What to Do in the First 24 Hours After a Cyber Attack on Your Business
A plain-English guide to the first 24 hours after a cyber attack: what to do, what to avoid, and the plan every North Texas business owner needs before it happens.
It is a Tuesday morning. You walk into your McKinney office, open your laptop, and nothing works. Files have names like RESTORE_INSTRUCTIONS.txt and your accounting system will not launch. There is a phone number on the screen and a Bitcoin wallet address. Your employees are standing around asking what to do. You have less than an hour to make the most important decisions of your business career.
This is the moment every business owner thinks happens to someone else. In North Texas in 2026, it happens roughly every six minutes to a small or mid-sized company somewhere in the Dallas-Fort Worth area. The FBI's Internet Crime Complaint Center logged more than 880,000 cybercrime complaints last year, and the small business segment is where attackers focus most of their effort because the defenses are thinner and the ransoms arrive faster.
What you do in the first twenty-four hours after a cyber attack does more to determine whether your business survives than every dollar you have spent on security up to that point. Quick, calm, documented response can turn a six-figure disaster into a two-day inconvenience. Panicked, undocumented response can turn a two-day inconvenience into a six-figure disaster. The difference is not luck. The difference is having a plan and knowing what to do before the screen goes dark.
This guide walks through exactly what those first twenty-four hours should look like, written for the business owner, operations manager, or controller who needs to lead the room, not for the technical team doing the hands-on work.
What Incident Response Actually Means in Plain English
Incident response, sometimes shortened in industry materials to IR, is the formal process of detecting, containing, and recovering from a cyber attack on your business. It is a deliberate sequence of steps with defined roles and documentation requirements. It is not a tech team scrambling at a keyboard. It is a coordinated business response that involves leadership, legal counsel, insurance, communications, and the technical team, all working from the same playbook.
A good incident response plan answers four questions before an attack ever happens. Who picks up the phone and calls whom. What gets shut down first and in what order. What gets written down and where. Who talks to customers, employees, vendors, and the press. If any of those four questions does not have a one-sentence answer at your business today, you are operating without a plan. That is the case for roughly four out of five small and mid-sized businesses in Collin County and the wider DFW area, based on our intake conversations over the last twelve months.
Incident response is also a legal posture. The decisions you make in the first six hours after a breach decide whether your cyber insurance carrier covers your loss, whether regulators consider your response reasonable, and whether your business is exposed to class-action litigation from affected customers. The technical recovery matters. The legal record of your response matters at least as much.
The First Hour Is About Containment, Not Heroics
The single most common mistake business owners make in the first hour is trying to fix it themselves. Someone reboots a server hoping it will come back clean. Someone deletes the suspicious file. Someone pays the ransom because they read online that paying is faster. Every one of those instinctive moves makes the situation worse, and most of them destroy the evidence your insurance carrier and your forensics team will need to actually save your business.
The first hour has one job, and that job is containment. Containment means stopping the spread, not undoing the damage. You assume the attacker is still inside your network and you act to wall them off. That means disconnecting affected machines from the network rather than powering them down. Powering down a compromised machine erases the memory-resident evidence, such as running processes, open network connections, and sometimes the keys the ransomware used, that tells the forensics team how the attacker got in, what they touched, and what they took. Disconnecting it from the network, by pulling the ethernet cable, disabling the wireless, or using the isolation feature in your endpoint protection software, walls the machine off while preserving that evidence. Power a machine off only if you have no way to disconnect it, which is the same order of operations the Cybersecurity and Infrastructure Security Agency gives in its ransomware guidance. Do not let anyone log in and start poking around on the affected machine, and do not let anyone wipe or reimage it until the forensics team says so.
The second move in the first hour is to call your incident response partner before you call anyone else. If you do not have one on retainer, you are calling cold, which costs roughly four times as much per hour and adds critical hours of delay while the firm onboards. This is why an incident response partnership built on a 24/7 managed security operations center matters so much. A managed SOC, short for security operations center, is a team that watches your network around the clock, detects anomalies in real time, and already has the access and the context it needs to act when something goes wrong. For a deeper comparison of how this looks against running detection in-house, read our breakdown of managed SOC versus in-house SOC.
The third move in the first hour is to start the written log. Use a notebook or a fresh document that is not stored on the compromised network. Write down everything, with the date and time on every entry, in one consistent time zone. Time of first observation. Who reported it. What was visible on the screen. What you disconnected and when. Who you called and what they said. This log is the foundation of every legal, insurance, and regulatory action that will follow.
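As an added example, not part of the original guide, here is a small PowerShell script the technical team could keep on a USB drive for the containment step and the written log described above. It writes a timestamped incident log entry, snapshots the volatile state that a power-off would destroy (running processes, open network connections, and the adapter list), and then disables every network adapter so the machine is cut off but left running. The log location D:\IR and the script name are assumptions; it must run as Administrator on the affected Windows machine, and if your endpoint protection product has a network-isolation feature, prefer that, because it keeps the security team's own channel open while this script cuts everything.

```powershell
# isolate-host.ps1 (added example, assumed name). Run as Administrator on the affected machine.
# Writes the log and evidence snapshots to a drive that is NOT on the compromised network
# (D:\IR is an assumption: a USB stick plugged in for this purpose).
param(
    [string]$LogRoot  = "D:\IR",
    [string]$Reporter = $env:USERNAME
)

$stamp    = Get-Date -Format "yyyy-MM-ddTHH-mm-ss"
$hostName = $env:COMPUTERNAME
$evidence = Join-Path $LogRoot "$hostName-$stamp"
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
$log = Join-Path $evidence "incident-log.txt"

function Write-IrLog([string]$Message) {
    # Every entry is stamped in ISO 8601 with the local offset, so it lines up with SOC and carrier records.
    "$(Get-Date -Format o)  $Message" | Add-Content -Path $log
}

Write-IrLog "isolate-host started on $hostName by $Reporter"

# 1. Snapshot volatile state BEFORE touching the network. This is what a reboot or power-off erases.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
    Export-Csv -Path (Join-Path $evidence "processes.csv") -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path (Join-Path $evidence "tcp-connections.csv") -NoTypeInformation
Get-NetAdapter |
    Select-Object Name, InterfaceDescription, Status, MacAddress |
    Export-Csv -Path (Join-Path $evidence "adapters-before.csv") -NoTypeInformation
Write-IrLog "volatile snapshot written to $evidence"

# 2. Contain: disable every adapter that is up. The machine stays powered on so memory is preserved.
foreach ($adapter in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) {
    Disable-NetAdapter -Name $adapter.Name -Confirm:$false
    Write-IrLog "disabled network adapter '$($adapter.Name)' ($($adapter.InterfaceDescription))"
}

Write-IrLog "host isolated; leave powered on, do NOT reboot, do NOT log in, await forensics team"
Write-Host "Isolated $hostName. Log and evidence folder: $evidence"
```

Run it from the USB drive once the person who found the problem has written down what was on the screen, then hand the drive to the forensics team. The script does not take a full memory image; if your forensics provider wants one, they will bring their own tool, and this script's only job is to stop the spread without destroying what that tool needs.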
Hours One Through Six Are Where Legal and Insurance Decisions Get Made
Hours one through six are where the financial fate of the incident is usually decided. By hour two you should have your cyber insurance carrier on the phone. Read your policy now, before you need it, because most cyber policies have specific reporting windows, usually twenty-four to seventy-two hours, and missing that window can give the carrier grounds to deny the claim. Your carrier will assign a panel counsel, which is a law firm pre-approved by the insurance company to handle breach response. Use them. Going outside the panel often forfeits coverage of legal costs.
Once panel counsel engages and retains the forensics firm, the investigation can be structured so that its findings, the assessment of what the attacker took, and the discussions about how to communicate the breach are protected by attorney-client privilege and the work-product doctrine if a class action lawsuit appears. That protection is not automatic. Courts have ordered forensic reports handed over when the report was commissioned by the business rather than by counsel, was used for ordinary operational purposes, or was circulated widely. So let counsel engage the forensics firm, keep the report's distribution narrow, and keep technical status updates factual. Without counsel involved early, every email and every report your technical team writes is potentially evidence in a future lawsuit.
By hour three you need a clear picture of what data was potentially exposed, because that drives every regulatory deadline that follows. If you handle health information, HIPAA, short for the Health Insurance Portability and Accountability Act, requires you to notify affected patients without unreasonable delay and no later than sixty days after you discover the breach, and to notify the federal Department of Health and Human Services within the same sixty days if five hundred or more individuals are affected (smaller breaches are reported to HHS annually). The clock starts at discovery, which means the day you knew, or reasonably should have known, that protected health information was compromised. If you take credit cards, the Payment Card Industry rules, which are the contractual security standards every business that accepts cards must follow, require you to notify your card brands and your processor. Texas breach notification law requires you to notify affected Texas residents without unreasonable delay and no later than sixty days after you determine that a breach occurred, and if two hundred fifty or more Texas residents are affected, to notify the Texas Attorney General within thirty days. Non-bank financial institutions covered by the Federal Trade Commission's Safeguards Rule must notify the FTC within thirty days of discovering a breach affecting five hundred or more consumers, and publicly traded businesses must report a cyber incident to the Securities and Exchange Commission on Form 8-K within four business days of deciding it is material. A structured compliance posture before the breach makes this hour vastly easier because you already know what data you have and which regulators care.
By hour six the technical containment should be holding and the forensics team should be engaged. You should have a preliminary scope. Which systems are confirmed compromised, which are suspected, and which appear clean. This is also the hour where the question of ransom payment, if applicable, gets seriously discussed with counsel and the carrier. The Treasury Department's Office of Foreign Assets Control has warned that paying a ransom to a sanctioned group can violate federal sanctions law, and the penalties can apply even if you did not know who you were paying, so this is never a decision the business owner makes alone.
Hours Six Through Twenty-Four Are About Communication and Recovery
The second half of the first day is about communication and the start of real recovery. By now you should have a recovery posture. Are your backups intact and reachable from a clean environment? Modern ransomware specifically targets backup systems before encrypting production data, so the question of whether your backups survived the attack is one of the most critical questions of the entire incident. Air-gapped or immutable backups, which means copies that cannot be modified or deleted by an attacker even with administrative credentials, are the single most powerful recovery posture a small business can adopt. Without them, you are negotiating with the attacker or rebuilding from scratch.
Communication in the first day requires three distinct messages. The first is internal, to your employees. They need to know what happened in plain language and who to talk to if a customer asks. Silence breeds rumor and rumor leaks to social media within hours. The second message is to your critical customers and vendors, under the guidance of counsel and limited to what is operationally necessary. The third message, if required, is public. In every case, the message is shorter than your lawyers wish and longer than your communications team wishes.
A small accounting firm in Plano that we worked with in late 2025 illustrates how this plays out. The firm was hit on a Friday afternoon, which is the most common attack timing because the response team is thinnest. Their managed security partner contained the incident within forty minutes. The owner, who had reviewed the response plan twice that year, called the carrier at hour two and panel counsel at hour three. Backups, which were immutable and stored off-site, restored the production environment by Monday morning. Total downtime was sixty-three hours, total customer-facing communication was a single email under attorney guidance, and the cyber insurance carrier covered the recovery cost in full. Three other firms hit the same weekend that did not have plans lost an average of eleven business days. One of them did not survive the year.
Most attackers do not break in by guessing passwords. They walk in through an email. A finance staffer clicks an invoice attachment from what looks like a known vendor, the attachment quietly installs a foothold, and forty-five days later the ransomware payload deploys. This is why hardening your email gateway and monitoring the dark web for credentials already up for sale are two of the highest-return cybersecurity investments a small business can make.
The Plan You Need Before It Happens
Everything described above only works if it is written down before the attack. A working incident response plan for a small or mid-sized business typically runs ten to twenty pages and answers, by name and phone number, every question the first twenty-four hours will raise.
The plan starts with a clearly named incident commander, usually the business owner or a senior operations leader, not the technology lead. The incident commander makes the business decisions, the technical team executes the technical work, and the legal team handles the legal posture. Confusing these three roles is the single most common reason for slow response.
The plan names the response partners by phone number. Your managed security partner with after-hours contact. Your cyber insurance carrier and policy number. Your panel counsel firm and lead attorney. Your forensics provider, either through the carrier or on direct retainer. Each of these needs a name, a number, and a clear understanding of what they do when called.
The plan documents your data inventory. What sensitive data you hold, where it lives, who has access to it, and which regulatory regimes apply. This is the question that takes weeks to answer in the middle of a breach and minutes to answer if it was answered last quarter. A vulnerability management program built around continuous scanning and a known asset inventory shortens this question dramatically because you already know what you have and where it lives.
The plan also documents your backup and recovery posture. Where backups are stored, how recently they were tested, how long full recovery takes from cold, and what your recovery time objective is for each critical system. A backup that has never been tested is not a backup, it is a hope. Most of the worst outcomes we see in McKinney and Frisco businesses involve owners who learn on day three of a breach that their backups have been silently failing for six months.
Finally, the plan is exercised. A tabletop exercise, which is a meeting where leadership walks through a hypothetical scenario step by step, takes two to three hours and exposes more gaps than any written audit. Pairing the tabletop with an annual penetration test, which is a hired expert trying to break in on purpose to find gaps before a real attacker does, gives you both the plan and the reality check that the plan actually holds up against a determined adversary.
Where Most North Texas Businesses Stand Today
Based on the engagements we run across Allen, McKinney, Plano, Frisco, and the wider DFW area, roughly one in five businesses we assess have a written incident response plan. Roughly one in ten have tested it in the last twelve months. Roughly one in twenty have both a tested plan and an established 24/7 detection partner who would actually catch the attack early enough for the plan to matter. The other nineteen out of twenty are running on the hope that it does not happen to them.
The math on that hope has been getting worse every year. The cost of a small business breach has roughly doubled in the last four years to an average of around 200,000 dollars in direct costs, with another two to three times that in indirect costs, business interruption, and lost customers. The full cost picture of a small business data breach in 2026 is worse than most owners realize until they live through one. The good news is that the cost of preparation is a fraction of the cost of one bad incident, and the preparation itself is straightforward work that can be completed over a single quarter.
Your Next Step
A cyber incident is the kind of business event that you only get one chance to handle well. The first call after the screen goes dark is the most important call your business will ever make, and the best time to identify who that call goes to is right now, while nothing is on fire. If you want a no-cost, no-pressure conversation about what a workable plan looks like for your business, the fastest way to start is to schedule a free cybersecurity assessment or reach our team directly. You can call us at 512-518-4408 or use our contact page to send a few details about your environment. We respond same business day. If you read this guide and made one phone call, you are dramatically better prepared than the eighty percent of North Texas businesses operating without any plan at all.
Mark Sullivan
Innovation Network Design
With nearly a decade in cybersecurity and IT infrastructure, our team delivers expert insights to help businesses in McKinney, Dallas, and across DFW make informed security decisions. Have a question? Get in touch.