You Just Found a Breach. What You Do in the First Hours Decides How Bad It Gets
Incident responders agree on the playbook: treat it as real, contain without destroying your own case, and avoid the three mistakes that turn a bad day into a bad quarter. Here is that playbook, sized for a small business.
By William Bradshaw | July 6, 2026 | 10 min read
It usually starts small. A login from a country where you have no staff. A server that reboots itself on a Friday afternoon. An employee who mentions, in passing, that a file share looks strange. Most days there is an innocent explanation, and that is exactly what makes the real thing dangerous: the moment of discovery is also the moment of maximum temptation to treat a breach as a routine IT problem. Every organization eventually runs this play. The ones that come through it well decided how they would run it long before the Friday afternoon arrived.
A recent expert roundup on the Emsisoft blog, Responding to a Cyber Breach: Expert Advice by Luke Connolly (Emsisoft is one of the anti-malware vendors we work with), put a blunt scenario to three practitioners: a ransomware group is inside your network. What now? The experts, Michelle Micor of FTI Consulting, Sezaneh Seymour of Coalition, and Tammy Harper of Flare, come at the question from communications, insurance, and threat intelligence respectively, and their answers converge on the same playbook.
This guide organizes that playbook for a small business: what to do in the first hours, the mistakes that reliably make an incident worse, and the preparation that determines whether recovery takes days or months. If you run IT for an Ohio township, fire district, or other political subdivision, statutory duties stack on top of everything here; our companion guide to incident response plans for Ohio public entities covers those clocks in detail.
Treat It as Real and Activate the Plan
The first decision is the one most organizations get wrong by default: whether this is an incident at all. Sezaneh Seymour, who leads regulatory risk and policy at the cyber insurer Coalition, is unambiguous on this point. Treat unusual activity as a genuine incident from the moment you see it, and engage expert responders immediately rather than waiting for certainty. The early hours are when containment is cheapest and recovery options are widest, and they are spent best by people who handle intrusions every week, not once a decade.
Michelle Micor of FTI Consulting gives the same instruction from the communications side: activate your incident response plan right away. The plan is what turns a panicked huddle into an organized response, because it already names who leads, who decides, and who calls whom. An organization improvising those answers at 5 p.m. on a Friday is already behind the attacker, who is not improvising at all.
One call belongs at the top of every contact tree: your cyber insurance carrier's breach hotline, before any outside vendor. Most policies require it, and the carrier will route you to approved incident responders and breach counsel, often at negotiated rates. Engaging your own vendors first can jeopardize coverage at the exact moment you need it most. If you do not have a written plan with that contact tree in it, that is not a reason to skip the steps below; it is the strongest possible argument for the preparation section at the end of this guide, and it is the first thing our security consulting practice builds with a client.
The First-Hours Playbook: Contain Without Destroying Your Own Case
Tammy Harper, a senior threat intelligence researcher at Flare, frames the first hours as a balancing act: restrict the attacker's movement without making changes that hide the scope of the intrusion from the people who have to investigate it. Containment and evidence preservation happen together, or the second one does not happen at all.
Isolate affected hosts from the network
Disconnect compromised machines from the network rather than powering them off. Pulling the network cable (or disabling the port or Wi-Fi) stops attacker movement while preserving the memory and disk state investigators need. Powering off destroys volatile evidence.
Disable affected accounts, do not delete them
Suspend compromised user and service accounts to cut off access. Deleting them erases the audit trail of what the attacker did with them, which is evidence your responders and your insurer will both need.
Preserve logs and system state
Firewall logs, authentication logs, mail logs, endpoint alerts: capture and protect them now, before rotation or a well-meaning cleanup overwrites them. The investigation, the insurance claim, and any legal obligation all rest on this evidence.
Do not wipe and rebuild yet
Reimaging a compromised machine feels like progress, but done too early it destroys the evidence of how the attacker got in, which means you cannot close the door they used. Rebuild after scoping, on the responders' schedule, not before.
Avoid sweeping changes before the scope is understood
Harper's central warning: do not make major changes until you understand how far the intrusion reaches. Big, visible moves made blind tend to alert the attacker and obscure the trail at the same time, the worst of both worlds.
Notice what every one of these steps assumes: that you know what is on your network. You cannot isolate a host you never inventoried, and you cannot scope an intrusion against an asset list that lives in one person's head. That inventory is the quiet foundation of the whole playbook, and it is exactly what a network assessment produces before you ever need it under pressure.
The Three Mistakes That Make a Breach Worse
Asked what organizations get wrong after discovering a breach, the three experts each named a different failure, and together they map the three ways a recoverable incident becomes an expensive one.
Communicating externally before you understand what happened
Micor's warning from the communications trenches: organizations under pressure to say something announce conclusions the facts have not caught up with, then spend weeks issuing corrections. Every correction erodes credibility and makes customers, partners, and regulators wonder what else leadership got wrong. Say what you know, be honest about what you do not, and let the facts lead the statements rather than chase them.
Rushing toward payment or restoration before scoping the damage
Seymour's warning from the insurance side: deciding to pay a ransom, or to restore from backups, before you know the intrusion's scope and whether those backups are intact is deciding blind. It weakens your negotiating position, and a restore onto a network the attacker still controls simply hands them the recovered environment. Validate the backups and scope the damage first; our business continuity practice exists so that validation happened months before the incident instead of during it.
