Most small businesses have a fire evacuation plan but no plan for the more likely emergency: a ransomware screen, a drained bank account, or a staff member who realizes they just clicked the wrong thing. When that day comes, the first hour usually decides whether it's a bad afternoon or a bad month. Here's a plan you can write now and actually follow under pressure.
Why the first hour matters most
In a security incident, speed beats perfection. The faster you contain it, the less an attacker can steal, encrypt, or wire out, and the cheaper the cleanup. The catch is that the first hour is exactly when panic, guesswork, and well-meaning mistakes happen. That's why you decide what to do before you're in it, not during.
The one decision to make in advance: who's in charge
When something breaks, the worst outcome is five people doing five different things, or everyone assuming someone else is handling it. Name, in advance, one person who runs an incident (and a backup), plus the short list of who they can call: your IT or security provider, your bank, your insurer, and a lawyer if personal data is involved. Put the names and phone numbers on one page, printed, because if your systems are down or your email is compromised, you won't be able to look them up.
Contain first, investigate later
The instinct is to figure out what happened. Resist it. The first job is to stop the bleeding:
- Disconnect affected devices from the network (unplug the cable or turn off Wi-Fi), but don't power them off, because shutting down destroys the evidence that lives only in memory. The one exception is a machine you cannot isolate any other way while it is visibly encrypting files; there, pulling the plug is the lesser harm.
- Change passwords and sign out all sessions on affected accounts, from a device you know is clean, not the compromised one.
- If money or banking is involved, call your bank immediately to try to stop or recall transfers; minutes matter for wire and payroll fraud.
- If it's an email account takeover, remove any malicious inbox rules the attacker set up to hide replies or copy mail out (check mailbox-level forwarding too, since it lives outside the rules), sign out every active session, and re-secure the account with new credentials and MFA.
Disconnecting is reversible. Letting an attacker keep working is not.
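As an added example that is not part of the original article, here is what the email-takeover step looks like in a Microsoft 365 tenant, using the Exchange Online and Microsoft Graph PowerShell modules. The tenant, the mailbox address, the admin roles and the module versions are assumptions; other mail platforms have equivalent controls, and your provider may prefer to do this for you.

```powershell
# Added example, not code from the original article. Assumes the
# ExchangeOnlineManagement and Microsoft.Graph modules are installed and that
# the operator holds Exchange and user-administration roles in the tenant.
# Run it from a device you know is clean, never from the compromised one.
# $Mailbox is a placeholder for the compromised user's address.
param(
    [Parameter(Mandatory)] [string] $Mailbox
)

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.RevokeSessions.All', 'UserAuthenticationMethod.Read.All', 'Directory.Read.All'

# 1. Preserve evidence before touching anything: export every rule, hidden ones included.
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden
$evidence = "inboxrules-${Mailbox}-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
$rules |
    Select-Object Name, Enabled, Priority, Description, ForwardTo, ForwardAsAttachmentTo,
                  RedirectTo, DeleteMessage, MarkAsRead, MoveToFolder |
    Export-Csv -Path $evidence -NoTypeInformation

# 2. Flag the patterns attackers use to hide replies: forwarding or redirecting mail
#    out of the mailbox, deleting it or marking it read, or filing it in folders nobody checks.
$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MarkAsRead -or
    ($_.MoveToFolder -match 'RSS|Archive|Deleted|Junk|Conversation History')
}
$suspicious | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize

# 3. Disable rather than delete, so the rule bodies survive for the investigation.
foreach ($rule in $suspicious) {
    Disable-InboxRule -Identity $rule.Identity -Mailbox $Mailbox -Confirm:$false
}

# 4. Forwarding can also be set on the mailbox itself, outside any inbox rule. Clear it.
Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 5. Cut off the attacker's live sessions and tokens. A password reset on its own
#    leaves existing sessions valid, so revoke first, then reset the password and
#    re-register MFA through the admin portal.
Revoke-MgUserSignInSession -UserId $Mailbox

# 6. Attackers often add their own MFA method or consent to a rogue app to keep access
#    after the password changes. Review both lists and remove anything you don't recognise.
Get-MgUserAuthenticationMethod -UserId $Mailbox | Format-List
Get-MgUserOauth2PermissionGrant -UserId $Mailbox | Format-Table ClientId, Scope, ConsentType -AutoSize
```

Keep the exported CSV with the rest of your evidence; it is what your insurer or provider will ask for when they reconstruct what the attacker saw. Disabling rather than deleting rules serves the same purpose.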
What NOT to do
A few common reactions make everything worse:
- Don't wipe or rebuild the machine yet. You'll destroy the evidence you, your insurer, and possibly the police need to understand what happened and prove what was or wasn't taken.
- Don't pay a ransom on impulse. It's a business and legal decision with no guarantee of recovery, and paying a sanctioned group can itself be unlawful; talk to your provider, insurer, and counsel first.
- Don't go quiet. Hiding an incident from your insurer, or from the people whose data was exposed, can turn a recoverable event into a legal and reputational one.
- Don't use the compromised system to coordinate. Assume the attacker can read your email and chat; organize the response by phone or on personal devices instead.
Notify the right people (it's often required)
Some notifications are not optional. Under PIPEDA, a breach of personal information that creates a real risk of significant harm must be reported to the Office of the Privacy Commissioner of Canada and to the affected individuals as soon as feasible, and you must keep a record of every breach, including the ones that don't meet that threshold. Quebec's Law 25 imposes a parallel duty: incidents that present a risk of serious injury go to the Commission d'accès à l'information and to the people concerned. Your cyber-insurance policy almost certainly requires prompt notice too, often within a defined window, and reporting late can jeopardize the claim. For fraud, report to your bank and the Canadian Anti-Fraud Centre. Know these obligations before an incident, because the clock starts the moment you discover it, not when you're ready. (Our piece on the privacy regulator's priorities is a useful primer here.)
Recover, then actually learn from it
Once you've contained the incident, recovery means restoring from clean, tested backups the attacker could not reach (ransomware crews go after backups first, which is why an offline or immutable copy matters), rebuilding affected systems, and confirming the attacker is fully out before you reconnect anything. Then do the part everyone skips: a short, blameless review of how it happened and the one or two changes that would have stopped it, which is usually MFA, a missing patch, or a bit of training. An incident you learn nothing from is one you've only half-paid for. This is where good backups earn their keep, turning a potential closure into a bad week.
Write the one-page plan now
You don't need a binder. One page covers it: who's in charge (and the backup), the call list (provider, bank, insurer, lawyer), the first few containment steps, your notification obligations, and where your backups are and how to restore them. Print it, and keep a copy off your systems. The goal is that on the worst day, the plan tells a stressed, non-technical person exactly what to do in the first hour.