user out of all web sessions. Also review and remove mail forwarding rules and unfamiliar third-party app grants, which attackers leave behind to keep access after a reset.

Preserve evidence: before restoring or wiping any system, capture system logs, network traffic logs, and file system snapshots, and record who collected what, when, and from where. This evidence is essential for understanding the breach scope and may be required for legal or insurance purposes. Engage your IT professional or cybersecurity consultant immediately.
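The evidence-preservation step above is easy to get wrong under pressure: copies get "tidied", and months later nobody can show that the log handed to the insurer is the log taken from the machine. The following is an added example, not code from the original page, showing the minimum a practitioner would record: copy each artifact, hash it with SHA-256, and write a manifest with who collected it, when, and on which host, then re-verify the copies later. The file names, the collector label and the file contents created in demo() are constructed for illustration.

```python
"""Evidence preservation for Phase 2: copy collected artifacts into an
evidence folder and record a SHA-256 manifest with who/when/where, so the
copies can later be shown to be unchanged. Illustrative example; the files
created in demo() are constructed, not real logs."""
import hashlib
import json
import shutil
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir and write manifest.json.

    copy2 preserves the source timestamps; the manifest records the original
    path, size, hash and source mtime so nothing has to be re-read from the
    (possibly still compromised) host later. Returns the manifest dict.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for index, src in enumerate(sources):
        src = Path(src)
        dest = evidence_dir / f"{index:03d}_{src.name}"  # avoid name collisions
        shutil.copy2(src, dest)
        entries.append({
            "original_path": str(src),
            "stored_as": dest.name,
            "size_bytes": dest.stat().st_size,
            "sha256": sha256_file(dest),
            "source_mtime_utc": datetime.fromtimestamp(
                src.stat().st_mtime, timezone.utc).isoformat(),
        })
    manifest = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,                # who took the copy
        "collected_on": socket.gethostname(),  # machine the copy was made from
        "files": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir):
    """Return the stored names of files that are missing or whose hash no
    longer matches the manifest; an empty list means the evidence is intact."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    altered = []
    for entry in manifest["files"]:
        stored = evidence_dir / entry["stored_as"]
        if not stored.exists() or sha256_file(stored) != entry["sha256"]:
            altered.append(entry["stored_as"])
    return altered


def demo():
    """Collect two constructed files, verify, then tamper with one copy and
    verify again. Returns (manifest, altered_before, altered_after)."""
    work = Path(tempfile.mkdtemp(prefix="ir-evidence-"))
    host = work / "host"
    host.mkdir()
    # Constructed sample content, not taken from a real system.
    (host / "auth.log").write_text(
        "Mar 10 22:40:22 sshd[812]: Failed password for bob from 203.0.113.7\n")
    (host / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication yes\n")

    evidence = work / "evidence"
    manifest = collect_evidence([host / "auth.log", host / "sshd_config"], evidence,
                                collector="on-call IT (constructed)")
    before = verify_evidence(evidence)
    # Someone "tidies" the evidence copy after collection; the manifest catches it.
    with (evidence / "000_auth.log").open("a") as fh:
        fh.write("Mar 10 22:45:00 note: cleaned up\n")
    after = verify_evidence(evidence)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("altered before tamper:", before)
    print("altered after tamper:", after)
```

Keep the manifest and the copies on media the investigation team controls, not on the affected host, and hash the manifest itself (or sign it) if it may be relied on in a dispute.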
Phase 3: Assess (First 12–48 Hours)
What was accessed? Which systems did the attacker touch, what data was on those systems, and was that data exfiltrated or only accessed? Exfiltration is what usually triggers notification obligations, so look for evidence of it specifically: large or unusual outbound transfers, mailbox exports, bulk downloads from cloud storage.

How did they get in? Phishing, compromised credentials, unpatched software, an exposed RDP port? You cannot close the door until you know which one it was.

How long were they in? Review logs to identify when the attacker first accessed your systems and determine the full window of compromise. Treat the earliest event you can find as a lower bound: if your log retention is 30 days, the intrusion may predate it. While you are in the logs, also look for persistence the attacker set up, such as new accounts, newly enrolled MFA devices, mail forwarding rules, or scheduled tasks.
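The Phase 1 warning signs (lockouts across several users, logins from unfamiliar places or at odd hours) and the Phase 3 question of how long the attacker was in are both answered from the same authentication log. The example below is added here and is not code from the original page: it flags the Phase 1 signs over a small, constructed login log, then pivots from the flagged events to every source address involved and reports the earliest and latest activity from those addresses as the compromise window. The log format, the business-hours range, the lockout threshold, the user names and the IP addresses (198.51.100.x for the office, 203.0.113.7 for the attacker) are all assumptions made for the illustration; a real log would come from your identity provider's sign-in export.

```python
"""Auth-log triage: flags the Phase 1 warning signs (lockout bursts, logins
from a country not previously seen for that user, logins outside business
hours) and then pivots from the flagged events to estimate the Phase 3
window of compromise. SAMPLE_LOG is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line: UTC time, user, outcome, source IP, GeoIP country.
# 198.51.100.x is the office; 203.0.113.7 appears only in the suspicious events.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z,alice,success,198.51.100.4,US
2024-03-01T09:15:40Z,bob,success,198.51.100.4,US
2024-03-04T08:58:03Z,alice,success,198.51.100.4,US
2024-03-05T14:20:09Z,carol,success,198.51.100.9,US
2024-03-09T03:11:52Z,alice,success,203.0.113.7,RO
2024-03-09T03:14:05Z,alice,success,203.0.113.7,RO
2024-03-10T22:40:17Z,bob,failure,203.0.113.7,RO
2024-03-10T22:40:19Z,bob,failure,203.0.113.7,RO
2024-03-10T22:40:22Z,bob,lockout,203.0.113.7,RO
2024-03-10T22:41:03Z,carol,lockout,203.0.113.7,RO
2024-03-10T22:41:30Z,dave,lockout,203.0.113.7,RO
2024-03-11T09:00:00Z,alice,success,198.51.100.4,US
"""

BUSINESS_HOURS = range(6, 20)           # 06:00-19:59 UTC; assumed for this tenant
LOCKOUT_USERS = 3                       # this many distinct users locked out ...
LOCKOUT_WINDOW = timedelta(minutes=10)  # ... within this window counts as a burst


def parse_log(text):
    """Parse the CSV-style lines into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, outcome, ip, country = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "outcome": outcome, "ip": ip, "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    """Return (timestamp, user, reasons) for every event that trips a rule.

    Countries are learned per user in time order, so the first login from a
    new place is flagged rather than silently absorbed into the baseline.
    """
    findings = []
    seen_countries = defaultdict(set)
    lockouts = []  # (timestamp, user) of lockout events seen so far
    for e in events:
        reasons = []
        if e["outcome"] == "success":
            known = seen_countries[e["user"]]
            if known and e["country"] not in known:
                reasons.append(f"first login from {e['country']} via {e['ip']}")
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append("successful login outside business hours")
            known.add(e["country"])
        elif e["outcome"] == "lockout":
            lockouts.append((e["ts"], e["user"]))
            recent = {u for t, u in lockouts if e["ts"] - t <= LOCKOUT_WINDOW}
            if len(recent) >= LOCKOUT_USERS:
                reasons.append(f"{len(recent)} users locked out within {LOCKOUT_WINDOW}")
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings


def compromise_window(events, findings):
    """Pivot from the flagged events to every source IP involved, then take
    the earliest and latest event from those IPs. The start is a lower bound:
    log retention decides how far back you can actually see."""
    flagged = {(ts, user) for ts, user, _ in findings}
    attacker_ips = {e["ip"] for e in events if (e["ts"], e["user"]) in flagged}
    related = [e for e in events if e["ip"] in attacker_ips]
    if not related:
        return None
    return {
        "first_seen": related[0]["ts"],
        "last_seen": related[-1]["ts"],
        "attacker_ips": sorted(attacker_ips),
        "accounts_touched": sorted({e["user"] for e in related}),
        "accounts_compromised": sorted({e["user"] for e in related
                                        if e["outcome"] == "success"}),
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    findings = triage(events)
    for ts, user, reasons in findings:
        print(ts.isoformat(), user, "; ".join(reasons))
    print(compromise_window(events, findings))
```

On the constructed sample the lockout burst on 10 March is what most teams would notice first, but the pivot shows the same address logging in successfully as alice two nights earlier, so the window opens on 9 March and alice's account, not the locked-out ones, is the compromised one. That is the difference between the day you noticed and the day they got in, and it is the date the Phase 5 backup selection has to use.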
Phase 4: Notify (Within 72 Hours)
Notification deadlines depend on what data was involved and where the affected people live. HIPAA: notify affected individuals without unreasonable delay and within 60 days of discovery, notify HHS, and notify prominent media when 500 or more residents of a state or jurisdiction are affected. US state breach laws: many set deadlines in the 30 to 60 day range, others require notice "without unreasonable delay", and the law of each affected resident's state applies, not only your own. GDPR: notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay if the breach is likely to result in a high risk to them. Also notify your cyber liability insurance carrier immediately (most policies require prompt notice, and late notice can jeopardize coverage), your payment processor if card data was involved, and business partners who may be affected. Engage a privacy attorney to advise on your specific obligations before sending any public communications.
Phase 5: Recover and Remediate
Restore from clean backups: use backups taken before the attacker's first access (the window established in Phase 3), not merely before the day you noticed, and scan them for malware before restoring. Rebuild compromised systems from scratch; cleaning an infected system is not sufficient, because you cannot prove you found everything the attacker left behind. Close the vulnerability that allowed entry (patch it, fix the exposed configuration, or remove the service) before reconnecting restored systems, and rotate credentials once more after the rebuild, since passwords set during containment may have been captured while the attacker still had access. Deploy enhanced logging and monitoring for at least 90 days post-incident to detect any reinfection or return.
Don’t wait for a breach to find out where your endpoint vulnerabilities are. An Endpoint Security Scorecard gives you a professional assessment of your device security posture — delivered in 48 hours for $17.