Remediating so fast you tip off an attacker who is still inside
Harper's warning from threat intelligence: resetting every password and deleting the malware you can see feels decisive, but ransomware operators routinely hold secondary access paths precisely for this moment. Visible remediation tells them they have been found, and an attacker who knows that escalates, exfiltrates, or detonates. Coordinate remediation with your responders so every door closes at once, not one at a time with warnings in between.
A Breach Is a Business Crisis, Not an IT Ticket
The thread running through all three experts' advice is that a breach is a business problem that happens to have a technical cause. Seymour makes it explicit: effective response requires coordination across IT, legal, communications, finance, and leadership, each owning decisions the others cannot make for them. In a small business those may be five hats on three heads, but the roles still exist, and the plan names them.
| Role | First-hours job | Decisions they own |
|---|---|---|
| Leadership | Convene the response, clear obstacles, resist panic decisions | Business priorities, spending authority, ransom posture |
| IT / technical lead | Contain, isolate, preserve evidence with the responders | Technical containment actions and their sequencing |
| Legal counsel | Establish privilege, identify notification obligations | Regulatory and contractual notification decisions |
| Communications | Hold the line: one spokesperson, no premature statements | What is said, when, and to whom |
| Finance / operations | Track costs, keep payroll and critical operations moving | Emergency spending, manual-process fallbacks |
| Insurer + external responders | Forensics, negotiation, breach counsel coordination | Investigation scope, remediation sequencing, claim handling |
The table is the argument for writing the plan down. None of these assignments can be negotiated during the incident without burning the hours that matter most, and several of them (privilege, insurer notification, the ransom posture) go badly by default if nobody owns them.
Recovery Begins Before the Attack
All three experts land on the same closing point: the organizations that fare best in a breach made their most important moves before it happened. A tested response plan, backups that are known to restore, and expert relationships established in calm weather are what separate a disruptive week from an existential quarter. Everything in the first-hours playbook runs faster and cleaner when the preparation exists.
That preparation is a short, concrete list. A written incident response plan with the roles and the contact tree from the table above, walked through in an annual tabletop exercise so the people named in it have rehearsed their parts: that is the core of what our security consulting practice builds. Backups that are segmented from the production network and restore-tested on a schedule, so the "are the backups intact?" question already has a documented answer. A current asset inventory from a network assessment, so scoping starts from a map instead of a guess.
Add recurring visibility: a scheduled vulnerability scan finds the exposed services and unpatched systems attackers use to get in, before they do. The open-source netvuln-tool scanner produces that baseline at no license cost, and the managed collection portal keeps the reports current and reviewable so the evidence exists when the insurer or the responders ask for it. And train the workforce that will see the first signs: an employee who reports a strange email in minutes is worth more than any appliance, which is why security awareness training and phishing simulation sit alongside the technical controls rather than behind them.
Frequently Asked Questions
Should we pay the ransom?
Not as a first move. Scope the damage and validate the backups before any payment or restoration decision; deciding without those facts weakens your position and forecloses options. Payment is a business and legal call made with your insurer, counsel, and responders, and it guarantees nothing. Public entities face additional legal restrictions covered in our Ohio guide.
Who do we call first?
Your cyber insurance carrier's breach hotline, before any outside vendor. Most policies require it, and the carrier routes you to approved responders and breach counsel. Then the incident response firm and legal counsel from your contact tree.
Should we reset all passwords immediately?
Not network-wide, and not immediately. Mass resets before scoping tip off an attacker who may still hold hidden access, prompting escalation. Isolate the affected accounts and hosts, then rotate credentials in a coordinated sweep once the scope is known.
How fast do we have to notify anyone?
The insurer immediately. Regulatory and contractual clocks vary by state, industry, and data type, so confirm yours with counsel while writing the plan, not during the incident. And do not communicate externally ahead of the facts. Ohio political subdivisions have statutory clocks covered in our companion guide.
How do we prepare before an incident happens?
A written, exercised plan; an annual tabletop; restore-tested and segmented backups; a current asset inventory; recurring vulnerability scanning; established insurer and responder relationships; and a workforce trained to report early. All of it costs less before the incident than during one.
Have the Plan Before You Need It
Bullium helps small businesses build the preparation this guide describes: a written incident response plan sized for your team, a tabletop exercise that proves it works, restore-tested backups, and the asset inventory and recurring scans that make scoping possible. The first conversation costs nothing but the hour.
Related Reading
Incident Response Plans for Ohio Public Entities
Run a township or fire district? Statutory notification clocks stack on top of this playbook. The companion guide.
5 Common Security Mistakes SMBs Make
The gaps that let the breach happen in the first place, and how to close them before they are exploited.
Your Employees Are Your Biggest Security Risk
The workforce that reports a strange email in minutes is your best early-warning system. Building it.
What a Phishing Simulation Actually Reveals
Phishing is still the number-one way attackers get in. Testing how your team responds before an attacker does.
Related Services
Security Consulting
Write the incident response plan, run the tabletop that exercises it, and close the gaps it exposes.
Business Continuity & Disaster Recovery
Backups that are segmented, restore-tested, and documented, so the recovery question is already answered.
Network Assessment
The asset inventory scoping depends on: every host, device, and service documented before you need the map.
netvuln-tool Platform
Recurring vulnerability scanning that finds the way in before an attacker does, with reports kept current.