What To Do in the First 24 Hours After a Cyber Incident

The first day after a cyber incident can feel messy and uncertain, especially when you are not sure where the problem started. This is completely normal. Most businesses do not have a technical play-by-play ready to go, and even well-prepared teams can feel overwhelmed. What matters most in those early hours is keeping things as contained as possible and working through the situation step by step.



Below is a simple, educational guide to help you understand what usually happens and what to focus on.

1. Identify and contain the issue

The aim in the very beginning is to stop things from getting worse. This might involve isolating the device that first showed signs of trouble, disabling a compromised account's access or temporarily turning off certain systems. You are not trying to fix everything immediately. You are creating space to work out what is going on while limiting further damage.



2. Notify your IT provider or internal team

Cyber incidents need technical eyes on them straight away. Let your IT team or external support provider know as soon as possible so they can start looking into what triggered the issue, what systems are affected and what needs to be secured. Clear information at this stage makes a big difference because the technical team can only act on what they know.



3. Contact your incident response team or cyber insurer's hotline

Many businesses wait too long before contacting their insurer, yet early notification is one of the most valuable steps you can take. The most valuable part of your cyber policy is access to incident response teams who specialise in managing these highly stressful and time-sensitive situations. Their guidance helps structure the response, coordinate communication and ensure that no critical steps are missed in restoring your systems. This guidance also supports the remediation process and the improvements needed to prevent the issue from happening again. If you don’t have a cyber policy, ensure you have an agreement in place with a cybersecurity company so you know exactly who to call when something goes wrong.



4. Avoid deleting or modifying evidence

It’s natural to want to restart systems or clear out anything that looks suspicious. The problem is that doing this can erase important information that helps investigators understand what happened. Until you get advice from your IT or incident response team, it’s better to leave things as they are.



5. Review what data or systems have been affected

Once the situation is contained, the next step is understanding the scope. Has sensitive data been accessed or altered? Are operational systems impacted? Are any customer-facing tools affected? This information helps determine what needs to be restored first and whether there are any legal or communication requirements to address.



6. Communicate carefully, and start internally

Keeping your team informed helps avoid confusion and stops people from taking actions that could complicate the situation, such as trying to log into compromised systems. External communication should wait until you have a clear picture of what happened and only be done with guidance from your IT, legal or response team. This ensures the information shared is accurate.



7. Begin restoring essential systems with expert support

After containment and assessment, the focus shifts to recovery. This might involve restoring backups, rebuilding affected devices or reconfiguring systems. Recovery usually happens in stages so the most important parts of the business can get back online first. It can be tempting to rush this step, but careful restoration reduces the chance of further issues.



8. Document everything

Keeping notes about what was done, when it was done and who made each decision is extremely useful later. It helps with internal reviews, supports the response teams, satisfies regulators if needed and informs future training. Documentation does not have to be perfect. It just needs to be clear.



A calm, structured approach makes a difference

Cyber incidents are disruptive, but they do not need to feel chaotic. Working through the first 24 hours in a structured way helps reduce confusion and sets the foundation for smoother recovery. Even if the cause is not obvious at first, steady and organised action gives your team the best chance to move through the situation efficiently.




Jasmin Gabrielli

Jasmin is an experienced insurance professional with over 11 years of general broking expertise across a diverse range of general and hard-to-place specialty lines specifically in commercial applications.

Copyright © 2024. Sage Insurance Pty Ltd (ABN 71 114 254 607) is an Authorised Representative (001306582) of EBN Holdings Pty Ltd ABN 24 635 396 306 AFSL 518220
