What to Do After a Data Breach:
A Small Business Playbook

The moment you realize something is wrong is terrifying. But the actions you take in the next 24 hours will have more impact on the outcome than almost anything else. Here's exactly what to do.

It might start with an employee noticing something strange. Or ransomware showing up on a screen. Or a call from your bank about transactions you don't recognize. Or — the worst way to find out — a customer telling you their credit card was compromised after shopping with you.

However you find out, the first feeling is panic. That's normal. But what you do in that initial window matters enormously. Businesses that handle a breach well come out the other side battered but intact. Businesses that handle it poorly — that delete logs, wait too long to notify, or ignore the problem hoping it goes away — end up in a much worse place: regulatory fines, lawsuits, and customers who never come back.

After 30+ years in IT, we've helped businesses of all sizes navigate the aftermath of security incidents. This is the playbook we wish every small business owner had on hand before they needed it.

The good news: a breach doesn't have to be the end. A lot depends on how you respond.

Stop the Bleeding — Without Making It Worse

The instinct when something goes wrong is to fix it fast. But in a breach, "fixing it fast" can actually destroy evidence you'll need later for legal, insurance, and forensic purposes. The goal in the first 24 hours is to contain, not cure.

Isolate affected systems, but don't shut them down. Disconnect compromised computers or servers from your network — unplug the Ethernet cable, disable the Wi-Fi connection. But resist the urge to power them off. When you shut down a machine, you lose volatile memory (running processes, network connections, encryption keys) that may contain forensic clues about what happened. Leave them on, just isolated.

Document everything, right now. Write down (or photograph) what you're seeing, what time it is, who noticed it, and what actions have been taken. If this ends up in a legal or regulatory process, timestamps matter. Don't skip this step because you're in firefighting mode.

Make three calls: your IT provider, your attorney, and your insurance carrier. In that order, ideally within the first hour. Your IT team or an incident response specialist needs to get eyes on the situation immediately. Your attorney can help you understand your notification obligations and protect communications under privilege. Your insurance carrier — if you have cyber insurance — has resources to help and a process you need to follow to ensure your claim is valid. Calling them late can jeopardize coverage.

Change passwords — but do it smart. If you know which accounts were compromised, start there. But don't just change the password on the affected account. Assume the attacker may have used it to pivot elsewhere. Change passwords on all administrative accounts, your email system, and anything the affected user had access to. And enable multi-factor authentication everywhere you can, right now.

Don't delete anything. Not logs. Not emails. Not files that look suspicious. Preserve everything. You'll need it.

Understand What Actually Happened

Once you've contained the immediate situation, you need to understand its scope. This is the investigation phase, and it's where most small businesses underestimate the work involved.

What data was accessed? This is the most important question. Customer information? Employee records? Financial data? Credit card numbers? Health information? The type of data involved determines your legal obligations. Don't assume the worst — but don't assume the best either. Get the facts.

How did they get in? Phishing email that someone clicked? Stolen credentials? A vulnerability in an unpatched system? A misconfigured remote access tool? You can't prevent a recurrence until you know the entry point. If your internal IT team can't determine this, bring in a forensic specialist. Many cyber insurance policies cover this cost.

Are they still in your systems? Attackers often establish persistence — backdoors, hidden user accounts, remote access tools — before you know they were ever there. A thorough investigation needs to check for this. Finding and removing an active intrusion is very different from cleaning up after one that's already over.

Audit all user accounts and access. Look for accounts you don't recognize. Look for accounts with new admin privileges. Look for email forwarding rules that shouldn't be there (attackers commonly set these up to silently copy email to an outside address). Review who has access to what — and revoke anything that's excessive or no longer needed.
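As an added example, not code from the original post, here is a small Python script that runs the three checks above (unrecognised accounts, newly granted admin rights, mail forwarded outside the company) over a constructed export of accounts and mailbox rules; the field names, the known-user list, the company domain, the sample data and the 30-day lookback window are all assumptions.

```python
"""Triage a constructed account/mailbox-rule export for the red flags a
post-breach access audit looks for. Added example; field names and data
are assumptions, not any specific directory or mail platform's format."""
from datetime import datetime, timedelta

# Constructed sample data. In practice these come from your directory
# and mail platform's admin exports.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "svc-backup"}
COMPANY_DOMAIN = "example.com"

ACCOUNTS = [
    {"user": "alice", "admin": True, "admin_since": "2021-03-02"},
    {"user": "bob", "admin": False, "admin_since": None},
    {"user": "carol", "admin": True, "admin_since": "2024-05-30"},     # new admin
    {"user": "helpdesk2", "admin": True, "admin_since": "2024-05-29"}, # unknown user
]
FORWARDING_RULES = [
    {"user": "bob", "forward_to": "bob@example.com"},                    # internal
    {"user": "carol", "forward_to": "c.arol.mail@gmail-lookalike.test"}, # external
]

def recently_granted(admin_since, as_of, window_days=30):
    """True if admin rights were granted within the lookback window."""
    if not admin_since:
        return False
    granted = datetime.strptime(admin_since, "%Y-%m-%d")
    return as_of - granted <= timedelta(days=window_days)

def triage(accounts, rules, known, domain, as_of):
    """Return (user, reason) findings that deserve a human's attention."""
    findings = []
    for a in accounts:
        if a["user"] not in known:
            findings.append((a["user"], "account not in known-user list"))
        if a["admin"] and recently_granted(a["admin_since"], as_of):
            findings.append((a["user"], "admin rights granted recently"))
    for r in rules:
        # Anything forwarded to a domain other than ours is a classic
        # sign of an attacker silently copying mail out of the business.
        target_domain = r["forward_to"].rsplit("@", 1)[-1].lower()
        if target_domain != domain:
            findings.append((r["user"], f"forwards mail to external domain {target_domain}"))
    return findings

def sample_findings():
    """Run the triage over the constructed data as of a fixed date."""
    return triage(ACCOUNTS, FORWARDING_RULES, KNOWN_ACCOUNTS,
                  COMPANY_DOMAIN, datetime(2024, 6, 1))

if __name__ == "__main__":
    for user, reason in sample_findings():
        print(f"{user}: {reason}")
```

Every finding is a lead to verify with the account owner, not proof of compromise; the script narrows the list so the people doing the audit start with the accounts and rules that most need explaining.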

This is also a good moment to revisit your overall security posture. Our Cybersecurity Essentials guide covers the layered protections that make these kinds of investigations much easier — because you actually have logs and monitoring in place.

You Probably Have to Notify People — and the Clock Is Already Running

Here's something that surprises a lot of small business owners: data breach notification is not optional. All 50 states now have breach notification laws. Depending on the data involved, federal regulations may apply too. And "I'm a small business" is not an exemption.

The specifics vary by state and by the type of data, but the general shape is this: if personal information about your customers or employees was compromised, you have to tell them — and you usually have a defined window to do it. Some states require notification within 30 days. Others give you 45 or 60 days. A few have 72-hour requirements for certain sectors.

If you take credit cards and cardholder data was involved, you have obligations under PCI DSS as well — including notifying your payment processor. If you work with health information in any capacity, HIPAA applies and the HHS Office for Civil Rights may need to be notified.

This is why you called your attorney in the first 24 hours. They can help you figure out exactly what you're required to do and by when, so you're not guessing.

When you notify affected people, be honest and specific. Tell them what type of information was involved, when it happened, what you've done to address it, and what steps they can take to protect themselves (credit monitoring, changing passwords). Don't minimize it. Don't be vague. People can usually handle hard news — what they can't forgive is finding out you knew and buried it.

Transparency isn't just the ethical choice here. It's often the strategically smart one. Businesses that communicate openly during a breach tend to retain more customer trust than businesses where the breach gets revealed by someone else later.

Remediate, Rebuild, and Don't Repeat It

Once containment and notification are underway, you move into remediation. This is where you fix the underlying problem — not just the symptoms.

Patch and update everything. If the attacker got in through a vulnerability in unpatched software, patch it. But don't stop there — audit every system for pending updates. A breach is a hard wake-up call to get current on patches you've been deferring.

Rebuild compromised systems clean, don't just scan them. If a server or workstation was actively compromised, the only way to be fully confident it's clean is to rebuild it from a known good backup or fresh installation. Malware can hide in places that security scans miss. This is painful, but it's the right call.

Review your backup situation. If you lost data and needed to restore from backup, how did that go? Were your backups current? Did they restore cleanly? A breach is a real-world test of your backup and recovery plan. If it revealed gaps, now is the time to fix them. Check out our post on what a real backup strategy looks like — and specifically, why backups that have never been tested are backups you can't count on.

Document the incident thoroughly. Write up what happened, when, how you found out, what the investigation revealed, what notifications were sent, and what you did to remediate it. This documentation serves multiple purposes: it supports your insurance claim, it demonstrates good faith to regulators, and it's the foundation for making sure you don't end up in the same situation again.

File your cyber insurance claim. Do this promptly and thoroughly. Keep records of all costs related to the breach: IT forensics, legal fees, notification letters, credit monitoring services you provided to affected customers, lost revenue. Cyber insurance policies typically cover a significant portion of these if you've followed their incident reporting process.

Do a real post-mortem. Once the dust settles, gather the people involved and work through what happened. Not to assign blame, but to understand the chain of events and identify what changes would have prevented this or caught it sooner. Then actually make those changes.

The Best Time to Prepare Was Before the Breach

Going through a breach response without a plan is like trying to build a fire escape while the building is burning. It's survivable, but it's much harder than it needs to be.

An incident response plan doesn't need to be a hundred pages. It needs to answer a few key questions: Who gets called and in what order? Who has authority to take systems offline? Where are the contact numbers for your attorney and insurance carrier? Who is the spokesperson for external communications?

Write that document. Put it somewhere people can find it when systems are down (hint: not only on the network drive that might be compromised). Review it once a year.

Beyond the plan, the investments that most reduce breach risk — and breach impact — are also the ones that make your daily operations more reliable: multi-factor authentication on every account that touches sensitive data, proper endpoint protection instead of just antivirus, regular patching, and monitoring that actually tells you when something is wrong. We cover all of this in our Cybersecurity Essentials guide if you want the full picture.

We've seen businesses devastated by breaches that would have been minor incidents with the right safeguards in place. We've also seen businesses navigate serious incidents gracefully because they had a plan, had backups, and had someone they trusted on the phone within the hour. The difference isn't luck — it's preparation.

If you don't have a written incident response plan, if you're not sure what data you'd need to notify people about, or if your security posture gives you any doubt at all: that's a conversation worth having now, not after something goes wrong.

Don't Wait Until It Happens to Have a Plan

We help small businesses prepare for the worst — so if it happens, you're not figuring it out in real time. A free conversation with us can tell you where your biggest gaps are and what to address first.

Let's Talk — It's Free