The previous post in this series covered what attackers do in the first 60 minutes after they get your credentials. This one covers what you need to do in the 24 hours after you find out it happened.
The asymmetry is brutal. The attacker had a script — automated tools, practiced playbooks, and a clear sequence from initial access to exfiltration. You have confusion, fear, and a phone full of notifications you don't know how to prioritize. The businesses that survive breaches aren't the ones who respond perfectly. They're the ones who had enough of a plan that they could respond at all.
Only 26% of small businesses have a formal incident response plan. The other 74% are figuring it out in real time — under maximum stress, with maximum financial exposure, while the clock runs. This post is for that 74%.
26% of small businesses have a formal incident response plan; the other 74% improvise (VikingCloud / defend-id.com, April 2026).
$2.66M average savings from having a rehearsed incident response plan (IBM / Ponemon, 2025).
61% reduction in breach costs for organizations with rehearsed IR plans vs. those improvising (IBM Cost of a Data Breach 2025).
The businesses that recover from breaches are not the ones with the best security. They're the ones who had made decisions in advance — before the crisis — about who calls whom, what gets isolated first, and what gets communicated when. The $2.66M in savings from a rehearsed plan isn't magic. It's the cost of chaos avoided.
Hour by hour — your first 24 hours
Discovery — the moment everything changes
Start the clock
The moment you suspect a breach, one instinct is almost universally wrong: the urge to start cleaning up. Don't remediate yet. Don't delete files. Don't wipe systems. Don't change passwords on compromised accounts before the forensic process has begun. Evidence destroyed in the first minutes of panic has voided cyber insurance claims and triggered regulatory penalties.
Do immediately
Write down the exact time you discovered the issue. Screenshot everything visible. Note who discovered it and how. This timestamp is the start of your legal record. Regulators and insurers will ask for it. Do not touch anything else until you have documented what you found.
Containment — stop the bleeding, don't destroy evidence
Highest priority
Isolate affected systems from the network — disconnect them from the internet and from each other — without powering them off if possible. A powered-off system loses volatile memory evidence. A disconnected system stops the attacker from continuing lateral movement while preserving forensic evidence.
Specifically
Disable compromised accounts — don't delete them. Disable active sessions. If your email platform has a "sign out everywhere" option for the compromised account, use it. Change credentials on adjacent systems the compromised account could reach — but only after you've documented what those systems are.
Call your cyber insurance carrier — first, before legal
Non-negotiable
Your cyber insurance carrier has a 24/7 breach hotline. Most policies require prompt notification as a condition of coverage — delay can reduce or void your claim. More importantly, your carrier has pre-approved forensic firms and legal counsel covered under your policy. If you hire your own forensics team before calling your carrier, that cost may not be reimbursed.
Before this call happens
Know your policy number, your carrier's breach hotline number, and your deductible. These should be written down somewhere other than your computer — which may be compromised. If they aren't written down anywhere right now, do that today.
Engage legal counsel with breach experience
Within 2 hours
You need an attorney who understands breach response law — not your general business counsel. They will advise on notification obligations and help you avoid statements that create additional liability. Everything you communicate about the breach from this point forward should be reviewed by legal counsel.
Why this matters immediately
36 US states require breach reporting to the Attorney General. California requires notification within 30 days of discovery. PCI DSS requires notification to your merchant bank within 24 hours. HIPAA requires notification to HHS within 60 days. The clock on all of these starts at discovery — not at containment.
Preserve evidence — this is your legal protection
Do not skip
The FTC's Data Breach Response Guide explicitly states: do not destroy forensic evidence in the course of your investigation and remediation. Do not run antivirus scans that overwrite evidence. Do not re-image affected systems before the forensic team has imaged them first.
Preserve specifically
System logs for the past 30–90 days. Email server logs. Authentication logs. Network flow data. Any monitoring alerts that fired around the incident time. If you don't have these logs, document that you don't — absence of logs is itself evidence of your security posture at the time of the breach.
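As an added example (not from the original post), a small POSIX shell routine that does the preservation step described above in a forensically careful way: it only reads the originals, copies each named log into an evidence directory, makes the copies read-only, hashes them, and writes a UTC-timestamped manifest that also records every requested log that was missing. The paths, host and sample log line are constructed; it assumes GNU coreutils (sha256sum, cp -p, date -u).

```shell
#!/bin/sh
# Added example, not from the original post. Snapshots logs for a forensic
# hand-off: originals are only read, each copy is hashed and made read-only,
# and a manifest records the UTC collection time, who collected, and which
# requested logs were missing (absence of a log is itself evidence).
# Assumes POSIX sh with GNU coreutils (sha256sum, cp -p, date -u).

preserve_evidence() {
    # $1 = evidence directory to create; remaining args = log files to copy
    dest="$1"; shift
    mkdir -p "$dest"
    manifest="$dest/MANIFEST.txt"
    # "Start the clock": the first manifest line is the collection timestamp.
    printf 'collection_started_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$manifest"
    printf 'collector=%s host=%s\n' "$(id -un)" "$(uname -n)" >> "$manifest"
    for src in "$@"; do
        if [ ! -r "$src" ]; then
            # Record the gap instead of silently skipping it.
            printf 'MISSING %s\n' "$src" >> "$manifest"
            continue
        fi
        # Flatten the path into a file name so copies from different directories cannot collide.
        copy="$dest/$(printf '%s' "$src" | tr '/' '_')"
        cp -p "$src" "$copy"          # -p preserves the original mtime for the timeline
        chmod a-w "$copy"             # the copy is never edited after hashing
        printf 'SHA256 %s %s\n' "$(sha256sum "$copy" | cut -d' ' -f1)" "$src" >> "$manifest"
    done
    chmod a-w "$manifest"
    printf '%s\n' "$manifest"       # return the manifest path to the caller
}

# Demonstration on constructed sample data (a fake auth log and one missing mail log).
demo=$(mktemp -d)
printf '2026-04-02T09:14:07Z sshd: Accepted password for admin from 203.0.113.7\n' > "$demo/auth.log"
manifest_path=$(preserve_evidence "$demo/evidence" "$demo/auth.log" "$demo/mail.log")
cat "$manifest_path"
```

Hand the evidence directory and manifest to the forensic firm together; the hashes let them show the copies are unchanged since collection.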
Scope the breach — what data, how much, whose
Determines everything downstream
Your legal and notification obligations depend entirely on what data was exposed. Four questions to answer with your forensic team and legal counsel: What systems were accessed? What data was on those systems? Whose data was it? Was the data encrypted?
Common scoping mistake
Assuming you know what was on a compromised system. Most SMBs discover during breach scoping that sensitive data was in unexpected places — shared drives, email attachments, CRM exports — accumulated over years without a formal data inventory.
Internal communication — carefully, deliberately
Controlled messaging only
Your employees need to know what happened — but what you tell them matters. Everything communicated internally is potentially discoverable in litigation. Stick to confirmed facts. Avoid speculation about cause or scope. Instruct employees not to discuss the breach externally until the communication strategy has been reviewed by legal counsel.
Who to brief internally
Leadership first. Then IT, operations, customer-facing staff, finance, and HR if employee data is involved. Brief everyone on the same message at the same time to prevent rumour divergence.
External notification — only what's required, only when confirmed
Legal-reviewed only
Notify affected individuals, regulators, and partners only after your legal counsel has confirmed the notification obligation, drafted the notification language, and cleared the timing. Premature notification before scope is confirmed creates liability if you later discover the breach was larger.
Do not notify yet if
You haven't confirmed what data was exposed. You haven't engaged legal counsel to review the notification. You haven't coordinated with your cyber insurance carrier. Rushing to notify customers before scope is confirmed isn't transparency — it's panic that creates additional legal exposure.
The four mistakes that cost businesses the most
✗ Deleting or wiping before forensics
The instinct to "clean up" destroys evidence needed for your insurance claim, regulatory defense, and understanding of what happened. Wiping a system before it's been imaged can void cyber insurance coverage entirely.
✗ Delaying the insurance call
Most policies require prompt notification. Every hour you delay accumulates costs outside your carrier's approved process — costs that may not be reimbursed. The carrier call should happen within the first hour.
✗ Communicating publicly before legal review
A well-intentioned social media post or customer email sent before legal counsel reviews it can create liability, contradict later findings, and complicate regulatory investigations. Nothing goes out without legal review.
✗ Assuming IT can handle it alone
Breach response is a legal, financial, communications, and operational event — not just a technical one. IT can contain the technical damage. They cannot simultaneously manage regulatory timelines, insurance claims, customer communications, and legal exposure.
The most expensive breach response mistakes don't happen during the attack. They happen in the first four hours after discovery — evidence destroyed in panic, communications sent without legal review, insurance calls delayed, and forensic firms hired outside the carrier's approved list. The $2.66M that separates rehearsed organizations from improvising ones is almost entirely in these first hours.
The one thing to do before you ever need this post
Write a one-page incident response document and put it somewhere that isn't your computer. It needs five things: your cyber insurance carrier's breach hotline number and policy number; the name and number of a breach-experienced attorney you've already identified; the name of a forensic incident response firm your carrier pre-approves; a list of the five most senior people to call and in what order; and a single sentence on what employees are told while the situation is assessed.
That document costs nothing to write. Rehearsing it — even once, as a 30-minute tabletop conversation — saves an average of $2.66M if you ever need it. The businesses that recover from breaches aren't lucky. They're the ones who made decisions in a calm room so they didn't have to make them in a burning one.
Platforms like Veriti Spottr help close the gap before you ever need this playbook — continuous visibility into your credential exposure, attack surface, and security posture gives you early warning when something is wrong, before the 72-minute attacker clock runs out and the 24-hour response clock begins. The best breach response is the one you never have to run.