Person in a dark hoodie typing on a keyboard with multiple screens displaying digital graphics in a dim room.

What to Do in the First 24 Hours After a Cybersecurity Breach

July 15, 2026

At 7:43 AM on a Tuesday, a construction company controller in St. Joseph opened what looked like a routine invoice from a supplier—by 9:15 AM, their accounting system was locked by ransomware and the attackers were threatening to publish employee Social Security numbers online. What happened in the next 24 hours determined whether this business survived the breach or joined the 60% of small businesses that close within six months of a major cyberattack. This hour-by-hour response plan gives you the exact steps to contain damage, preserve evidence, and protect your business when seconds count.

Hour 0-2: Immediate Containment and Assessment

The moment you confirm a breach, physically disconnect affected systems from your network by unplugging Ethernet cables and disabling Wi-Fi adapters—do not simply shut down machines, which can trigger encryption acceleration in some ransomware variants. Photograph all screens showing ransom notes, error messages, or unusual activity before touching anything, then identify which system was infected first to prevent further spread across your network.

Why Physical Disconnection Matters More Than Shutdown

Ransomware: Malicious software that encrypts business files and demands payment in cryptocurrency to restore access, often while simultaneously exfiltrating sensitive data to increase leverage against victims.

Some ransomware variants detect shutdown commands and accelerate encryption to lock as many files as possible before the system goes dark. Physical disconnection—pulling network cables and disabling wireless adapters—breaks the connection instantly without triggering these defensive routines. The ransomware can still encrypt files on the local drive, but it cannot spread to file servers, backup systems, or other workstations on your network.

Preserve Evidence Before You Touch Anything

Every screen showing abnormal activity is evidence that forensic specialists will need to trace the attack vector. Use your phone to photograph ransom notes, error messages, unusual login attempts, and any files or folders with changed names or extensions. These images become critical when cyber insurance adjusters and law enforcement ask exactly what you saw and when you saw it.

The Costly Mistake of Changing All Passwords Immediately

A manufacturing plant supervisor in Liberty discovered encrypted files on a production server and immediately reset passwords for every user account, believing attackers were actively logging in. This decision locked out forensic tools that could have traced the attack path and alerted the attackers to shut down backup corruption processes they had been running for weeks. Forensic specialists need access to unchanged systems to identify how attackers entered, what they accessed, and whether they planted additional backdoors.

Businesses with managed IT provider with documented response protocols avoid these mistakes because trained security teams execute containment while preserving evidence chains that insurance carriers and law enforcement require. Break-fix IT shops who answer calls at 9 AM on Tuesday but send you to voicemail at 6 PM leave you Googling 'what to do after ransomware attack' when most breaches are actually discovered—outside business hours.

Hour 2-6: Assemble Your Response Team and Document Everything

Within two hours of containment, you must assemble a response team that includes your CEO or business owner for legal and financial decisions, your IT contact or managed service provider, your cyber insurance broker, legal counsel familiar with data breach notification laws, and potentially a third-party forensic specialist. Document every action with timestamps, noting which systems are affected, what data types may be compromised, and the exact timeline from first discovery to current status.

Who Must Be on the Initial Response Call

  • CEO or Business Owner: Makes final decisions on ransom payment, public notification, business continuity measures, and legal strategy—decisions that cannot wait for committee approval
  • IT Contact or Managed Service Provider: Provides technical assessment of affected systems, backup status, and recovery timeline estimates
  • Cyber Insurance Broker: Explains coverage limits, documents required for claims, and timeline requirements that void coverage if missed
  • Legal Counsel Familiar With Breach Notification Laws: Determines which state and federal notification requirements apply based on data types compromised and your business jurisdiction
  • Forensic Specialist: Required by most cyber insurance policies to provide independent assessment of breach scope and attack methodology

What to Document With Timestamps

Cyber insurance carriers deny claims when businesses cannot prove they acted promptly and reasonably to contain damage. Your documentation must include:

  • Discovery Timeline: Exact time the breach was first noticed, by whom, and what they observed
  • Affected Systems Inventory: Specific servers, workstations, applications, and network segments that show compromise indicators
  • Data Types Potentially Compromised: Customer records, employee information, financial data, health records, or proprietary business information
  • Actions Taken: Every containment step, system disconnection, password change, and communication with timestamps and responsible party names
  • External Communications: When insurance carrier was notified, when legal counsel was engaged, when law enforcement was contacted

The $180,000 Delayed Notification Mistake

A Savannah accounting firm discovered ransomware encrypting client tax returns at 11 AM on a Thursday. The managing partner spent the afternoon calling their regular IT contractor, who was on-site at another client and promised to "stop by tomorrow." The firm finally called their cyber insurance carrier at 7 PM—eight hours after discovery. The insurance policy required notification "immediately upon discovery," which the carrier defined as "within one business hour." The carrier paid for forensics and legal counsel but denied the $180,000 claim for business interruption losses, citing the delayed notification clause.

