Key Takeaways
- Isolate affected systems from the network, but do not power them off unless you have no other option.
- Notify your cyber insurance carrier within 24 hours, or you risk voiding the policy.
- Report the incident to the FBI (IC3) or your national cybercrime authority within 24 to 48 hours.
- Two workstreams run in parallel from minute one: technical containment and business communications.
- Do not pay a ransom, talk to the media, or wipe systems in the first 24 hours.
Two Clocks Are Already Running
If you are reading this in the middle of an incident, the most useful thing you can do in the next sixty seconds is stop and breathe. The damage that gets done in the first hour is almost always self-inflicted: someone powers off the wrong machine, someone emails customers prematurely, someone forgets to call the insurance carrier and quietly voids the policy.
There are two clocks running against you. The technical clock is about containment: every minute the attacker still has access, the blast radius grows. The business clock is about notification: insurance, regulators, customers, and the board all have windows you cannot miss. This guide walks both clocks, hour by hour, for the first 24.
Hour 0 to 1: Detect, Isolate, Do Not Panic
The first hour is about three things. Confirm what is happening, stop the spread, and preserve what you can.
Confirm. Look at EDR (Endpoint Detection and Response) alerts, file modification timestamps, and what users are reporting. Encryption in progress looks different from a single compromised mailbox. Ransomware notes on screens, mass file changes, and EDR triggers all confirm an active attack. A single phishing click does not.
Isolate. Disconnect affected hosts from the network. Disable the relevant switch ports, revoke VPN access for compromised accounts, and isolate VLANs if the spread is wider. If a domain controller is compromised, isolate it and start the decision about clean recovery early.
Do not power off. Powering a machine off destroys volatile memory, which often contains the attacker's tools, encryption keys, and active processes. Forensics teams need that memory. Network isolation gives you containment without losing evidence. The only exception is active encryption that you cannot stop any other way.
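The "confirm" step above rests on two signals: a burst of file changes in a short window and ransom-note-like files appearing. The following is an added example (not code from the guide or any EDR vendor) that scores a stream of file-modification events per host on exactly those two signals, so a responder can separate a workstation being encrypted from one with a single odd alert. The event format, the burst threshold, the note-name pattern and the sample events are all assumptions constructed for illustration.

```python
"""Triage heuristic: is this encryption in progress or an isolated event?

Added example, not taken from the guide or any vendor product. It scores a
stream of file-modification events of the kind an EDR or file-integrity
monitor emits, using two signals: a burst of file changes in a short window
and ransom-note-like files. The event format, thresholds and sample data are
assumptions made for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Filenames that look like ransom notes (assumed pattern; tune to your environment).
RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|recover|restore).*\.(txt|html|hta)$", re.I)


@dataclass
class FileEvent:
    ts: datetime
    host: str
    action: str  # "modify", "rename" or "create"
    path: str


def parse_events(lines):
    """Parse constructed 'timestamp|host|action|path' lines into FileEvent objects."""
    events = []
    for line in lines:
        ts, host, action, path = line.strip().split("|", 3)
        events.append(FileEvent(datetime.fromisoformat(ts), host, action, path))
    return events


def max_events_in_window(timestamps, window):
    """Largest number of events falling inside any window of the given length."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(events, window=timedelta(minutes=2), burst_threshold=50):
    """Return a per-host verdict: 'active_encryption' or 'isolated_event'.

    A host is called active when it shows a burst of at least burst_threshold
    file changes inside one window, or a smaller burst together with a
    ransom-note-like file. Thresholds are assumptions; calibrate them against
    the normal change rate of your own fleet.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    verdicts = {}
    for host, evs in by_host.items():
        burst = max_events_in_window([e.ts for e in evs], window)
        notes = sum(1 for e in evs
                    if RANSOM_NOTE_RE.search(e.path.replace("\\", "/").rsplit("/", 1)[-1]))
        active = burst >= burst_threshold or (notes > 0 and burst >= burst_threshold // 5)
        verdicts[host] = {"burst": burst, "notes": notes,
                          "verdict": "active_encryption" if active else "isolated_event"}
    return verdicts


def constructed_sample():
    """Constructed events: one workstation being encrypted, one with ordinary edits."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    # ws-042: 120 documents renamed to .locked within 60 seconds, then a note appears.
    for i in range(120):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()}|ws-042|rename|C:\\Users\\j.doe\\Documents\\q{i}.docx.locked")
    t = base + timedelta(seconds=70)
    lines.append(f"{t.isoformat()}|ws-042|create|C:\\Users\\j.doe\\Desktop\\README_DECRYPT.txt")
    # ws-007: three ordinary saves spread over forty minutes.
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()}|ws-007|modify|C:\\Users\\a.roe\\Documents\\notes{i}.docx")
    return lines


if __name__ == "__main__":
    for host, result in triage(parse_events(constructed_sample())).items():
        print(host, result)
```

The verdict is only a triage aid for deciding which hosts to isolate first; the forensics provider still confirms scope from the preserved evidence. The burst window and threshold are the knobs to adjust: a file server with a nightly batch job will legitimately exceed fifty changes in two minutes, so baseline each host class before trusting the heuristic.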
Hour 1 to 4: Assemble the Team and Preserve Evidence
By the end of hour one, you should be activating your incident response plan. If you do not have one, you are building it on the fly, which is the expensive way.
Stand up the Incident Response Team. You need four roles, even in a small business. An Incident Commander who runs the response, a Technical Lead who owns containment and forensics, a Communications Lead who owns internal and external messaging, and a Legal or Compliance contact who owns regulatory and contractual obligations. In an SMB, your MSP often fills two or three of these.
Preserve evidence. Snapshot affected systems before any cleanup. Keep firewall logs, EDR telemetry, email gateway logs, and authentication logs. Most are configured with short retention by default, so the first preservation step is "stop the auto-delete." Hand the evidence to your forensics provider or insurance-appointed responder when they arrive.
Stop the bleeding outside the perimeter. Reset credentials on any account suspected of compromise. Rotate the keys, tokens, and service account passwords the attacker may have touched. Force password resets across the directory if you cannot scope the access tightly.
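The "preserve evidence" step is the one most often done loosely: logs get copied somewhere, but nobody can later prove the copies are what was collected. The block below is an added example (not the guide's code and not any forensics vendor's tool) showing the minimum a responder should do when collecting logs before a forensics provider arrives: copy each file into an evidence directory without touching the original, record a SHA-256 digest, size, original modification time, collector and collection time in a manifest, and provide a re-verification routine. The log contents, file names and collector name are constructed for the demonstration.

```python
"""Evidence preservation helper: copy logs to an evidence store and hash them.

Added example, not from the guide. It makes the 'preserve evidence' step
concrete: every collected file gets a SHA-256 digest, a collection timestamp
and a collector name written to manifest.json so the copy can later be shown
to be unaltered. File names, log lines and the collector name are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir and write manifest.json.

    Originals are only read, never modified or deleted: recovery comes after
    scoping, and the originals stay where the forensics provider expects them.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {"collector": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "items": []}
    for src in sources:
        digest = sha256_file(src)
        dest_name = f"{digest[:12]}_{os.path.basename(src)}"
        dest = os.path.join(evidence_dir, dest_name)
        shutil.copy2(src, dest)  # copy2 keeps the original modification time
        if sha256_file(dest) != digest:
            raise RuntimeError(f"copy of {src} does not match the source digest")
        manifest["items"].append({
            "source": os.path.abspath(src),
            "stored_as": dest_name,
            "size": os.path.getsize(src),
            "sha256": digest,
            "source_mtime": datetime.fromtimestamp(os.path.getmtime(src), timezone.utc).isoformat(),
        })
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Re-hash every stored item; return the names of items whose digest no longer matches."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    mismatched = []
    for item in manifest["items"]:
        if sha256_file(os.path.join(evidence_dir, item["stored_as"])) != item["sha256"]:
            mismatched.append(item["stored_as"])
    return mismatched


def constructed_demo():
    """Create two constructed log files, preserve them, verify, tamper with one, re-verify."""
    work = tempfile.mkdtemp(prefix="ir-demo-")
    logs = {
        "firewall.log": "2024-01-15T09:01:02Z deny tcp 10.0.5.23:51822 -> 203.0.113.9:445\n",
        "auth.log": "2024-01-15T09:00:47Z vpn login user=j.doe src=198.51.100.7\n",
    }
    paths = []
    for name, body in logs.items():
        p = os.path.join(work, name)
        with open(p, "w") as f:
            f.write(body)
        paths.append(p)
    evidence = os.path.join(work, "evidence")
    manifest = preserve(paths, evidence, collector="on-call analyst (constructed)")
    clean = verify(evidence)
    # Simulate someone editing a preserved copy; the manifest catches it.
    stored = manifest["items"][0]["stored_as"]
    with open(os.path.join(evidence, stored), "a") as f:
        f.write("tampered\n")
    tampered = verify(evidence)
    shutil.rmtree(work)
    return len(manifest["items"]), clean, tampered


if __name__ == "__main__":
    print(constructed_demo())
```

Write the manifest to a location the attacker cannot reach (removable media, or a separate account's storage), and hand the digests to the forensics provider with the files; the digest is what lets them, and later your insurer or counsel, accept the copy as faithful.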
Hour 4 to 12: Scope and First Notifications
By hour four, the question shifts from "are we under attack" to "how big is it." This is where the business clock starts to matter more than the technical clock.
Scope the incident. Identify which systems, accounts, and data sets are affected. The IR team is looking for the entry point, the lateral movement path, and any signs of data exfiltration. The Verizon Data Breach Investigations Report has shown repeatedly that exfiltration often precedes encryption by hours or days. Assume data left the building until you can prove it did not.
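"Assume data left the building until you can prove it did not" is a statement about where to look first. The block below is an added example (not from the guide) of the first cut a scoping team usually makes: take connection logs of the kind a firewall or NetFlow collector exports, total the bytes each internal host sent to external addresses in the look-back window before the first ransom note, and flag hosts far above a normal daily baseline. The log format, the internal address ranges, the baseline figure and the sample flows are all constructed assumptions; replace them with your own address plan and export format.

```python
"""Scoping helper: which hosts sent the most data out before encryption began?

Added example, not from the guide. It totals bytes sent from internal hosts to
external addresses in the look-back window before the first sign of encryption
and flags hosts far above a normal daily baseline. The log format, the internal
address ranges, the baseline and the sample flows are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges. Use your own address plan here rather than a generic
# "is private" test, which also treats documentation ranges like 203.0.113.0/24 as private.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Constructed format: '<ISO timestamp>Z <src_ip> <dst_ip> <dst_port> <bytes_out>'."""
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), src, dst, int(port), int(nbytes)


def outbound_by_host(lines, encrypted_at, lookback=timedelta(hours=24)):
    """Sum internal->external bytes per source host within [encrypted_at - lookback, encrypted_at)."""
    totals, destinations = defaultdict(int), defaultdict(set)
    start = encrypted_at - lookback
    for line in lines:
        ts, src, dst, port, nbytes = parse_flow(line)
        if not (start <= ts < encrypted_at):
            continue  # outside the window that matters for pre-encryption exfiltration
        if not is_internal(src) or is_internal(dst):
            continue  # only count data actually leaving the building
        totals[src] += nbytes
        destinations[src].add(f"{dst}:{port}")
    return totals, destinations


def rank_exfil_candidates(lines, encrypted_at, baseline_bytes, factor=10):
    """Rank hosts by outbound volume; flag any at or above factor x the daily baseline."""
    totals, destinations = outbound_by_host(lines, encrypted_at)
    return [{"host": host, "bytes_out": total, "destinations": sorted(destinations[host]),
             "flag": total >= baseline_bytes * factor}
            for host, total in sorted(totals.items(), key=lambda kv: -kv[1])]


# Constructed sample: first ransom note seen at 09:00 on 15 Jan.
ENCRYPTED_AT = datetime(2024, 1, 15, 9, 0, 0)
CONSTRUCTED_FLOWS = [
    "2024-01-13T08:00:00Z 10.0.5.23 203.0.113.9 443 3000000000",  # too old: outside look-back
    "2024-01-14T22:10:00Z 10.0.5.23 203.0.113.9 443 2000000000",
    "2024-01-14T23:05:00Z 10.0.5.23 203.0.113.9 443 2000000000",
    "2024-01-15T00:40:00Z 10.0.5.23 203.0.113.9 443 2000000000",
    "2024-01-15T02:15:00Z 10.0.5.23 203.0.113.9 443 2000000000",
    "2024-01-15T08:30:00Z 10.0.5.40 198.51.100.7 443 50000000",   # ordinary browsing volume
    "2024-01-15T08:45:00Z 10.0.5.23 10.0.1.5 445 900000000",      # internal SMB copy: not exfil
    "2024-01-15T09:30:00Z 10.0.5.40 198.51.100.7 443 70000000",   # after encryption began
]

if __name__ == "__main__":
    # 200 MB per host per day is the assumed normal outbound volume.
    for row in rank_exfil_candidates(CONSTRUCTED_FLOWS, ENCRYPTED_AT, baseline_bytes=200_000_000):
        print(row)
```

A flagged host is a lead, not proof: the next step is to pull that host's process and session history for the same window. An empty result is also not proof of no exfiltration, since a staged transfer through a cloud service the organisation already uses will look like ordinary traffic; that is why the guide says to assume data left until shown otherwise.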
Notify your cyber insurance carrier. Most cyber insurance policies require first notice of a claim within 24 to 72 hours. Some require it sooner. Late notification can void coverage entirely. The call is not a commitment to claim; it is a notification. Make it.
Activate your insurance-appointed providers. Your policy almost certainly names a panel of approved forensics firms, breach coaches (specialist lawyers), and PR firms. Using providers outside the panel often means you pay out of pocket. Use the panel.
Hour 12 to 24: Legal, Regulatory, and Communications
The second half of the first day is mostly business workstream. The technical team is still containing and investigating, but the leadership decisions are about who you have to tell and what you have to say.
Brief the board or owners. Material incidents require leadership awareness. The board does not need every technical detail; they need scope, impact, decisions pending, and the timeline for the next update. Set a cadence (every 4 hours is normal for the first 48).
Notify law enforcement. In the US, file with the FBI Internet Crime Complaint Center (IC3) at ic3.gov, or call your local FBI field office. In the UK, report to Action Fraud and the NCSC. Reporting does not slow your recovery and often gives you access to indicators of compromise the agency has from related cases.
Map your regulatory clock. GDPR (General Data Protection Regulation) requires notification to the supervisory authority within 72 hours of becoming aware. HIPAA, state-level breach notification laws, PCI DSS, and sector-specific regulators all have their own windows. The breach coach quarterbacks this; do not improvise it.
Hold the line on external communications. Do not email customers, post on social media, or comment to press in the first 24 hours unless your breach coach approves it. Wrong information now becomes the headline forever.
What NOT to Do in the First 24 Hours
Most of the worst outcomes are caused by predictable mistakes. Avoid all of these.
Do not power systems off unless encryption is actively spreading and you have no isolation option. You destroy the forensic evidence you will need to scope the incident, satisfy your insurance carrier, and defend yourself in any later litigation.
Do not wipe and reimage affected systems early. Once they are wiped, you cannot prove what happened or what was taken. Recovery comes after scoping, not during it.
Do not pay a ransom in the first 24 hours. Even if you decide later to pay, paying early closes off options and may breach sanctions law (OFAC in the US, OFSI in the UK, depending on the threat actor). The breach coach assesses sanctions exposure first.
Do not talk to media or post to social media. Acknowledge nothing externally until you have facts and approved messaging. Premature statements get walked back, and the walkbacks become the story.
Do not email customers en masse. The legal threshold for notification is specific. Notify when you must, in the form your regulator requires, with messaging the breach coach has approved.
Do not skip the insurance call. Late notification voids coverage in many policies. The call is free. Make it.
Who to Call, in Order
The order matters because each call shapes the next one.
- Your MSP or internal IT lead (if you have not already) for technical containment.
- Your cyber insurance carrier, to open the claim window and trigger the panel of approved providers.
- The forensics firm named on your panel, to scope the incident.
- Your breach coach (specialist privacy or cyber lawyer), to map regulatory obligations.
- The FBI IC3 (US) or NCSC and Action Fraud (UK), to report.
- Leadership and the board, on a defined cadence.
- Regulators and customers, on the timeline the breach coach sets, with messaging the coach approves.
If you do not have a relationship with most of these before an incident, the first 24 hours is the wrong time to start. The CISA Incident Response Plan Basics guide is a free starting point for building the relationships in advance.
FAQ
What is the first thing to do after a cyber attack?
Isolate affected systems from the network. Disable switch ports or revoke VPN access for compromised accounts. Do not power machines off unless encryption is actively spreading. Network isolation contains the attack while preserving the forensic evidence your insurance carrier and incident responders will need to scope the incident.
Should you power off computers after a cyber attack?
Almost never in the first hour. Powering off destroys volatile memory, which often contains encryption keys, attacker tools, and active processes that forensics teams need. Use network isolation instead. The only exception is active encryption that you cannot stop any other way, and even then, isolate first if you can.
Do you have to report a cyber attack?
In most jurisdictions, yes, but the threshold and timeline vary. GDPR requires notification to the supervisory authority within 72 hours. HIPAA, PCI DSS, and state-level breach notification laws each have their own rules. Reporting to law enforcement (FBI IC3 in the US, Action Fraud and NCSC in the UK) is not always mandatory but is strongly recommended.
Should you pay a ransomware demand?
Not in the first 24 hours, and only after legal and sanctions review. Paying may breach sanctions law if the threat actor is on a sanctions list (OFAC in the US, OFSI in the UK). Many organisations that pay do not get a working decryptor, and paying signals to other groups that you are a payer. Your breach coach assesses the legal exposure before any decision.
Next Step
Most of this guide is impossible to execute in real time without preparation. Pull your cyber insurance policy and find the notification window, the panel of approved providers, and the contact number for first notice of claim. Save that one page somewhere you can find it offline. That single step is the difference between a usable policy and a voided one when the call actually matters.