Incident Response: What to Do When Something Goes Wrong
When a breach happens, the first 60 minutes determine everything. Having a plan before you need one is the difference between a controlled response and total chaos.
The first 24 hours
Every minute matters. Here's the timeline your team should follow when a breach is confirmed.
0-1 hours
Confirm the incident is real (not a false positive). Activate the incident response team. Begin documentation.
1-4 hours
Contain the threat — isolate affected systems, block malicious IPs, disable compromised accounts. Preserve evidence.
4-8 hours
Assess scope — determine what data and systems are affected. Notify legal counsel and cyber insurance carrier.
8-12 hours
Begin eradication — remove malware, close the attack vector. Start recovery planning for critical systems.
12-24 hours
Begin restoring critical systems from clean backups. Determine regulatory notification obligations. Draft communications.
A nonprofit discovers unusual account activity on a Friday at 4:30 PM. Nobody knows who to call. The IT contractor doesn't answer weekends. The executive director doesn't know if they need to notify donors, the state attorney general, or law enforcement. By Monday, the breach has spread to their entire donor database — 12,000 records with names, addresses, and payment info. They've now violated three states' breach notification laws because they didn't report within 72 hours.
An incident response plan isn't about preventing breaches — it's about making sure a bad situation doesn't become an existential one.
The 5 phases of incident response
Based on the NIST Incident Response framework — the industry standard used by organizations of all sizes.
Preparation
Build your incident response team, define roles and responsibilities, establish communication channels, and create playbooks for common scenarios before an incident occurs. Preparation is the most important phase — the middle of a breach is the worst time to figure out your plan.
Detection & Analysis
Identify that an incident has occurred, determine its scope and severity, and collect initial evidence. The faster you detect and classify an incident, the more options you have for containment and the less damage you sustain.
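The "confirm it is real, not a false positive" step from the timeline and the detection phase above come down to looking at the evidence you already have. The script below is an added example, not code from the original page: it parses sshd-style auth log lines, groups them by source address, and flags a source that fails repeatedly and then succeeds shortly afterwards, a password-guessing pattern that is rarely a false positive. Every log line, hostname, username and IP address in it is constructed for the example; the thresholds (four failures inside ten minutes) are assumptions to tune for your environment.

```python
"""Triage helper: confirm or dismiss "unusual account activity" from auth logs.

Added example (not from the original page). Reads sshd-style syslog lines,
groups them by source IP, and flags a source that fails repeatedly and then
succeeds within a short window. All log lines, hosts and IPs are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (syslog format; the year is omitted as in real sshd logs).
SAMPLE_LOG = """\
Jan 12 16:28:01 donor-db sshd[4012]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Jan 12 16:28:04 donor-db sshd[4012]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Jan 12 16:28:09 donor-db sshd[4013]: Failed password for alice from 203.0.113.7 port 50130 ssh2
Jan 12 16:28:15 donor-db sshd[4014]: Failed password for alice from 203.0.113.7 port 50141 ssh2
Jan 12 16:28:22 donor-db sshd[4015]: Failed password for alice from 203.0.113.7 port 50150 ssh2
Jan 12 16:28:31 donor-db sshd[4016]: Accepted password for alice from 203.0.113.7 port 50161 ssh2
Jan 12 16:40:10 donor-db sshd[4020]: Failed password for bob from 198.51.100.20 port 40010 ssh2
Jan 12 16:40:30 donor-db sshd[4021]: Accepted password for bob from 198.51.100.20 port 40011 ssh2
Jan 12 17:01:44 donor-db sshd[4030]: Accepted publickey for carol from 192.0.2.5 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

LOG_YEAR = 2024  # syslog lines carry no year; assumed so events can be ordered (constructed)


def parse_auth_log(text):
    """Return a list of (timestamp, result, user, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line (cron, sudo, ...); ignore it
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def find_guess_then_success(events, min_failures=4, window_seconds=600):
    """Flag source IPs with at least min_failures failures followed by a
    success inside window_seconds. Returns a dict ip -> finding."""
    failures = defaultdict(list)
    findings = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
            continue
        # A success: count this IP's failures inside the look-back window.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            findings[ip] = {
                "user": user,
                "failures_before_success": len(recent),
                "first_failure": recent[0],
                "success_at": ts,
            }
    return findings


def triage(text):
    """'confirmed' if the guess-then-success pattern is present, otherwise
    'no-indicator' (keep looking: absence of this one signal proves nothing)."""
    findings = find_guess_then_success(parse_auth_log(text))
    verdict = "confirmed" if findings else "no-indicator"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_LOG)
    print("verdict:", verdict)
    for ip, f in findings.items():
        print(f"  {ip}: {f['failures_before_success']} failures, then login as "
              f"{f['user']} at {f['success_at']:%H:%M:%S}")
```

Run it against the sample and it confirms one source (203.0.113.7: five failures, then a successful login as alice), while bob's single typo followed by a login stays below the threshold. The verdict is deliberately two-valued: a "no-indicator" result means this particular signal is absent, not that the activity is benign, so the analysis phase continues with other sources (VPN, mail, application logs).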
Containment
Stop the bleeding. Isolate affected systems to prevent the incident from spreading while maintaining enough evidence for investigation. There are two containment strategies: short-term (stop it now) and long-term (keep it stopped while you investigate).
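Both the 1-4 hour step ("Preserve evidence") and the containment phase above ask you to keep evidence usable for the investigation while you pull systems offline. The simplest way to make copied logs and files defensible later is to hash them into a signed-off manifest at collection time and re-check the hashes whenever they change hands. The script below is an added example, not code from the original page or any tool it describes; the case id, collector name, directory layout and file contents are constructed for the walk-through.

```python
"""Preserve evidence: hash collected files into a manifest and verify later.

Added example, not part of the original page. Before a system is isolated,
re-imaged or restored, copies of its logs and suspect files are hashed so
that an investigator, insurer or counsel can later show they are unchanged.
All paths, names and contents below are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large evidence files never load into RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Walk evidence_dir and record sha256 and size for every file, plus who
    collected it and when (UTC). Returns the manifest as a dict."""
    items = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            items.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
            })
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def write_manifest(manifest, out_path):
    """Write the manifest as JSON and return its own sha256. Record that value
    out of band (printed plan, ticket) so the manifest cannot be edited silently."""
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(out_path)


def verify_manifest(manifest, evidence_dir):
    """Re-hash every item; return a list of (path, problem) for anything
    missing or altered. An empty list means the evidence is intact."""
    problems = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["path"])
        if not os.path.exists(path):
            problems.append((item["path"], "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((item["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed walk-through: collect, seal, then detect a later change."""
    with tempfile.TemporaryDirectory() as d:
        ev = os.path.join(d, "evidence")
        os.makedirs(os.path.join(ev, "logs"))
        with open(os.path.join(ev, "logs", "auth.log"), "w") as f:
            f.write("Jan 12 16:28:31 donor-db sshd[4016]: Accepted password for alice from 203.0.113.7\n")
        with open(os.path.join(ev, "suspect.bin"), "wb") as f:
            f.write(b"constructed sample bytes, not a real artifact")
        manifest = build_manifest(ev, collector="j.doe (IT contractor)", case_id="IR-EXAMPLE-001")
        seal = write_manifest(manifest, os.path.join(d, "manifest.json"))
        intact = verify_manifest(manifest, ev)   # [] right after collection
        with open(os.path.join(ev, "logs", "auth.log"), "a") as f:
            f.write("tampered\n")                 # simulate a later edit
        after = verify_manifest(manifest, ev)    # [('logs/auth.log', 'hash mismatch')]
        return intact, after, seal


if __name__ == "__main__":
    intact, after, seal = demo()
    print("before change:", intact)
    print("after change:", after)
    print("manifest sha256:", seal)
```

The manifest records who collected what and when, which is the minimum an insurer or regulator will ask for; writing the manifest's own hash into your printed incident notes gives you a fixed point that a later edit to the JSON cannot pass. Keep the manifest and the evidence copies on storage that the compromised system cannot reach.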
Eradication & Recovery
Remove the threat from your environment completely, restore affected systems from clean backups, and verify that the attacker has no remaining access. Rushing recovery without complete eradication leads to re-infection.
Post-Incident Review
Conduct a blameless post-mortem to document what happened, what worked, what failed, and what changes will prevent recurrence. This phase turns every incident into an improvement to your security posture.
Breach notification requirements
HIPAA
Notify HHS within 60 days of discovery for breaches affecting 500+ individuals. Notify affected individuals without unreasonable delay.
IRS / FTC
Tax preparers must notify the IRS, state tax agencies, and affected clients. FTC Safeguards Rule requires a written incident response plan.
State Laws
Most states require notification within 30-60 days. Some require notification to the state attorney general. Requirements vary by state.
PCI-DSS
Notify your acquiring bank and payment card brands within 24-72 hours. Engage a PCI Forensic Investigator.
Your Checklist
Print this page or screenshot it. Do one step today — you'll be ahead of 90% of people.
- Write down who to call first — your IT contact, your insurance, your legal counsel
- Know where your backups are and verify they work before an emergency
- Keep a printed copy of your plan (you may not be able to access digital files during a ransomware attack)
- Identify your most critical systems — what absolutely must come back online first?
- Document how to disconnect infected devices from your network
- Know your legal obligations — breach notification laws vary by state and industry
- Set up an alternate communication channel (personal phones, Signal) for emergencies
- Run a tabletop exercise once a year — walk through a fake scenario as a team