Accounting firms need specialized breach response because they hold client tax data, financial records, and credentials for accessing bank and investment accounts—making them high-value ransomware targets. A managed IT agreement with documented response protocols and pre-mapped insurance requirements prevents the confusion and delays that cost the Savannah firm six figures in denied coverage.

Managed Detection and Response vs. Break-Fix Response Times

Response Element Managed IT Provider With MDR Break-Fix IT Shop
Initial Response Time 15-30 minutes (24/7 monitoring alerts security team automatically) 2-8 hours (depends on when you can reach them and their current workload)
Insurance Notification Pre-documented contacts, called within first hour per policy requirements Business owner responsibility, often delayed while waiting for IT assessment
Forensic Evidence Preservation Automated collection before containment, professional chain of custody Often lost or contaminated by well-meaning attempts to 'fix' the problem
Legal Counsel Coordination Pre-established relationships with breach notification attorneys Business owner must find and brief attorney from scratch during crisis
Documentation Quality Automated logging captures every action with timestamps and responsible parties Reconstructed from memory hours or days later, often incomplete or contradictory

Hour 6-12: Determine the Scope and Activate Backup Systems

Between hours six and twelve, your forensic team must determine whether data was accessed, encrypted, or exfiltrated—this distinction determines your legal notification obligations under state laws and federal regulations. Test backup integrity before attempting any restoration, because sophisticated attackers corrupt or delete backups weeks before deploying ransomware, leaving businesses with apparently successful backups that restore only corrupted files or incomplete data sets.

What Data Was Accessed vs. What Was Encrypted

Data Exfiltration: The unauthorized transfer of data from your systems to attacker-controlled servers, creating a second leverage point where attackers threaten to publish or sell your data even if you restore from backups without paying ransom.

Modern ransomware attacks typically involve two separate actions: encrypting files to disrupt operations and exfiltrating sensitive data to increase pressure for payment. Your notification obligations differ dramatically based on which occurred. Encryption alone may not trigger breach notification laws if no data left your environment. Exfiltration of customer records, employee Social Security numbers, health information, or financial data triggers mandatory notification under state laws and federal regulations.

Which Laws Require Notification Based on Data Type

  • Missouri Data Breach Notification Law: Requires notice "without unreasonable delay" when personal information—name plus Social Security number, driver's license number, or financial account number—is accessed by unauthorized parties
  • Kansas Personal Information Notification Law: Requires notification "as expeditiously as possible" for the same categories of personal information
  • HIPAA Breach Notification Rule: Requires notification within 60 days when protected health information is accessed or disclosed without authorization
  • FTC Safeguards Rule: Requires financial institutions to notify affected individuals and the FTC when customer financial information is compromised
  • Gramm-Leach-Bliley Act Safeguards: Requires notification to primary federal regulator for banks, credit unions, and other financial institutions

Businesses working with IT compliance frameworks have pre-mapped which data types they store, which regulations apply, and which notification timelines they must meet—eliminating the 6-8 hours most businesses spend researching requirements during a crisis.

The Backup Integrity Testing Process

A Kansas City professional services firm discovered ransomware encrypting their file server and immediately started restoring from their "tested" backup system. Twelve hours into restoration, they discovered the backup had been writing to a failed drive for six months—every restore attempt recovered corrupted or incomplete files. The firm had followed their break-fix IT provider's advice to "check the backup software dashboard weekly," which showed green status lights but never actually tested restore functionality.

Testing backup integrity requires these specific steps:

  1. Verify backup completion logs show successful jobs with expected file counts and data volumes
  2. Check backup dates to confirm recent backups occurred before the suspected initial compromise date
  3. Restore a small sample of files to an isolated test system completely disconnected from your production network
  4. Open and verify the restored files contain expected data and are not corrupted or encrypted
  5. Confirm that database backups include transaction logs necessary for point-in-time recovery
  6. Validate that backup retention allows you to roll back to dates prior to attacker presence in your environment

Compliant Backups vs. Inadequate Backup Practices

Backup Requirement Compliant Practice Common Inadequate Practice
Immutability Backup copies use object lock or air-gapped storage that prevents deletion or modification for specified retention period Backups stored on network-attached drives that ransomware can encrypt alongside production data
Offsite Protection Secondary backup copy maintained in different geographic location or cloud region All backup copies in same facility as production systems, vulnerable to fire, flood, or physical theft
Testing Frequency Full restoration test performed quarterly with documented validation of data integrity Monitoring dashboard checked weekly with no actual restore attempts
Retention Period Multiple generations spanning 30-90 days to allow rollback past attacker dwell time Single generation or 7-day retention that may only capture already-compromised data
Encryption Backup data encrypted in transit and at rest with keys stored separately from backups Unencrypted backup files vulnerable to theft if storage media is compromised

TS Conard's tested backup and recovery systems include quarterly restoration tests, immutable cloud copies, and documentation that satisfies cyber insurance requirements and compliance auditors—not the external hard drive your break-fix provider assured you was sufficient.

