You're Being Breached Right Now. Here's Exactly What to Do.
Step-by-step incident response for small businesses. What to disconnect, who to call, what to preserve, and what NOT to do. Print this out and tape it to the wall.

Print this article. Seriously.
If you're reading this during an active incident, skip to the checklist below. Everything else can wait.
If you're reading this on a normal Tuesday, good. Print it out. Tape it to the wall in your server room or your office. Put it somewhere your team can find it at 2am on a Saturday when everything is on fire and nobody can think straight.
Because when a breach happens, the difference between a recoverable incident and a business-ending catastrophe is what you do in the first 60 minutes.
THE CHECKLIST: First 60 Minutes
Minute 0-5: CONTAIN
Do NOT turn off computers. Powering down destroys forensic evidence in memory. Instead:
- [ ] Disconnect affected machines from the network. Pull the ethernet cable. Disable Wi-Fi. Do not shut down.
- [ ] Disconnect your backup drive/NAS if it's network-attached. Pull its network cable, don't power it off (same reason as above). Ransomware specifically hunts for backup systems and tries to wipe or encrypt them before it announces itself. Isolate them immediately.
- [ ] Disable the compromised user account(s). If you know which account was breached, disable it in your admin panel right now. Don't delete it (evidence). Disable it. Disabling an account does not always end sessions that are already open, so if your admin panel can also revoke sessions or sign the user out everywhere (Microsoft 365 and Google Workspace both can), do that too.
- [ ] Change the Wi-Fi password if you suspect the attacker has network access.
- [ ] Document what you see. Take photos of ransom screens, error messages, or unusual behavior with your phone. Note the exact time.
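An added example to go with the steps above (it is not part of the original checklist, and it is not this company's tooling): a small POSIX shell script that writes down what is running and connected on a Linux or macOS machine before you pull the cable, so the volatile state that a power-off would destroy is at least recorded. It assumes you can open a terminal on the affected box and point it at removable media (the `/media/usb` path is a placeholder; Windows hosts need a different tool). It runs only read-only commands, writes one text file, and prints that file's SHA-256 so you can later show the snapshot was not altered.

```shell
#!/bin/sh
# Added example for this article (not the article's own tooling): snapshot of
# volatile state, taken BEFORE disconnecting a suspected machine. Read-only commands.

# try_cmd LABEL CMD [ARGS...] : print a section with CMD's output, or a note if the
# tool is missing or fails, so one absent command never aborts the whole snapshot.
try_cmd() {
  label=$1; shift
  printf '\n== %s ==\n' "$label"
  if command -v "$1" >/dev/null 2>&1; then
    "$@" 2>&1 || printf '(%s exited with status %s)\n' "$1" "$?"
  else
    printf '(%s not available on this host)\n' "$1"
  fi
}

# collect_volatile OUTDIR : write triage-<host>-<utc>.txt into OUTDIR, print its path.
collect_volatile() {
  outdir=$1
  mkdir -p "$outdir" || return 1
  host=$(hostname 2>/dev/null || uname -n)
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  out="$outdir/triage-$host-$stamp.txt"
  {
    printf '== incident triage snapshot ==\n'
    printf 'host: %s\n' "$host"
    printf 'utc_time: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'local_time: %s\n' "$(date)"
    printf 'collected_by: %s\n' "$(id -un 2>/dev/null || echo unknown)"
    try_cmd "uptime" uptime
    try_cmd "logged-in users" who
    try_cmd "recent logins" last -n 20
    try_cmd "network interfaces (ip)" ip addr          # Linux
    try_cmd "network interfaces (ifconfig)" ifconfig -a # macOS / older Linux
    try_cmd "sockets (ss)" ss -tunap                    # Linux
    try_cmd "sockets (netstat)" netstat -tunap          # fallback where ss is absent
    try_cmd "arp cache" arp -an
    try_cmd "processes" ps auxww
    try_cmd "mounts" mount
  } > "$out"
  printf '%s\n' "$out"
}

# snapshot_digest FILE : print the SHA-256 of the snapshot. Write it on paper as well.
snapshot_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1   # macOS ships shasum, not sha256sum
  fi
}

# Usage: sh triage.sh /media/usb   (then pull the cable). /media/usb is a placeholder.
if [ $# -gt 0 ]; then
  f=$(collect_volatile "$1")
  printf 'snapshot: %s\nsha256: %s\n' "$f" "$(snapshot_digest "$f")"
fi
```

Run it, note the printed hash next to the time on your paper log, then disconnect. Everything it captures is what the forensics team will ask for first and what a shutdown would have erased.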
Minute 5-15: CALL
In this order:
- [ ] Your security provider. That's us. (773) 417-9994. We can guide you through the rest of this in real time.
- [ ] Your cyber insurance carrier. If you have a policy, call the incident response hotline on your policy card. They'll assign a breach response team. Do this early because your policy may require it.
- [ ] Your attorney. Breach notification laws vary by state. Illinois has its own (the Personal Information Protection Act) with its own deadlines and notice requirements. Your attorney needs to know immediately.
- [ ] FBI IC3 (ic3.gov) or your local FBI field office. Report the incident. They won't show up with a SWAT team, but the report creates a record and connects your incident to broader investigations.
Do NOT call:
- Your regular IT person as a substitute for a security professional (unless they do security)
- The attacker's "customer support" number on the ransom note
- A random "data recovery" company you found by Googling in a panic
Minute 15-30: ASSESS
- [ ] What systems are affected? Make a list. Email, file server, accounting, POS, website, cloud services.
- [ ] What data was potentially exposed? Client PII, financial records, health data, payment data, employee records?
- [ ] Are your backups intact? Check now, but check from a clean device: do not plug the backup drive back into the affected network to look. If backups are on an isolated system that wasn't connected during the attack, you're in a much better position.
- [ ] How did the attacker get in? Phishing email? Compromised credentials? Vulnerable software? Don't investigate deeply yourself (that's for the forensics team), but note anything obvious.
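An added example for the "are your backups intact?" step (not part of the original article, and not this company's tooling): a shell script that records SHA-256 checksums of a backup set on a normal day, then verifies the set against that record during an incident. A file that ransomware encrypted, deleted or replaced fails the check, and a file that was not in the backup (a dropped ransom note, for instance) is flagged as unexpected. It assumes GNU coreutils (`sha256sum`, `sort -z`) and that you run the verify step from a clean machine with the backup mounted read-only. The sample backup files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this article (not the article's own tooling): checksum manifest
# for a backup set, written on a quiet day and checked during an incident.
# Assumes GNU coreutils. Keep the manifest where the backup host cannot write to it.

# make_manifest BACKUP_DIR MANIFEST : hash every file under BACKUP_DIR into MANIFEST.
make_manifest() {
  dir=$1; manifest=$2
  ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$manifest"
}

# verify_backup BACKUP_DIR MANIFEST : return 0 only if every listed file still hashes
# the same AND no extra files appeared. Prints each changed, missing or unexpected file.
verify_backup() {
  dir=$1; manifest=$2
  case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac   # absolute, we cd below
  status=0
  # 1. Changed or missing files: sha256sum -c reports each one and exits non-zero.
  ( cd "$dir" && sha256sum --quiet -c "$manifest" ) || status=1
  # 2. Unexpected files: compare the manifest's name list with what is on disk now.
  #    Manifest lines are "<64 hex chars><two spaces><path>", so the path starts at col 67.
  tmp=$(mktemp -d)
  cut -c67- "$manifest" | LC_ALL=C sort > "$tmp/expected"
  ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$tmp/actual"
  extra=$(LC_ALL=C comm -13 "$tmp/expected" "$tmp/actual")
  rm -rf "$tmp"
  if [ -n "$extra" ]; then
    printf 'UNEXPECTED (not in manifest):\n%s\n' "$extra"
    status=1
  fi
  return "$status"
}

# Demonstration on a constructed backup set (made up for this example).
demo_backup_check() {
  work=$(mktemp -d)
  mkdir -p "$work/backup/accounting"
  printf 'invoice,amount\n1001,250.00\n' > "$work/backup/accounting/ledger.csv"
  printf 'client list v3\n' > "$work/backup/clients.txt"
  make_manifest "$work/backup" "$work/manifest.sha256"
  if verify_backup "$work/backup" "$work/manifest.sha256"; then
    echo "untouched backup: PASS"
  fi
  # Simulate what ransomware leaves behind: one file overwritten with ciphertext-like
  # bytes, one file gone, and a ransom note dropped next to the data.
  head -c 64 /dev/urandom > "$work/backup/accounting/ledger.csv"
  rm "$work/backup/clients.txt"
  printf 'your files are encrypted\n' > "$work/backup/README_DECRYPT.txt"
  if verify_backup "$work/backup" "$work/manifest.sha256"; then
    echo "tampered backup: PASS (this should not happen)"
  else
    echo "tampered backup: FAIL (expected; do not restore from this copy)"
  fi
  rm -rf "$work"
}
demo_backup_check
```

Build the manifest as part of your normal backup job and keep a copy offline; the check itself is one command, which is what you want at 2am. A backup that fails it is not a restore source until the forensics team has looked at it.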
Minute 30-60: COMMUNICATE
- [ ] Brief your leadership team. CEO, partners, whoever makes decisions. They need to know the scope.
- [ ] Do NOT post on social media about the breach. Not yet. Your attorney and insurance carrier will guide the public communication.
- [ ] Do NOT email from compromised systems. If your email was breached, the attacker may still be reading it. Use phone calls, personal email, or a clean device for all incident communications.
- [ ] Prepare a brief internal message for staff: "We're aware of a security incident. Do not use company email or log into company systems until further notice. We'll update you by [phone/text/personal email]."

After the first hour: Recovery
Day 1-3: Investigation and containment
A security professional (us or your insurance carrier's incident response team) will:
- Conduct forensic analysis to determine what happened and how
- Identify all compromised systems and accounts
- Ensure the attacker is fully removed (not just the symptoms)
- Preserve evidence for law enforcement and legal proceedings
Day 3-7: Remediation
- Rebuild compromised systems from clean images, not by "cleaning" infected ones
- Restore data from backups (assuming they're clean and tested)
- Rotate every credential in the organization. Every password. Every API key. Every token. Assume everything is compromised. Do this after the attacker has been removed, not before: credentials rotated while they still have a foothold (a backdoor, a keylogger, a mailbox they can read) are simply harvested again.
- Patch the vulnerability that allowed initial access
- Implement the controls that were missing (MFA, EDR, email auth, etc.)
Day 7-30: Notification and recovery
- Notify affected individuals per your legal and regulatory obligations
- Notify relevant regulators (HHS for HIPAA, state AG for state breach notification laws)
- Monitor for continued threats (attackers often try to re-enter through the same or similar vectors)
- Conduct a post-incident review to document what happened, what worked, and what to improve
What NOT to do during a breach.
Do not pay the ransom without consulting your insurance carrier and legal counsel first. Paying doesn't guarantee data recovery. It funds criminal operations. It may violate OFAC sanctions. And it marks you as someone who pays, making you a target for repeat attacks.
Do not wipe systems before forensic analysis. You're destroying the evidence needed to understand what happened and prevent it from happening again.
Do not try to negotiate with the attacker yourself. If negotiation is necessary (sometimes it is), let a professional handle it.
Do not assume it's over because the symptoms stopped. Attackers establish persistence. They create backdoors. They come back. A professional investigation confirms eradication.
Do not hide the breach. Cover-ups routinely come out, and when they do the cover-up is punished harder than the breach itself. Be transparent, be timely, and follow the law.
Tools and resources for incident response.
Free tools:
- CISA Incident Response Playbooks — written for federal civilian agencies, but the structure adapts to any organization
- Wazuh — open source SIEM for detecting indicators of compromise
- Velociraptor — open source endpoint forensics and investigation tool
- YARA Rules — pattern matching for malware identification
- The DFIR Report — real-world intrusion analysis reports (learn from others' incidents)
Who to contact:
- FBI IC3: ic3.gov (internet crime reporting)
- CISA: cisa.gov/report (vulnerability and incident reporting)
- Illinois Attorney General: illinoisattorneygeneral.gov/consumer-protection/data-breach (state breach notification)
Cyber insurance (if you don't have it yet):
- Coalition — cyber insurance designed for SMBs
- At-Bay — cyber insurance with active risk monitoring
- Talk to your existing insurance broker about adding a cyber liability endorsement
The best incident response is the one you never need.
Everything in this article is reactive. It's what to do after the fire starts.
The better investment is prevention: MFA, training, endpoint detection, tested backups, and a security assessment that finds the gaps before an attacker does.
We help businesses build both: the prevention program that stops most attacks, and the response plan that limits the damage when something gets through.
The assessment is free. The response plan is part of what we build. And this article is yours to print, share, and distribute to your team.
(773) 417-9994 or southsidechisolutions.com