Most cybersecurity advice is about prevention, and rightly so: prevention is where the real protection lives. But there is a question that sits quietly in the back of many owners' minds that almost no one answers plainly: what do I actually do if it happens anyway? If you walk in one morning and the screens are locked, or you realize money has been stolen, or you discover someone has been in your email, what are the first moves?
Not knowing is its own kind of stress. So I want to give you something genuinely useful: a calm, plain-English plan for the first hour and the first day after an attack. Keep this somewhere you can find it. The goal is not to make you a security expert in a crisis. It is to give you a clear order of operations so that a frightening moment becomes a series of manageable steps instead of a panic.
The single most important thing to know up front is this: the first hour matters more than any other. Quick, calm action in the early moments can be the difference between a contained incident and a catastrophe. So let me walk you through it.
The first hour: contain, do not erase
When you first realize something is wrong, every instinct screams to fix it immediately, to delete the bad thing, wipe the machine, make it go away. Resist that instinct. In the first hour your job is to contain the damage and preserve the situation, not to clean it up. Cleaning up too fast can destroy the evidence you will need and can make things worse.
Here is the order that actually helps.
Disconnect, do not power off. Isolate affected devices from the network by unplugging the network cable or turning off Wi-Fi on that device. This stops the spread to other systems and cuts off an attacker's access. But do not shut the computer all the way down if you can avoid it, because powering off can erase useful traces of what happened. Disconnect from the network, but leave the device on.
Stop the bleeding on money and accounts. If money may be involved, call your bank immediately, because fast action can sometimes stop or recall a fraudulent transfer. If an account like email was compromised, change its password from a different, clean device and turn on multi-factor authentication if it is not already on. The faster you cut off access, the less an attacker can do.
Do not pay, do not negotiate, do not go it alone yet. If you are facing a ransom demand, do not pay it or respond on your own. Paying is risky, often does not restore your data, and is a decision to make with professional guidance, not in a panic. This is the moment to bring in help.
Call for expert help. Contact your cybersecurity provider, your IT support, or a professional incident response service. If you have cyber insurance, call your carrier early, because many policies require it and many provide a response team that guides you through exactly this. You do not have to figure this out alone, and you should not try to.
Write down what you see. Jot quick notes: what you noticed, when, on which devices, any messages on screen. Take photos of error messages or ransom notes. This simple record is genuinely valuable to the people who help you and to any claim you file.
That is the first hour. Disconnect, protect money and accounts, do not pay, call for help, document. Notice that none of it requires technical skill. It requires staying calm and moving in the right order.
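The "write down what you see" step is the one that most often gets lost in the scramble, and notes that can be shown not to have been edited afterwards are worth more to a responder or an insurer than notes that cannot. Below is an added example, written for this page and not part of the original post or of Red Door Shield's own tooling, of a simple first-hour incident record: each note is timestamped, any evidence file (a photo of the ransom note, a screenshot) is fingerprinted with SHA-256, and every note is chained to the one before it so that later edits or reordering are detectable. The device name and the two sample observations are constructed for illustration.

```python
"""Tamper-evident first-hour incident record (added example, not the post's own tooling)."""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed starting link for the chain; the first note hashes against it.
GENESIS = "0" * 64


def sha256_file(path: Path) -> str:
    """Fingerprint an evidence file (photo of a ransom note, screenshot) in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Each link covers the previous hash plus this note's content, so editing,
    # deleting or reordering an earlier note breaks every hash after it.
    payload = json.dumps(entry, sort_keys=True).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


def last_hash(log_path: Path) -> str:
    """Current head of the chain, or GENESIS for a log that does not exist yet."""
    if not log_path.exists():
        return GENESIS
    lines = log_path.read_text(encoding="utf-8").splitlines()
    return json.loads(lines[-1])["hash"] if lines else GENESIS


def record(log_path: Path, device: str, observation: str,
           evidence: tuple = (), when: str = "") -> str:
    """Append one timestamped note (plus hashes of any evidence files); return the new head."""
    prev = last_hash(log_path)
    entry = {
        "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "device": device,
        "observation": observation,
        "evidence": {Path(p).name: sha256_file(Path(p)) for p in evidence},
    }
    head = _entry_hash(prev, entry)
    with log_path.open("a", encoding="utf-8") as handle:
        handle.write(json.dumps({"prev": prev, "entry": entry, "hash": head},
                                sort_keys=True) + "\n")
    return head


def verify(log_path: Path) -> bool:
    """Re-walk the chain from GENESIS.

    Returns False if any note was altered, an earlier note was removed, or notes
    were reordered. Notes cut off the end are only caught by comparing
    last_hash() with a head value you recorded somewhere else.
    """
    prev = GENESIS
    for line in log_path.read_text(encoding="utf-8").splitlines():
        rec = json.loads(line)
        if rec["prev"] != prev or _entry_hash(prev, rec["entry"]) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


if __name__ == "__main__":
    import tempfile
    workdir = Path(tempfile.mkdtemp())
    log = workdir / "incident.jsonl"
    # Constructed sample: two notes about a hypothetical locked front-desk PC.
    record(log, "front-desk-pc", "Lock screen with payment demand, photographed")
    record(log, "front-desk-pc", "Network cable unplugged, device left powered on")
    print("chain head:", last_hash(log), "intact:", verify(log))
```

Keep the log on a clean device, not the affected one, and send the current head hash to whoever is helping you (your provider or insurer) each time you add notes; that copy is what makes the chain meaningful, because a record kept only on your own machine can always be rewritten from the start.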
The first day: assess, notify, and protect what is left
Once the immediate bleeding is stopped and help is engaged, the first day is about understanding what happened and protecting everything around the edges.
Work with your help to understand the scope. What was accessed, what was taken, which systems and accounts are affected. You do not need to do this analysis yourself, but you do need to know the answers, because they drive every decision that follows.
Secure everything adjacent. Change passwords on important accounts from clean devices, turn on multi-factor authentication everywhere it is not already, and assume that any password that touched the compromised system needs to be replaced. Attackers often use one foothold to reach others, so closing the surrounding doors matters.
Understand your notification obligations. This is the part owners often miss. Depending on what data was exposed and where you operate, you may have legal duties to notify affected people, and sometimes regulators, within certain timeframes. Professional guidance or your insurer can help you get this right, and getting it right matters, because the failure to notify properly can carry its own consequences.
Communicate carefully. Let your team know what is happening and what to do, especially if your accounts may be used to send fraudulent messages. If clients or partners are affected, plan honest, measured communication with them rather than silence. How you handle this human side often matters as much to your reputation as the technical fix.
Begin recovery from clean backups. If you have reliable, tested backups, this is where they earn their keep, letting you restore systems and get back to work. If you are not certain a backup is clean, restore with professional guidance so you do not reintroduce the problem.
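"Tested backups" and "if you are not certain a backup is clean" both come down to one question: does what you are about to restore match what the data looked like when you knew it was good? One plain way to answer it is to record a fingerprint of every file at a known-good time and compare the backup against that record before restoring. The code below is an added example for this page, not the post's own or Red Door Shield's tooling; the file names and contents are constructed. It builds such a manifest, stores it, and reports which files in a restore candidate were changed, are missing, or were never in the known-good set at all.

```python
"""Check a backup against a manifest taken when it was known good (added example)."""
import hashlib
import json
from pathlib import Path


def file_digest(path: Path) -> str:
    # Whole-file read keeps the example short; fine for documents, not multi-GB images.
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    """Store the manifest somewhere the backed-up systems cannot write to."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True), encoding="utf-8")


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text(encoding="utf-8"))


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a restore candidate with the known-good manifest.

    Returns which files changed, which are missing, and which were not in the
    known-good set at all; a clean restore has all three lists empty.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "clean": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    import shutil
    import tempfile
    work = Path(tempfile.mkdtemp())
    good = work / "known_good"
    (good / "docs").mkdir(parents=True)
    (good / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")  # constructed sample data
    (good / "docs" / "contract.txt").write_text("signed")
    save_manifest(build_manifest(good), work / "manifest.json")

    restore = work / "restore_candidate"
    shutil.copytree(good, restore)
    (restore / "ledger.csv").write_text("date,amount\n2024-01-01,900\n")  # altered copy
    (restore / "docs" / "update.exe").write_bytes(b"not in the known-good set")  # stray file
    print(verify_backup(restore, load_manifest(work / "manifest.json")))
```

The check is only as good as the moment the manifest was made: a manifest built after someone was already inside proves nothing, so build it on a calm day as part of testing the backup, and keep it (and the backup) where the systems it describes cannot overwrite it. Unexpected files and changed files are exactly the things you want a professional to look at before you restore, which is the point the paragraph above makes.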
The mistakes that make it worse
A few common reactions turn a bad situation into a worse one, and they are easy to avoid once you know them. Do not try to hide it or handle it quietly alone, because delay gives the attacker more time and can violate your obligations. Do not pay a ransom on impulse. Do not wipe or "fix" machines before anyone has looked, because you may destroy what is needed to understand and recover. And do not assume it is over the moment the obvious symptom stops, because attackers often leave themselves a way back in. Slow, calm, and guided beats fast and alone every time.
How we think about it
The reason we built Red Door Shield to include response, not just prevention, is that the bad day is exactly when a business most needs a partner who already knows what to do. We organize everything around a simple framework called KIT: Keep, Inspect, Trust. Keep what is valuable secure, which includes the tested backups that make recovery possible. Inspect what is coming in, so an attack is caught early, when it is small, instead of discovered after the damage. And trust through validation, so the response is deliberate and correct rather than panicked. When something does go wrong, having someone monitoring around the clock who can step in immediately turns the first hour, the one that matters most, from a scramble into a plan already in motion.
What ready looks like
Picture the worst morning, screens locked or money missing, and instead of panic there is a plan. You disconnect the affected device. You call your bank and your security partner. Help is already moving. You are documenting, communicating calmly, restoring from backups you know are good. The incident is serious, but it is handled, contained, and survivable, because you knew the steps and you were not alone.
That is what ready feels like. Not the fantasy that nothing will ever go wrong, but the real confidence that if it does, you know exactly what to do and you have someone in your corner who does too.
The best time to read this is before you ever need it. Save it. Better yet, make sure the prevention is strong enough that you rarely do, and that someone is watching so that if the bad day comes, the response starts in minutes, not hours. If you want help building both the protection and the plan, that is a conversation worth having now, on a calm day, rather than on the hard one.
Not sure where your business actually stands?
Take our free Business Security Assessment. In under 10 minutes, you will know exactly where your gaps are and what it would take to close them.
Get My Free Security Assessment