Once you determine which data was compromised, you must immediately begin preparing legally required notifications while crafting clear messages for three distinct audiences: affected customers or clients who need to understand their risk and your response, employees who will field questions and must deliver consistent information, and business partners who need operational updates about system availability and data integrity.

Missouri Breach Notification Requirements

Missouri's personal information breach notification law requires businesses to notify affected state residents "without unreasonable delay" when personal information—defined as name combined with Social Security number, driver's license number, or financial account information—has been accessed or acquired by unauthorized persons. The law does not specify an exact timeframe, but courts have interpreted "unreasonable delay" as any period longer than necessary to determine the scope of compromise and prepare accurate notifications. Businesses must also notify the Missouri Attorney General when breaches affect more than 1,000 Missouri residents.

Kansas Breach Notification Requirements

Kansas requires notification "as expeditiously as possible and without unreasonable delay" following discovery of a breach affecting personal information, which Kansas defines using similar categories to Missouri. Kansas law explicitly allows businesses to delay notification if law enforcement determines notification would impede a criminal investigation, but only for as long as law enforcement maintains that determination. Unlike Missouri, Kansas does not have a specific threshold for notifying the Attorney General, but businesses must maintain documentation proving they met the "expeditious" standard.

Federal Notification Requirements by Data Type

  • HIPAA Breach Notification Requirements: Healthcare providers, health plans, and business associates must notify affected individuals within 60 days of discovering a breach of protected health information (PHI), notify the Department of Health and Human Services within 60 days if the breach affects fewer than 500 individuals or immediately if it affects 500 or more, and notify media outlets in markets where more than 500 individuals are affected
  • FTC Safeguards Rule Notification Requirements: Financial institutions covered by the Gramm-Leach-Bliley Act must notify affected customers as soon as possible when customer information has been compromised, notify their primary federal regulator, and maintain detailed records of the breach and response actions
  • Gramm-Leach-Bliley Act: Requires financial institutions to notify customers when security measures fail, even if no actual unauthorized access is confirmed—a more stringent standard than most state laws

Three Audiences That Need Different Messages

A Maryville transportation company discovered a breach affecting customer shipping data and employee payroll information. The owner emailed customers explaining "a security incident," but employees receiving customer calls had no script and gave conflicting information—some said "just a minor glitch," others admitted "hackers stole data," and one told a caller "I don't know anything about that." Three customers posted on social media that the company was hiding a major breach. Local news picked up the story. The company spent the next six months rebuilding trust that accurate, coordinated messaging would have preserved.

Each audience needs communication tailored to their relationship with your business:

  • Affected Customers or Clients: What specific data was compromised, what risk this creates for them, what you're doing to prevent recurrence, what services you're offering (credit monitoring, identity theft protection), and exactly how they should contact you with questions
  • Employees: What they should and should not say to customers, how to route questions they cannot answer, what changes in systems or processes they should expect, and where to find updated information as the situation evolves
  • Business Partners and Vendors: If their systems might be affected or if they need to implement additional security measures, what happened without disclosing sensitive investigation details, timeline for restoring normal business operations, and confirmation that your relationship continues

The Documentation Imperative

A Savannah manufacturing company experienced a ransomware attack. The IT director worked around the clock to restore systems, communicating verbally with the leadership team about progress. Three months later, their insurance company requested documentation of response activities to support the $127,000 claim. Without timestamped records of discovery, containment measures, or restoration efforts, the insurer questioned the timeline and severity, eventually settling for only $68,000. The IT director remembered everything he'd done—but memory isn't documentation.

From the moment you discover a breach, document everything:

  • Discovery and Initial Response: When the breach was discovered, who discovered it, what indicators were observed, who was notified and when, what immediate containment steps were taken
  • Investigation Progress: What forensic activities occurred, what evidence was collected and preserved, which systems were examined, what findings emerged at each stage
  • Communication Log: Every notification sent to customers, employees, regulators, or law enforcement, with timestamps and delivery confirmation where possible
  • Remediation Actions: Security measures implemented, system changes made, vendors engaged, costs incurred with receipts and invoices
  • Decision Rationale: Why specific choices were made, what alternatives were considered, what factors influenced timing of various actions

This documentation serves multiple purposes: supporting insurance claims, demonstrating regulatory compliance, defending against lawsuits, and creating the foundation for improving your response plan based on lessons learned.

