Incident Response for SMEs: What To Do in the First 24 Hours of a Cyber Attack
Imagine this:
It’s 8:30am on a Tuesday. Your team starts reporting that they can’t open files. A strange note appears on several screens:
“Your files are encrypted. Pay 3 Bitcoin within 72 hours or lose everything.”
Your email is still working, but your shared drive is full of unreadable documents. Your accounts team is asking if they can still run payroll. You call your IT person, but they’re tied up onsite with another client.
What you do in the next 24 hours will make a huge difference to:
- How much data you lose
- How long your business stays down
- Whether you need to notify customers, partners, or regulators
- How much the whole incident ultimately costs
This guide gives you a step‑by‑step playbook for those crucial first 24 hours, written for SME leaders and non‑technical managers.

Hour 0–1: Confirm the Incident & Stabilise
The first hour is about calmly confirming what’s happening and stopping things from getting worse.
1. Stay calm, take control
- Do not start randomly rebooting or unplugging everything.
- Appoint an Incident Lead (often the owner, MD, or senior manager) who will coordinate actions and decisions.
- Start a simple incident log: time, what was observed, who reported it, and what actions you take.
Common signs of an incident:
- Ransom note on screen or in files
- Unusual login alerts (e.g., logins from countries where you don’t operate)
- Customers receiving emails that you did not send
- Unexpected bank transfers or invoice changes
- Security software (antivirus/EDR) raising serious alerts
2. Confirm it’s likely a real incident
Ask your team:
- When did the issue start?
- Which systems are affected (email, file server, cloud apps, finance system, website)?
- Who else is seeing similar issues?
If you have an IT provider or Managed Service Provider (MSP), call them immediately. A good MSP can:
- Check alerts from monitoring tools
- Review suspicious emails or files
- Confirm whether it’s likely malware, account compromise, or something else
If you don’t have an MSP, assign your most technical person to help gather information, but keep the Incident Lead in charge of decisions.
3. Decide: pause critical activities
If there is a reasonable chance this is a real cyber attack:
- Pause high‑risk activities, such as:
  - Online banking and payments
  - Processing new sensitive customer data
  - Large file uploads or downloads
- Tell staff:
  “We’re investigating a possible IT security issue. Please don’t log into online banking or install any software until we give the all‑clear.”

Hour 1–4: Contain & Isolate
Your goal now is to stop the attack spreading while preserving evidence.
4. Isolate affected machines (without wiping evidence)
If a device appears infected (ransom note, strange pop‑ups, files changing, very slow and unusual behaviour):
- Disconnect it from the network:
  - Unplug the network cable, or
  - Turn off Wi‑Fi (using the hardware switch or system tray), or
  - Move it to airplane mode
- Do NOT power it off unless your MSP or a specialist tells you to.
Powering off can sometimes destroy useful evidence in memory; it may also interrupt encryption in a way that causes more damage.
Apply this to:
- PCs or laptops showing obvious signs of infection
- Servers where files are suddenly encrypted or renamed
- Shared storage that is rapidly changing
Label these devices as “Do not use – under investigation”.
5. Isolate compromised accounts
If you suspect that an account (e.g., a staff email) has been misused:
- Immediately reset the password for:
  - The suspected account
  - Any other accounts using the same or similar password
- Enable Multi‑Factor Authentication (MFA) if not already in place.
MFA means a second step (like a code on your phone) in addition to a password.
For cloud services (Microsoft 365, Google Workspace, accounting systems):
- Temporarily block sign‑in for the suspected user account if you can.
- Review recent sign‑ins: look for logins from unknown locations or devices.
6. Temporarily disable risky remote access
If remote access might be involved:
- VPN (Virtual Private Network) – a secure connection staff use to access the office network remotely.
- Remote desktop tools (e.g., RDP, TeamViewer, AnyDesk).
Actions you can take:
- Ask your MSP or IT person to temporarily disable external remote access or change VPN passwords and keys.
- If you manage it yourself:
- Disable remote access on your firewall/router interface.
- Turn off any “remote management” features on your router, if enabled.
Do this in a controlled way so you don’t cut off your ability (or your MSP’s) to fix the problem. When in doubt, call your MSP and discuss the options.
7. Preserve logs and evidence
Evidence will help in:
- Understanding what happened
- Demonstrating compliance to regulators
- Making insurance claims
Do:
- Save copies of:
  - Ransom notes (screenshots or photos with your phone)
  - Suspicious emails (do not click links; save as a file or forward to IT/security)
- Ask your MSP to:
  - Preserve server and firewall logs
  - Preserve logs from email systems and security tools
Do not:
- Delete suspicious files or emails unless advised to
- Wipe or reinstall systems immediately (this can come later, in a controlled way)

Hour 4–12: Assess Impact & Document
Once the situation is stabilised, you need to understand what’s affected and start planning next steps.
8. Identify what’s impacted
Create a simple list:
- Systems:
  - File servers / shared drives
  - Accounting / ERP / CRM
  - Website / e‑commerce platform
  - HR or payroll systems
- Data types:
  - Customer records
  - Financial data
  - Employee data
  - Intellectual property (designs, source code, proposals)
For each, note:
- Working normally
- Partially affected
- Fully unavailable or clearly compromised
Your MSP can help by:
- Scanning devices for malware
- Checking what was accessed or changed
- Reviewing security alerts and logs
If you don’t have an MSP, do what you can:
- Log into key cloud services and confirm:
  - Can you access the system?
  - Has anything obviously changed (e.g., new admin users, mailbox forwarding rules, unknown apps connected)?
- Ask staff to report anything unusual they’ve noticed.
9. Decide: is this likely a data breach?
A data breach is when sensitive or confidential information is viewed, copied, or stolen by unauthorised people. It’s different from just “systems down”.
Ask, with your MSP and legal counsel if possible:
- Did attackers likely access data, or just encrypt it?
- Are there signs of:
  - Unusual data downloads or exports
  - New mailbox forwarding rules (emails secretly copied elsewhere)
  - Files copied to unknown locations or cloud apps
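Two of the checks above (reviewing recent sign‑ins for unknown countries or devices, and looking for new mailbox forwarding rules) can be scripted once the cloud service’s sign‑in and rule exports are to hand. The Python below is an added example, not part of this guide or any vendor tool; the simplified export format, the operating‑country list, the domain example.com, the review window and every sample record are constructed assumptions, so real Microsoft 365 or Google Workspace exports need their fields mapped to this shape first.

```python
from datetime import datetime, timezone

OPERATING_COUNTRIES = {"GB", "IE"}   # assumption: where the business actually operates
INTERNAL_DOMAIN = "example.com"      # assumption: the organisation's own email domain
# Sign-ins before this moment are treated as the user's normal baseline (constructed).
REVIEW_FROM = datetime(2024, 5, 13, 12, 0, tzinfo=timezone.utc)

SIGN_INS = [  # constructed export: who, when (UTC), from which country, on which device
    {"user": "ann@example.com", "time": "2024-05-13T09:02:00Z", "country": "GB", "device": "LAPTOP-ANN"},
    {"user": "bob@example.com", "time": "2024-05-13T09:15:00Z", "country": "IE", "device": "LAPTOP-BOB"},
    {"user": "ann@example.com", "time": "2024-05-14T03:41:00Z", "country": "NG", "device": "unknown"},
    {"user": "bob@example.com", "time": "2024-05-14T08:10:00Z", "country": "IE", "device": "LAPTOP-BOB"},
]
INBOX_RULES = [  # constructed export of each mailbox's rules
    {"mailbox": "ann@example.com", "name": "Clean up",
     "forward_to": ["drop@mail-collector.example.net"], "delete": True},
    {"mailbox": "bob@example.com", "name": "Invoices",
     "forward_to": ["finance@example.com"], "delete": False},
]

def suspicious_sign_ins(sign_ins, known_countries=OPERATING_COUNTRIES, review_from=REVIEW_FROM):
    """Flag sign-ins from countries the business does not operate in, and sign-ins
    inside the review window from a device the user had never used before it."""
    baseline_devices, findings = {}, []
    for s in sorted(sign_ins, key=lambda r: r["time"]):   # ISO-8601 strings sort chronologically
        when = datetime.fromisoformat(s["time"].replace("Z", "+00:00"))
        devices = baseline_devices.setdefault(s["user"], set())
        reasons = []
        if s["country"] not in known_countries:
            reasons.append(f"country {s['country']}")
        if when >= review_from and s["device"] not in devices:
            reasons.append(f"new device {s['device']}")
        devices.add(s["device"])
        if reasons:
            findings.append((s["user"], s["time"], ", ".join(reasons)))
    return findings

def suspicious_inbox_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Flag rules that forward mail outside the organisation, or that delete
    messages (which can hide the forwarding from the mailbox owner)."""
    findings = []
    for r in rules:
        external = [a for a in r["forward_to"] if not a.lower().endswith("@" + internal_domain)]
        if external or r["delete"]:
            findings.append((r["mailbox"], r["name"], external, r["delete"]))
    return findings

if __name__ == "__main__":
    for f in suspicious_sign_ins(SIGN_INS):
        print("SIGN-IN to review:", f)
    for f in suspicious_inbox_rules(INBOX_RULES):
        print("RULE to review:", f)
```

Anything flagged is a lead for your MSP or IT person to confirm against the service’s own audit log, not proof of compromise on its own.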
If there is a reasonable chance that personal data (customers, staff, patients, students, etc.) was accessed, you may have legal obligations to notify regulators and affected individuals. These obligations vary by country and industry.
Important: This is general guidance, not legal advice. You must consult your local regulations and legal professionals to understand your specific obligations.
10. Document everything
Maintain your incident log with:
- Timeline of events (what happened when)
- Who was involved
- Actions taken and by whom
- Systems impacted and data types involved
This will:
- Support any regulatory or insurance processes
- Help you learn and improve your security later
- Be useful if law enforcement gets involved

Hour 12–24: Notify, Recover & Improve
By now you should have a clearer picture of:
- What happened
- What’s affected
- Whether data might be compromised
Now you focus on communication, recovery, and planning improvements.
11. Decide who to notify (and when)
Stakeholders you may need to notify:
- Internal:
  - All staff
  - Management/board
- External:
  - Customers
  - Key suppliers and partners
  - Insurer (especially cyber insurance)
  - Regulators or supervisory authorities (if required)
  - Law enforcement (especially for fraud, extortion, or major breaches)
General principles:
- Be timely but accurate – don’t sit on serious issues, but avoid speculating.
- Be transparent but careful – share what you know and what you’re doing, avoiding overly technical detail or blame.
Reminder: Data breach and incident notification rules differ by country and industry. Always check with a lawyer or compliance adviser before making regulatory notifications or formal statements.
12. Communicate safely
Do not use channels that might be compromised.
For example:
- If your company email account was abused to send fake invoices, don’t use that same account to send incident updates until it has been secured and checked.
- For critical early communication, consider:
  - Phone calls
  - Video meetings
  - Personal email accounts (if organisational email is untrusted), while being careful with sensitive details
Example: Internal incident update email
Once your email is safe, you might send something like:
Subject: Temporary IT Security Incident – Please Read
We are currently dealing with an IT security issue affecting some of our systems. At this stage, we believe the issue is limited to [brief description, e.g., “the shared drive on the main server”].
Our IT team/partner is actively investigating and working on containment and recovery. In the meantime, please:
- Do not open unexpected email attachments or click on unusual links.
- Do not install any new software on your work devices.
- Report anything suspicious immediately to [contact].
We will share further updates as we learn more. Thank you for your cooperation and please avoid speculation or blame – our focus is on resolving this safely and quickly.

13. Start technical recovery (with your MSP)
Recovery should be methodical, not rushed:
With an MSP, they will typically:
- Confirm which devices are safe, which need cleaning or rebuilding
- Remove malware from affected systems
- Restore data from backups, prioritising:
  - Finance and billing
  - Core operations (orders, bookings, production)
  - Customer service
- Check that restored systems are patched and protected (antivirus/EDR, firewall, MFA)
If you don’t have an MSP:
- Start by restoring the minimum needed to resume operations.
- Use clean backups that pre‑date the incident.
- Before reconnecting a device to the network, ensure:
  - Antivirus is updated and has run a full scan
  - Default passwords are changed
  - Unnecessary remote access is disabled
14. Engage the right external support
Depending on severity, you may need:
- MSP (Managed Service Provider):
  - First‑line incident triage and containment
  - Coordinating with specialist security partners
  - Restoring systems and backups
  - Implementing improved security controls afterward
- Specialist incident response firm:
  - Deep forensic investigation
  - Advanced malware analysis
  - Support with complex ransomware or large‑scale breaches
- Legal counsel:
  - Advice on regulatory obligations
  - Guidance on communications and liability
  - Input on difficult decisions (e.g., ransom demands)
- Insurer:
  - Confirm what’s covered and what documentation is required
  - Access to approved incident response partners
- Law enforcement:
  - Particularly for fraud, extortion, or significant personal data breaches
On ransom payments:
Paying a ransom is not guaranteed to get your data back and can have legal and ethical implications. Treat it as a last‑resort decision, made only with input from legal counsel, law enforcement, your insurer, and experienced incident responders.
15. Capture lessons and improve
Even within the first 24 hours, start noting:
- What worked well (e.g., quick reporting by staff)
- What slowed you down (e.g., no up‑to‑date asset list, weak passwords, missing backups)
- Where you need stronger controls (e.g., MFA, security awareness training, endpoint protection)
Your MSP (or internal IT) can help you:
- Create or refine a formal Incident Response Plan
- Improve backup strategy (including regular testing)
- Implement endpoint protection and 24/7 monitoring where appropriate
- Set up user security training and phishing simulations
- Review and improve policies for passwords, access control, and remote work
For SMEs, using a Managed IT Services or IT Department‑as‑a‑Service model can be a cost‑effective way to have this level of readiness and support without hiring a full in‑house team.

Quick‑Reference Checklist: First 24 Hours After a Cyber Attack
Print or save this as a one‑page guide.
Hour 0–1: Confirm & Stabilise
- Appoint an Incident Lead (owner/MD/senior manager)
- Start an incident log (time, what happened, actions)
- Gather initial info from staff (what’s affected, since when)
- Call your MSP / IT support (if you have one)
- Pause risky activities (online banking, major data processing)
Hour 1–4: Contain & Isolate
- Disconnect clearly affected machines from the network
- Do not power off devices unless advised
- Reset passwords for suspected compromised accounts
- Enable or enforce MFA where possible
- Temporarily restrict or disable remote access/VPN if suspected abused
- Preserve evidence: screenshots, suspicious emails, logs (via MSP/IT)
Hour 4–12: Assess & Document
- List affected systems (email, files, finance, website, etc.)
- Identify types of data potentially involved (customers, staff, financial)
- Work with MSP/IT to check logs, access, and unusual activities
- Consider whether a data breach is likely (possible exposure of personal data)
- Consult legal counsel or compliance adviser as needed
- Keep updating your incident log with all findings and actions
Hour 12–24: Notify, Recover & Improve
- Decide who to notify (staff, board, customers, partners, insurer)
- Avoid using compromised channels for sensitive communication
- Prepare clear, calm, factual internal and external messages
- Begin controlled recovery with MSP/IT (clean systems, restore from backups)
- Contact law enforcement if fraud, extortion, or major breach involved
- Note lessons learned; plan for improvements (MFA, backups, training, monitoring)
- Schedule a full post‑incident review once things are stable
You don’t need to become a cybersecurity expert to respond effectively to an incident. With a clear plan, the right people to call, and some basic preparation, your SME can survive and recover from a cyber attack – and come out stronger and more resilient on the other side.
