What to Do in the First 24 Hours After a Breach

    January 28, 2025 · 7 min read

    You just found out your firm has been breached. Maybe it was a phishing email that compromised a partner's email account. Maybe ransomware encrypted your file server. Maybe a client called to ask why their data appeared on the dark web.

    Whatever the trigger, the next 24 hours will determine whether this is a contained incident or a catastrophe. Here is exactly what to do, in order.

    Hour 0-1: Confirm and Contain

    **Do not panic, but do move fast.**

    First, confirm this is actually a breach and not a false alarm. A suspicious email is not a breach. An actual compromise of systems or data is a breach. The difference matters because your response needs to be proportional.

    Once confirmed:

    **Isolate affected systems.** Disconnect compromised machines from the network. Do not power them off (you may need the memory for forensic analysis), but remove their network connection: pull the cable, disable Wi-Fi, or block the machine at the switch or firewall. If a server is affected, isolate it at the network level. For a virtual machine, take a snapshot that includes memory before you touch anything else. One exception: if ransomware is actively encrypting files and you cannot capture memory quickly, a hard power-off to stop the encryption is a defensible trade-off. Record the decision and the time either way.

    **Disable compromised accounts.** If an email account or user credentials were compromised, disable them immediately. Force password resets for any account that may have been affected. Revoke active sessions and refresh tokens: a password change on its own does not log out an attacker who is already signed in. For a compromised mailbox, also remove any forwarding rules, delegated access, or MFA devices the attacker added, because those survive a password reset.

    **Preserve evidence.** Do not start "cleaning up" yet. Do not delete suspicious emails or reformat affected machines. Everything is potential evidence. Take screenshots, note timestamps (in UTC, so logs from different systems line up), and document what you observe. Hash any files you collect and record who collected what and when, so you can later show the evidence was not altered.

    **Activate your incident response team.** If you have a breach response plan (and you should), now is the time to use it. Notify the designated incident commander and assemble your response team.
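    As an added example (not from the original article), the script below implements the evidence-preservation step: it hashes each collected artifact with SHA-256, records the collector, host and UTC time in a JSON Lines manifest, and can later re-verify every entry to show nothing changed after collection. The file names, the collector name, the manifest path and the sample email text are placeholders.

```python
"""Chain-of-custody manifest for collected incident artifacts.

Added example, not from the original article. Paths, the collector
name and the sample email text below are placeholders.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file in 1 MiB chunks so disk images or mailbox exports never load fully into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_evidence(path, manifest, collector, note=""):
    """Hash one artifact and append a custody record (who, where, when, what) to the manifest."""
    path = Path(path)
    entry = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "collection_host": socket.gethostname(),
        "artifact": str(path.resolve()),
        "size_bytes": path.stat().st_size,
        "sha256": sha256_file(path),
        "note": note,
    }
    with open(manifest, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(manifest):
    """Re-hash every recorded artifact. Returns (ok, problems); problems lists changed or missing files."""
    problems = []
    with open(manifest, encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            artifact = entry["artifact"]
            if not os.path.exists(artifact):
                problems.append(f"missing: {artifact}")
            elif sha256_file(artifact) != entry["sha256"]:
                problems.append(f"hash mismatch: {artifact}")
    return (not problems, problems)


def demo():
    """Constructed scenario: record a saved phishing email, verify, then tamper with it and verify again."""
    workdir = Path(tempfile.mkdtemp(prefix="ir-evidence-"))
    artifact = workdir / "phish_message.eml"
    content = b"From: attacker@example.invalid\nSubject: Invoice attached\n"   # constructed sample
    artifact.write_bytes(content)
    manifest = workdir / "manifest.jsonl"
    entry = record_evidence(artifact, manifest, collector="J. Doe", note="phishing email, partner mailbox")
    hash_matches = entry["sha256"] == hashlib.sha256(content).hexdigest()
    fresh = verify_manifest(manifest)              # (True, [])
    artifact.write_bytes(content + b"X")           # simulate post-collection modification
    tampered = verify_manifest(manifest)           # (False, ['hash mismatch: ...'])
    artifact.unlink()
    missing = verify_manifest(manifest)            # (False, ['missing: ...'])
    return hash_matches, fresh, tampered, missing


if __name__ == "__main__":
    for result in demo():
        print(result)
```

    Run record_evidence from the collection workstation as each artifact is gathered, keep the manifest itself on write-once or offline media, and re-run verify_manifest before handing anything to investigators, counsel or the insurer.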

    Hour 1-4: Assess the Scope

    Now you need to understand what happened and how far it went.

    **Determine the attack vector.** How did the attacker get in? Phishing email? Compromised credentials? Exploited vulnerability? Understanding the entry point helps you close it and assess what else might be affected.

    **Identify affected data.** What data was potentially accessed, stolen, or encrypted? Client financial records? Tax returns? Legal documents? Personnel files? The type of data determines your notification obligations.

    **Map the blast radius.** Did the attacker move laterally from the initial compromise? Check logs to see which systems were accessed using compromised credentials. Look for unusual data transfers, new user accounts, or configuration changes.

    **Check your backups.** Verify that your backups are intact and have not been compromised. Ransomware operators increasingly target backup systems, so check offline or immutable copies separately, and do not trust a backup that the compromised credentials could reach or that was written after the compromise began. If your backups are clean, you have recovery options. If they are compromised, your situation just got more complicated.

    **Engage forensic investigators.** Unless your firm has in-house expertise (most do not), this is the time to call in professional incident response services. They have the tools and experience to conduct a thorough investigation while preserving evidence for potential legal proceedings.
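    As an added example (not from the original article), the script below does the log-side part of the blast-radius check: given the accounts known to be compromised and the earliest plausible start of the compromise, it reports every host those accounts touched afterwards, source addresses they never used before, accounts they created (which it then treats as compromised too), and large outbound transfers. The JSON Lines events, the field names (ts, event, user, host, src_ip, bytes_out, new_user), and every hostname and address are constructed stand-ins for whatever your systems or SIEM actually export.

```python
"""Blast-radius triage over authentication and file-activity logs.

Added example, not from the original article. SAMPLE_LOG and its field
names are constructed; map your own export onto them.
"""
from collections import defaultdict
from datetime import datetime
import json

# Constructed sample events; hostnames, users and addresses are fictitious.
SAMPLE_LOG = """
{"ts": "2025-01-20T09:02:11Z", "event": "logon", "user": "jsmith", "host": "MAIL01", "src_ip": "10.0.5.23"}
{"ts": "2025-01-21T08:55:40Z", "event": "logon", "user": "jsmith", "host": "FILE01", "src_ip": "10.0.5.23"}
{"ts": "2025-01-27T14:10:02Z", "event": "logon", "user": "jsmith", "host": "MAIL01", "src_ip": "198.51.100.77"}
{"ts": "2025-01-27T14:15:45Z", "event": "logon", "user": "jsmith", "host": "FILE01", "src_ip": "198.51.100.77"}
{"ts": "2025-01-27T14:22:09Z", "event": "logon", "user": "jsmith", "host": "DC01", "src_ip": "198.51.100.77"}
{"ts": "2025-01-27T14:25:30Z", "event": "account_created", "user": "jsmith", "host": "DC01", "new_user": "svc_backup2"}
{"ts": "2025-01-27T14:40:00Z", "event": "file_transfer", "user": "jsmith", "host": "FILE01", "src_ip": "198.51.100.77", "bytes_out": 7516192768}
{"ts": "2025-01-27T15:01:12Z", "event": "logon", "user": "svc_backup2", "host": "BACKUP01", "src_ip": "198.51.100.77"}
{"ts": "2025-01-27T15:05:00Z", "event": "logon", "user": "amiller", "host": "FILE01", "src_ip": "10.0.5.41"}
"""


def parse_ts(value):
    """ISO-8601 with a trailing Z -> aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def map_blast_radius(events, compromised, since, transfer_threshold=1 << 30):
    """Report what the compromised accounts did after `since` (ISO string or aware datetime).

    Events before `since` are used only to learn each account's normal source IPs,
    so that post-compromise addresses can be compared against a baseline.
    """
    since = parse_ts(since) if isinstance(since, str) else since
    suspects = set(compromised)
    baseline_ips = defaultdict(set)
    hosts_touched = defaultdict(set)
    new_ips = defaultdict(set)
    new_accounts = []
    large_transfers = []

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        user = ev.get("user")
        if ts < since:
            if user in suspects and ev.get("src_ip"):
                baseline_ips[user].add(ev["src_ip"])
            continue
        if ev["event"] == "account_created" and user in suspects:
            new_accounts.append(ev["new_user"])
            suspects.add(ev["new_user"])      # anything the attacker created is suspect too
        if user not in suspects:
            continue
        hosts_touched[user].add(ev["host"])
        ip = ev.get("src_ip")
        if ip and ip not in baseline_ips[user]:
            new_ips[user].add(ip)
        if ev["event"] == "file_transfer" and ev.get("bytes_out", 0) >= transfer_threshold:
            large_transfers.append((ev["ts"], user, ev["host"], ev["bytes_out"]))

    return {
        "hosts_touched": {u: sorted(h) for u, h in hosts_touched.items()},
        "new_source_ips": {u: sorted(i) for u, i in new_ips.items()},
        "accounts_created": new_accounts,
        "large_transfers": large_transfers,
        "all_suspect_accounts": sorted(suspects),
    }


if __name__ == "__main__":
    findings = map_blast_radius(load_events(SAMPLE_LOG), ["jsmith"], "2025-01-27T14:00:00Z")
    print(json.dumps(findings, indent=2))
```

    The point of the baseline pass is the comparison: an address that is new for that user after the compromise window is far more telling than any address on its own. Feed it the real export, set `since` generously early (attackers are often present for days before the event that tipped you off), and treat the output as a list of systems and accounts to investigate, not a verdict.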

    Hour 4-8: Notify Key Stakeholders

    **Internal notification.** Brief firm leadership on what is known so far. Be factual. Avoid speculation. Present what you know, what you do not know, and what you are doing to find out.

    **Cyber insurance carrier.** Contact your cyber insurance carrier as soon as possible. Most policies have strict notification requirements, often within 24 to 72 hours. Late notification can jeopardize your coverage, and many policies also require you to use carrier-approved forensic and legal vendors, so call before you engage anyone else. Understand what your cyber insurance requires before an incident occurs.

    **Legal counsel.** If you do not have in-house legal expertise on data breaches, engage external counsel experienced in cybersecurity incidents. They will advise on:

    • Notification obligations under state and federal law
    • Privilege considerations (especially for law firms)
    • Regulatory reporting requirements
    • Potential liability exposure

    **Law enforcement.** Report the incident to the FBI's Internet Crime Complaint Center (IC3) and your local FBI field office. For ransomware, also notify CISA (Cybersecurity and Infrastructure Security Agency). Reporting does not mean you lose control of the situation. It opens access to resources and intelligence.

    Hour 8-16: Remediate and Recover

    With the scope assessed and stakeholders notified, shift focus to fixing the problem.

    **Close the entry point.** Patch the exploited vulnerability or disable the compromised access point (a VPN account, an exposed remote desktop service, a leaked API key). For phishing, block the sender and any linked domains and purge the message from every mailbox that received it. Make sure the attacker cannot get back in through the same door, and look for other doors left behind: new accounts, remote access tools, startup tasks, or mail rules the attacker created.

    **Reset credentials comprehensively.** Do not just reset the compromised accounts. Consider resetting all passwords across the organization if there is any chance the attacker has broader access. Reset service account passwords and API keys as well. Sequence matters: close the entry point first, or the attacker simply harvests the new credentials; then reset the accounts the attacker is known to have used, then privileged and service accounts, then everyone else.

    **Rebuild compromised systems.** Systems that were directly compromised should be rebuilt from scratch, not just cleaned. You cannot be sure that malware has been fully removed from a system that was actively compromised.

    **Restore from clean backups.** If data was encrypted or destroyed, begin restoring from verified clean backups. Monitor the restored systems closely for any signs of reinfection.

    **Enhance monitoring.** Increase monitoring across your environment. The days and weeks following a breach are high-risk because attackers sometimes maintain secondary access channels. Watch for unusual login attempts, data transfers, or configuration changes.

    Hour 16-24: Plan Communication and Prevention

    **Draft client notifications.** Depending on the data involved and applicable regulations, you may be required to notify affected clients. Draft these communications carefully with legal counsel. Be transparent about what happened, what data was affected, and what steps you are taking.

    Most state breach notification laws require notification within 30 to 60 days, but some are shorter. Some require notification to the state attorney general as well.

    **Prepare for regulatory inquiries.** If you handle data subject to specific regulations (IRS Publication 4557 for tax professionals, state bar requirements for law firms, HIPAA for firms handling health information), prepare for potential inquiries from regulators.

    **Document everything.** Create a detailed timeline of the incident and your response. This documentation is essential for:

    • Insurance claims
    • Regulatory compliance
    • Legal defense
    • Improving your security posture
    • Updating your incident response plan

    **Begin root cause analysis.** Start asking the harder questions. Why did this happen? Was it a technical failure, a process failure, or a people failure? What controls should have caught this? Why didn't they?

    What Not to Do

    **Do not pay ransomware without expert guidance.** The decision to pay is complex and should involve your forensic team, legal counsel, and insurance carrier. Payment does not guarantee you will get your data back, and it may violate OFAC sanctions regulations.

    **Do not communicate prematurely.** Rushing to notify clients before you understand the scope can cause unnecessary panic and may need to be corrected later. Get the facts first, then communicate.

    **Do not blame individuals.** The person who clicked the phishing link is not the problem. The system that allowed one click to compromise the entire firm is the problem. Focus on systemic improvements.

    **Do not go back to normal without changes.** If you resume operations without addressing the root cause, you are setting yourself up for a repeat. Use this incident as the catalyst for meaningful security improvements.

    Building Resilience Before the Next Incident

    The best time to prepare for a breach was before it happened. The second best time is right after one.

    Once the immediate crisis is resolved:

    1. Update your incident response plan based on lessons learned
    2. Invest in the security controls that would have prevented or contained this incident
    3. Implement regular security training for all staff
    4. Review and strengthen your data protection practices
    5. Conduct a thorough assessment of your security posture

    For comprehensive guidance on building a resilient security program, visit our cybersecurity guide for professional services. The firms that learn from incidents and invest in prevention are the ones that come out stronger.