The Cost of Doing Nothing

A Mound City retail business discovered a breach on a Friday afternoon. The owner decided to "think about it over the weekend" before taking action. By Monday, encrypted files prevented opening the store. By Tuesday, customers posted on social media about declined credit cards. By Wednesday, a TV station called about the "alleged data breach." By Thursday, a law firm sent a letter about a potential class action lawsuit. The breach that could have been contained in 24 hours with coordinated response became a business-ending catastrophe.

The first 24 hours aren't just about minimizing damage—they're about survival. Every hour of delay increases financial exposure, regulatory penalties, customer defection, and reputation damage. The businesses that survive breaches aren't necessarily those with the strongest security—they're the ones that respond immediately, comprehensively, and strategically when security fails.

Moving From Reactive to Proactive

Everything in this article describes reactive measures—what to do after a breach occurs. But the businesses that handle breaches most effectively are those that prepared before they needed to respond. That means:

  • Pre-identifying your incident response team with clear role assignments
  • Pre-selecting forensic investigators, legal counsel, and PR consultants so you're not researching vendors during a crisis
  • Pre-drafting notification templates for different audiences and breach scenarios
  • Pre-establishing documentation protocols that activate automatically when a breach is suspected
  • Pre-determining your regulatory obligations under various scenarios
  • Testing your incident response plan with tabletop exercises that reveal gaps before they matter

The difference between a manageable incident and a business catastrophe often comes down to preparation. The time to build your incident response capability is now—before you're running on adrenaline, facing angry customers, and fielding calls from reporters.

Frequently Asked Questions

Should I pay a ransom if attackers encrypt my files?

This decision involves multiple factors beyond simply recovering files. Law enforcement generally recommends against paying because it funds criminal enterprises and provides no guarantee of data recovery—many victims pay and never receive decryption keys. However, some businesses facing operational shutdown make the business decision to pay. Before deciding, consult with legal counsel about regulatory implications (some sanctions make payments to certain groups illegal), determine whether your cyber insurance covers ransom payments, and have forensic experts verify that paying would actually restore access. Many businesses discover they had sufficient backups to restore operations without paying, but only after conducting proper assessment. This is another reason why pre-breach preparation matters—businesses with tested backup systems rarely face this difficult choice.

If I discover a breach but no laws require notification, should I still tell affected customers?

Legal requirements establish the minimum standard, not necessarily the right business decision. Many breaches fall into gray areas where notification isn't clearly required—perhaps only email addresses were exposed, or the breach affected fewer people than state thresholds require. However, customers increasingly expect transparency about data security. If they later discover you knew about a breach and said nothing, the trust damage often exceeds what proactive notification would have caused. Consider that lawsuits and regulatory investigations often focus on the cover-up more than the breach itself. A business decision to notify voluntarily, accompanied by clear explanation of low risk and preventive measures, often strengthens customer relationships rather than damaging them. Consult legal counsel about your specific situation, but don't assume silence is always the safer path.

How long should we preserve evidence and documentation from a breach?

Plan for a minimum of seven years, though some situations require longer retention. Lawsuits related to data breaches can be filed years after the incident, particularly as damages become apparent over time. Regulatory investigations may not begin until long after the breach. Insurance claims can involve extended negotiations. Beyond legal requirements, breach documentation provides valuable lessons for improving security and response capabilities. Create a retention policy that specifies what gets preserved, in what format, with what access controls, and for what duration. Include forensic evidence, logs, communication records, remediation documentation, and legal correspondence. Work with legal counsel to determine appropriate retention periods for your specific regulatory environment and business circumstances.

What if we discover the breach occurred months ago but we're just finding it now?

Many breaches aren't discovered until long after initial intrusion—the average dwell time between compromise and detection is measured in months. Notification timeframes under most laws begin when you discover the breach, not when it occurred. However, you should still act with the same urgency. Begin your response process immediately, even though the breach itself is old. Your forensic investigation will need to determine the scope of the historical compromise, which data was accessed over what timeframe, and whether ongoing access continues. In notifications, be honest about when the breach occurred versus when you discovered it, what delayed detection, and what you're implementing to detect future incidents faster. Delayed discovery often points to inadequate monitoring—address this in your remediation plan and communicate the improvements you're making.

Don't Wait for a Breach to Build Your Response Plan

The businesses that survive cybersecurity incidents are those that prepared before crisis struck. TS Conard helps Northwest Missouri businesses develop incident response plans, establish documentation protocols, and identify their regulatory obligations before they're needed.

Whether you need to strengthen existing security, create an incident response plan, or ensure compliance with notification requirements, we provide practical guidance based on what actually works for businesses like yours.

Schedule a Confidential Consultation