
Incident response for SMEs

12 min read | Updated February 2026

What to do in the first 24 hours after a security incident.

When a security incident hits your business, the first 24 hours determine almost everything. How you respond in those critical hours decides whether the damage is contained to a single account or spreads across your entire organisation. It determines whether you preserve the evidence needed for investigation or inadvertently destroy it. It shapes whether your recovery takes days or months.

This guide is not a theoretical framework. It is a practical, step-by-step response plan designed specifically for small and medium businesses that may not have a dedicated security team or an incident response playbook gathering dust on a shelf somewhere. It is structured around four time phases, from the first frantic hour through to the point where you begin bringing systems back online. Every step is actionable. Every recommendation is something your team can execute under pressure.

If you are reading this during an active incident, skip straight to the First Hour section below. If you are reading this to prepare, work through the entire guide and make sure the people who would need it in a crisis know where to find it.

Hours 0 to 1

Immediate response

The first hour is about stopping the bleeding without making things worse. Every minute counts, but the wrong action taken in haste can cause more damage than the incident itself. These four steps establish control, preserve your options, and create the foundation for everything that follows.

Do not panic, and do not power off

The instinct to shut everything down is strong, but powering off systems destroys forensic evidence. Volatile memory contains traces of what the attacker did, which processes were running, and what connections were active. Once you cut power, that data is gone permanently. Unless you are watching ransomware actively encrypting files in real time, the correct response is to disconnect the affected machine from the network. Pull the Ethernet cable. Disable WiFi. But leave the system running. This isolates the threat without destroying the evidence your investigation will depend on.

Identify what you actually know

Before you can respond effectively, you need to separate confirmed facts from assumptions. What triggered the alert or discovery? Which systems or accounts appear to be affected? When did the activity start, or when was it first noticed? Is the incident still active or has it already been contained by existing controls? Write down only what you know for certain. Speculation at this stage leads to wasted effort. A clear picture of confirmed facts, even if incomplete, is far more useful than a panicked list of everything that might have happened.

Assemble your response team

You need the right people involved immediately, and the right people are not just technical staff. Your IT lead or managed IT provider brings the technical capability to investigate and contain. A senior decision maker, typically the CEO or managing director, needs to be present because incident response inevitably involves decisions about business continuity, spending, and risk tolerance that only leadership can authorise. If the breach involves personal data, legal counsel should be engaged from the outset. And if there is any chance the incident will become public, your communications lead needs to start preparing messaging now rather than scrambling later.

Start an incident log immediately

From this moment forward, every action taken, every decision made, and every observation recorded needs to go into a single, timestamped log. Note the time, the person responsible, the action taken, and the result. This log will prove invaluable in three ways. First, it provides the investigation team with a clear timeline to work from. Second, it serves as evidence for law enforcement if the incident is reported. Third, it satisfies the documentation requirements that regulators and insurance providers will demand. Use whatever tool is available. A shared document, a dedicated channel, even a paper notebook. The format matters less than the discipline of recording everything as it happens.
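The following is an added illustration, not code from the original guide: a small Python incident log that enforces the four fields above (time, person, action, result) and hash-chains each entry to the previous one, so that a later edit, deletion or reordering is detectable when the log is handed to investigators or an insurer. The incident identifier, names and times are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


class IncidentLog:
    """Append-only incident log with one entry per action taken.

    Each entry carries the four fields the guide asks for (time, person,
    action, result) plus a SHA-256 hash chained over the previous entry, so
    a later edit, removal or reordering is detectable.
    """

    def __init__(self, incident_id, detected_at):
        self.incident_id = incident_id
        self.detected_at = detected_at  # when you became aware; starts the reporting clocks
        self.entries = []

    def add(self, person, action, result, when=None):
        entry = {
            "seq": len(self.entries) + 1,
            "time": (when or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
            "person": person,
            "action": action,
            "result": result,
            "prev": self.entries[-1]["hash"] if self.entries else "",
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True only if no entry was altered, removed or reordered."""
        prev = ""
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def ico_deadline(self):
        """72 hours from awareness: the UK GDPR window for reporting to the ICO."""
        return self.detected_at + timedelta(hours=72)

    def timeline(self):
        return [f"{e['time']}  {e['person']}: {e['action']} -> {e['result']}" for e in self.entries]


def demo_log():
    """Constructed entries for a fictitious incident (example data only)."""
    log = IncidentLog("INC-2026-001", datetime(2026, 2, 10, 9, 0, tzinfo=timezone.utc))
    log.add("IT lead", "Unplugged LAPTOP-07 from the LAN and disabled Wi-Fi",
            "Isolated; left powered on to preserve memory",
            when=datetime(2026, 2, 10, 9, 5, tzinfo=timezone.utc))
    log.add("IT lead", "Disabled user account j.smith", "Disabled, not deleted",
            when=datetime(2026, 2, 10, 9, 12, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    log = demo_log()
    print("\n".join(log.timeline()), "\nchain intact:", log.verify())
```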

“The organisations that recover fastest from security incidents are not the ones with the most advanced technology. They are the ones that had a plan, knew who to call, and kept a clear head in the first hour.”

Hours 1 to 4

Containment

With the initial shock managed and your response team assembled, the next three hours are about stopping the incident from spreading any further. Containment is methodical, systematic work. You are drawing a line around the compromised systems and ensuring the attacker cannot expand their foothold.

Isolate affected systems from the network

Containment is about stopping the incident from spreading to systems that have not yet been compromised. Disconnect affected machines from the network, both wired and wireless. If you suspect lateral movement, where the attacker has moved from one system to another, consider isolating entire network segments rather than individual devices. Block compromised user accounts by disabling them, not deleting them. Deletion removes audit trails you will need later. Review and temporarily restrict any remote access methods, including VPN connections, remote desktop, and third-party remote support tools. The goal is to shrink the attacker’s ability to move or communicate while you assess the full scope.

Preserve all available evidence

Evidence degrades quickly in a digital environment. Logs rotate and overwrite themselves. Temporary files are cleaned up. Memory is reallocated. The window to capture critical forensic data is narrow, and once it closes, the evidence is gone. Take screenshots of any suspicious activity visible on screen. Export relevant logs from your security tools, email platform, and identity provider before they rotate. If phishing emails were involved, preserve them in their entirety. Do not delete, forward, or modify them. If you have the capability, create forensic images of affected systems before any remediation begins. This evidence will be essential for understanding what happened, for law enforcement, and for any insurance claim you may need to file.

Reset compromised credentials across the board

If accounts were compromised, you must assume the attacker has the passwords and potentially has set up alternative methods of access. Reset passwords for every affected account. Force the revocation of all active sessions so that any stolen authentication tokens become useless and require re-authentication. Review and revoke any suspicious application consents or OAuth permissions that may have been granted, as attackers frequently use these to maintain persistent access even after a password change. Check every mailbox involved for forwarding rules that should not be there. A common tactic is to set up silent forwarding to an external address so the attacker continues to receive copies of all incoming email even after you think the breach is contained.

Check for persistence mechanisms

Sophisticated attackers rarely rely on a single point of access. They create backdoors and persistence mechanisms so that even if you discover and close one entry point, they can get back in through another. Look for newly created administrator accounts or unexplained privilege escalations on existing accounts. Check whether any new multi-factor authentication devices have been enrolled, as adding a new MFA device to a compromised account is a common persistence technique. Review scheduled tasks, startup programmes, and services on affected machines for anything unfamiliar. Scan for remote access tools that should not be present, such as TeamViewer, AnyDesk, or similar utilities that the attacker may have installed to maintain a separate channel into your environment.
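As an added example covering both the credential-reset checks and the persistence checks above (this is not code from the original guide), the Python below runs over a small set of constructed identity-provider audit events and flags the patterns described: inbox rules or mailbox forwarding to an external domain, a new MFA method on a compromised account, an application consent that grants mailbox access, a new privileged-role member, and a newly created account. The event field names, tenant domain and accounts are assumptions for the example; map them to whatever your own audit export uses.

```python
from datetime import datetime

# Constructed tenant details for the example (not a real organisation).
INTERNAL_DOMAINS = {"example.com"}
COMPROMISED = {"j.smith@example.com"}
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "Privileged Role Administrator"}
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}


def is_external(address, internal_domains):
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def find_persistence(events, internal_domains, compromised, compromise_start):
    """Return (severity, event, reason) for each event since the attacker's
    estimated first access that looks like a way of keeping access."""
    findings = []
    for e in events:
        if datetime.fromisoformat(e["time"]) < compromise_start:
            continue  # baseline activity; widen the window if dwell time is uncertain
        t = e["type"]
        if t in ("InboxRuleCreated", "MailboxForwardingSet"):
            ext = [a for a in e.get("forward_to", []) if is_external(a, internal_domains)]
            if ext:
                findings.append(("HIGH", e, "mail forwarded outside the organisation to " + ", ".join(ext)))
        elif t == "MfaMethodAdded" and e["target"] in compromised:
            findings.append(("HIGH", e, "new MFA method enrolled on a compromised account"))
        elif t == "AppConsentGranted" and MAIL_SCOPES & set(e.get("scopes", [])):
            findings.append(("HIGH", e, "application consent granting mailbox access"))
        elif t == "RoleMemberAdded" and e.get("role") in PRIVILEGED_ROLES:
            findings.append(("HIGH", e, "account added to privileged role " + e["role"]))
        elif t == "UserCreated":
            findings.append(("MEDIUM", e, "account created during the incident window"))
    return findings


# Constructed audit events in the shape an identity-provider export might take.
SAMPLE_EVENTS = [
    {"time": "2026-02-10T08:05:00+00:00", "type": "InboxRuleCreated", "actor": "a.jones@example.com",
     "target": "a.jones@example.com", "forward_to": ["helpdesk@example.com"]},  # internal: benign
    {"time": "2026-02-10T08:30:00+00:00", "type": "InboxRuleCreated", "actor": "j.smith@example.com",
     "target": "j.smith@example.com", "forward_to": ["archive.inbox@example.net"]},
    {"time": "2026-02-10T08:41:00+00:00", "type": "MfaMethodAdded", "actor": "j.smith@example.com",
     "target": "j.smith@example.com", "method": "Authenticator app"},
    {"time": "2026-02-10T08:55:00+00:00", "type": "AppConsentGranted", "actor": "j.smith@example.com",
     "target": "Mail Sync Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"time": "2026-02-10T09:10:00+00:00", "type": "UserCreated", "actor": "j.smith@example.com",
     "target": "svc-backup@example.com"},
    {"time": "2026-02-10T09:12:00+00:00", "type": "RoleMemberAdded", "actor": "j.smith@example.com",
     "target": "svc-backup@example.com", "role": "Exchange Administrator"},
]


def sample_findings(compromise_start_iso):
    return find_persistence(SAMPLE_EVENTS, INTERNAL_DOMAINS, COMPROMISED,
                            datetime.fromisoformat(compromise_start_iso))


if __name__ == "__main__":
    for severity, event, reason in sample_findings("2026-02-10T08:00:00+00:00"):
        print(f"[{severity}] {event['time']} {event['type']} on {event['target']}: {reason}")
```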

Hours 4 to 12

Assessment

Containment is holding. Now you need to understand the full picture. The assessment phase is about determining exactly what happened, how far the compromise extends, and what obligations you need to meet. The decisions you make here will be informed by evidence, not panic.

Determine the full scope and impact

Now that immediate containment is in place, you need a thorough understanding of what actually happened and how far the compromise extends. Work through every system the attacker could have accessed, not just the ones you know they touched. Identify what data could have been exposed, including customer records, financial information, intellectual property, and employee personal data. Establish how long the attacker had access to your environment, because the dwell time directly affects the scope of potential damage. Determine whether data was merely accessed or whether there is evidence of exfiltration, where data was copied and sent outside your organisation. The answers to these questions will drive every decision that follows, from regulatory reporting to customer notification to remediation planning.

Assess your regulatory obligations

Depending on the nature of the compromised data, you may have legal reporting requirements with strict deadlines. Under UK GDPR, if a personal data breach poses a risk to individuals, you must report it to the Information Commissioner’s Office within 72 hours of becoming aware. If you are regulated by the Financial Conduct Authority, material cyber incidents must be reported promptly under SUP 15.3. Other industry-specific regulators may have their own requirements. The clock on these obligations is already running, so this assessment cannot wait. If you are unsure whether your incident triggers a reporting obligation, err on the side of reporting. Regulators are far more understanding of organisations that report proactively than those that fail to report and are discovered later.

Notify relevant parties and stakeholders

Consider the full range of parties who need to know about the incident and engage them in the right order. Contact your cyber insurance provider early, as most policies have specific notification requirements and timeframes that, if missed, can jeopardise your coverage. Report to law enforcement through Action Fraud for UK businesses, particularly if the incident involves financial loss or could affect other organisations. If customer or partner data was involved, begin preparing notification communications. These do not need to go out immediately, but the drafting should start now. Brief your board or senior leadership with a factual summary of what is known, what has been done, and what decisions are still pending. Transparency within your organisation builds trust. Silence breeds anxiety and speculation.

72 hours: the deadline for reporting personal data breaches to the ICO under UK GDPR

56% of UK businesses experienced a cyber attack or breach in the last 12 months

£4.5m: the average cost of a data breach globally in 2024, according to IBM

Hours 12 to 24

Recovery

With the incident contained and the scope understood, the final phase of the first 24 hours is about beginning the return to normal operations. Recovery is not a single event. It is a controlled, methodical process that prioritises safety over speed.

Develop a structured recovery plan

Returning to normal operations after a security incident is not something you should rush. Plan methodically. Prioritise systems by business criticality so that the most important functions come back first. Determine whether affected systems need to be completely rebuilt from scratch or whether they can be cleaned and returned to service. In many cases, rebuilding is the only way to be confident that no traces of the compromise remain. Plan verification steps that must be completed before any system is reconnected to the production network. Set realistic timeline expectations with stakeholders and resist pressure to bring things back online before you are confident they are clean. A premature recovery that leads to re-infection is far more damaging than a measured one that takes an extra day.

Implement fixes for the root cause

Recovery is not just about restoring what was lost. It is about closing the door the attacker used to get in so they cannot walk through it again. Patch the specific vulnerabilities that were exploited, whether that is a software flaw, a misconfiguration, or a gap in your access controls. Enable or strengthen multi-factor authentication across every system that supports it. Review and tighten your email filtering rules based on what you learned from the incident. Implement additional monitoring and alerting so that similar activity would be detected much earlier if it were attempted again. Each fix should directly address something the incident exposed. This is not the time for a general security overhaul. Focus on the specific weaknesses that were actually exploited.

Begin controlled, monitored recovery

Bring systems back online carefully and methodically, not all at once. Start with isolated testing before reconnecting any restored system to the production network. Monitor recovered systems closely for the first 48 to 72 hours, watching for any signs of re-infection or residual compromise. Restore from known-good backups where needed, but verify the integrity of those backups before relying on them. Attackers sometimes compromise backup systems as well, so restoring from a backup that was taken after the initial compromise began could reintroduce the problem. Verify data integrity after every restoration. Confirm that files, databases, and configurations are complete and uncorrupted before declaring a system recovered.
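The backup check above, as an added Python example that is not part of the original guide: given a set of backups, the attacker's estimated first-access time and a hash catalogue held separately from the backup server, it selects the newest backup that predates the compromise and still matches its recorded hash, and explains why each other backup was passed over. The backup names, timestamps and contents are constructed stand-ins.

```python
import hashlib
from datetime import datetime


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def choose_known_good_backup(backups, catalogue, compromise_start):
    """Pick the newest backup that was taken before the attacker's estimated first
    access AND whose content still matches the hash held in the offline catalogue.
    Returns (backup or None, {name: reason rejected})."""
    rejected, eligible = {}, []
    for b in backups:
        taken = datetime.fromisoformat(b["taken"])
        if taken >= compromise_start:
            rejected[b["name"]] = "taken after the compromise began; may carry the attacker's changes"
        elif b["name"] not in catalogue:
            rejected[b["name"]] = "absent from the offline catalogue; provenance unknown"
        elif sha256_hex(b["content"]) != catalogue[b["name"]]:
            rejected[b["name"]] = "content hash differs from the catalogue; corrupt or tampered"
        else:
            eligible.append((taken, b))
    if not eligible:
        return None, rejected
    return max(eligible, key=lambda pair: pair[0])[1], rejected


# Constructed backup set: the byte strings stand in for real archives.
SNAP_07 = b"fileserver 2026-02-07: payroll.xlsx, contracts/"
SNAP_08 = b"fileserver 2026-02-08: payroll.xlsx, contracts/"
SNAP_09 = b"fileserver 2026-02-09: payroll.xlsx, contracts/"
SNAP_11 = b"fileserver 2026-02-11: payroll.xlsx, contracts/, tools/"
# The catalogue is kept offline, separate from the backup server, so an intruder
# on that server cannot rewrite both an archive and its recorded hash together.
CATALOGUE = {"fs-2026-02-07": sha256_hex(SNAP_07),
             "fs-2026-02-08": sha256_hex(SNAP_08),
             "fs-2026-02-11": sha256_hex(SNAP_11)}
BACKUPS = [
    {"name": "fs-2026-02-07", "taken": "2026-02-07T02:00:00+00:00", "content": SNAP_07},
    {"name": "fs-2026-02-08", "taken": "2026-02-08T02:00:00+00:00", "content": SNAP_08 + b" [altered]"},
    {"name": "fs-2026-02-09", "taken": "2026-02-09T02:00:00+00:00", "content": SNAP_09},
    {"name": "fs-2026-02-11", "taken": "2026-02-11T02:00:00+00:00", "content": SNAP_11},
]


def pick_for_restore(compromise_start_iso):
    return choose_known_good_backup(BACKUPS, CATALOGUE, datetime.fromisoformat(compromise_start_iso))


if __name__ == "__main__":
    chosen, why = pick_for_restore("2026-02-10T00:00:00+00:00")
    print("restore from:", chosen["name"] if chosen else "nothing usable")
    for name, reason in why.items():
        print(f"  skipped {name}: {reason}")
```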

Communicate the recovery clearly

Your staff, your clients, and your partners need to understand what happened, what has changed, and what they need to do differently going forward. Update all employees on the nature of the incident at an appropriate level of detail. Provide clear guidance on any new security measures that have been implemented and what is expected of them, such as new authentication requirements or changed procedures. Communicate a realistic timeline for full restoration of all services. Be transparent about what happened while being careful not to disclose details that could compromise an ongoing investigation or give useful information to the attacker. People are remarkably understanding when they are kept informed. What erodes trust is silence and the suspicion that things are being hidden.

Common incident types

Not every security incident looks the same, and each type demands a slightly different response. Understanding the most common scenarios helps your team recognise what they are dealing with and prioritise the right containment actions from the outset.

Email account compromise

This is the most common incident type affecting SMEs. An attacker gains access to a business email account, typically through a phishing attack or credential stuffing, and uses it to send emails as the compromised user, intercept sensitive communications, or set up silent forwarding rules to monitor all incoming messages. The immediate priorities are resetting the password, revoking all active sessions, checking for and removing any mail forwarding rules that should not be present, and reviewing the sent items folder for messages the attacker may have dispatched. Email compromise is often the starting point for more serious attacks, including invoice fraud and data theft.

Ransomware

Ransomware encrypts your files and demands payment for their return. What many businesses do not realise is that the encryption event is usually the final stage of an attack that began days or even weeks earlier with initial access, reconnaissance, and lateral movement across your network. The immediate priority is isolating affected systems to prevent further spread. Check the integrity of your backups before assuming you can restore from them. Do not pay the ransom without consulting legal and specialist incident response advisors first. Payment does not guarantee data recovery, it funds criminal operations, and it marks your organisation as willing to pay, making you a target for repeat attacks.

Invoice fraud and business email compromise

Criminals intercept legitimate business communications, typically invoices or payment instructions, and alter the bank details so that funds are redirected to accounts they control. Alternatively, they impersonate senior executives to request urgent payments that bypass normal approval processes. The financial impact can be devastating and recovery of funds is time-sensitive. Contact your bank immediately if a fraudulent payment has been made, as there is a narrow window in which transactions can sometimes be recalled. Preserve all email evidence, including headers, as this will be critical for any investigation. Going forward, implement callback verification procedures for all payment changes, where bank details are confirmed via a phone call to a known, pre-agreed number.

Malware infection

Malware encompasses a broad range of malicious software, from keyloggers that capture every keystroke to remote access trojans that give an attacker persistent control over the infected machine. A malware infection may be the attack itself, or it may be the staging ground for something larger. Isolate the affected system from the network immediately. Scan with multiple detection tools, as no single product catches everything. Check for evidence of lateral movement to other systems on the network. Assume that any credentials entered on the compromised machine have been captured, and reset them across all services. The presence of malware on one machine should prompt a wider investigation into how it arrived and whether other systems were also affected.

Key contacts to have ready before an incident happens

The middle of a security crisis is the worst possible time to be looking up phone numbers. Every organisation should maintain a printed, up-to-date contact sheet that lives in a known location, not buried in a digital system that might be inaccessible during the very incident you need it for.

On the internal side, you need the emergency contact details for your IT lead or managed IT provider, a senior decision maker who can authorise spending and business continuity decisions, your legal counsel, HR if staff data could be involved, and your communications or PR lead if there is any possibility the incident becomes public.

On the external side, you need the claims line for your cyber insurance provider, as most policies have strict notification windows that start the moment you become aware of an incident. You need the contact details for the Information Commissioner’s Office in case the breach involves personal data. You should have the Action Fraud reporting number (0300 123 2040) readily available for reporting to law enforcement. The NCSC incident reporting portal should be bookmarked. And if your industry has a specific regulator, their notification procedures and contact details should be documented as well.

Compile this information now. Print two copies. Keep one with your IT documentation and one with your senior leadership team. Review and update it quarterly. The ten minutes this takes could save hours of frantic searching during an actual incident, hours your organisation cannot afford to waste.

“Every incident we have helped a business recover from has reinforced the same lesson. The cost of preparation is a fraction of the cost of improvisation. Organisations that planned ahead recovered in days. Those that did not recovered in months.”

Want help preparing for incidents before they happen?

We help UK businesses build practical incident response plans, run tabletop exercises with their teams, and implement the monitoring and security controls that detect threats early enough to contain them before they cause serious damage. If you do not have a plan in place, or if the one you have has never been tested, now is the time to address that.

Book a call to discuss your current readiness. We will give you an honest assessment of where you stand and a clear path to getting the right protections in place.