Incident Response

What happens in the first 24 hours after a data breach?

5 min read · 28 March 2025

Discovering that your business has been breached is one of the most stressful situations a business owner can face. The instinct is to panic, to delete everything, to pretend it didn't happen — or to freeze entirely and wait for it to go away. None of those responses help.

What you do in the first 24 hours will determine how much damage you can limit, what your legal exposure looks like, and whether you can recover properly. Here's what should actually happen, step by step.

Hours 0–2: Contain the breach

The single most important thing you can do in the first two hours is stop the bleeding. If you've identified a compromised system, isolate it from the rest of your network immediately. Unplug it from the network — but do not power it off. Shutting down a machine can destroy volatile forensic data that investigators need to reconstruct what happened. If you've identified a compromised user account, revoke its access and reset credentials. If it's a cloud service, revoke API keys and active sessions.

Critically: do not delete files, wipe drives, or reinstall operating systems. Every piece of evidence you destroy now could be needed later — by insurers, investigators, regulators, or your legal team. The cleanup comes later. Right now, contain and preserve.

If you have an IT contact or security professional on call, bring them in at this stage. Decisions made under pressure, in isolation, are rarely the right ones.

Hours 2–6: Assess the damage

Once immediate containment is in place, shift focus to understanding what actually happened. Key questions to work through:

  • What data was accessed, modified, or exfiltrated?
  • How did the attacker gain access — phishing email, compromised credentials, unpatched vulnerability, something else?
  • How long had they been inside before detection? Days? Weeks?
  • Are there other systems that may have been affected that you haven't identified yet?

This stage requires methodical thinking, not speed. Rushing to conclusions leads to incomplete remediation — which means the attacker, or a second one using the same entry point, can return. Document everything you find. Timestamps, usernames, file names, IP addresses. This record matters.

Hours 6–12: Legal obligations

This is where many businesses make a critical mistake: they focus entirely on the technical recovery and forget the legal clock is running.

Under UK GDPR, if the breach is likely to result in a risk to the rights and freedoms of individuals — for example, if customer personal data was accessed, stolen, or exposed — you have a legal obligation to report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. That clock starts the moment you know about the breach, not when you've finished investigating it.

The report doesn't need to be a complete forensic analysis. It should cover what happened as best you currently understand it, what categories and approximate volume of personal data were involved, how many individuals are likely affected, and what steps you're taking to address it. You can submit an initial report and update it as you learn more. What you cannot do is wait until everything is resolved before reporting — the 72-hour window is a legal requirement, and missing it without good reason is itself a compliance failure.
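The "document everything" step above and the 72-hour ICO clock both hinge on one thing: a record whose timestamps can be trusted later. The following is an added example, not code from the original article or from OkamiSec: a small tamper-evident incident log in which each finding (timestamp, username, host, IP, file path, note) is hash-chained to the previous one, with the ICO deadline computed from the moment of awareness and the attacker's dwell time derived from the earliest recorded activity. Names, hosts and addresses in `demo()` are constructed sample data.

```python
# Added example, not from the original article: a tamper-evident log for the "document
# everything" step plus the UK GDPR 72-hour ICO clock, which runs from the moment of
# awareness. Timestamps are UTC; the sample entries in demo() are constructed.
import hashlib
import json
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IncidentLog:
    def __init__(self, aware_at):
        self.aware_at = aware_at   # when you knew, not when the investigation finished
        self.entries = []
        self._prev = "0" * 64      # hash chain starts from a fixed sentinel
    def record(self, observed_at, user="", host="", ip="", path="", note=""):
        # Each finding keeps its own timestamp and is chained to the previous entry's
        # hash, so any later edit or deletion of the record is detectable.
        entry = {"seq": len(self.entries), "observed_at": observed_at.isoformat(),
                 "user": user, "host": host, "ip": ip, "path": path, "note": note,
                 "prev": self._prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry["hash"]
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
    def ico_deadline(self):
        return self.aware_at + ICO_WINDOW
    def dwell_time(self):
        # earliest recorded attacker activity relative to when you became aware
        first = min(datetime.fromisoformat(e["observed_at"]) for e in self.entries)
        return self.aware_at - first

def demo():
    log = IncidentLog(datetime(2025, 3, 28, 9, 15, tzinfo=timezone.utc))
    log.record(datetime(2025, 3, 21, 2, 40, tzinfo=timezone.utc), user="j.smith",
               host="FS01", ip="203.0.113.45", note="VPN login from unfamiliar address")
    log.record(datetime(2025, 3, 27, 23, 5, tzinfo=timezone.utc), user="j.smith",
               host="FS01", path="/shares/hr/payroll.xlsx", note="bulk read of HR share")
    return log
```

Run `verify()` before handing the record to insurers or investigators; a single altered field breaks the chain from that entry onward.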

Take legal advice before making decisions about notifying affected individuals. In many cases it will be required; in others, it will depend on the nature and severity of the breach.

Hours 12–24: Communicate

By now you should have a clearer picture of the scope. You need to communicate — deliberately, carefully, and through the right channels.

Staff: Brief relevant team members on what happened, what actions are being taken, and what not to do (particularly: don't discuss it publicly or on social media, don't speculate, don't make unilateral decisions about systems).

Customers or affected individuals: If their data was compromised, they may have a legal and ethical right to know — particularly if there's a risk of fraud, identity theft, or other harm. The content and timing of this communication should be agreed with legal counsel and coordinated with your ICO notification.

Board or leadership: They need to know. This is a business-level event — it affects liability, insurance, client relationships, and public reputation. It should not be managed entirely at the operational level.

What NOT to do

A few things that feel tempting in the moment but cause serious, avoidable harm:

  • Don't pay the ransom. It doesn't guarantee you get your data back. Many businesses pay and receive nothing. UK authorities, including the NCSC, recommend against it — and it funds further attacks.
  • Don't cover it up. Concealing a notifiable breach from the ICO is a separate regulatory offence that compounds the original problem. Regulators look more favourably on organisations that report promptly and transparently.
  • Don't wipe evidence. Even if a clean reinstall feels like the safest, fastest path forward, destroying forensic evidence can undermine your insurance claim, any criminal investigation, or legal action you might want to take.

The bottom line

A breach is survivable. Businesses recover from them every day. Customer relationships survive them. Reputations are rebuilt. But how you respond in the first 24 hours shapes every outcome that follows — legal, financial, and reputational.

The businesses that manage breaches best are rarely those with the most sophisticated security. They're the ones that had a plan before it happened, knew who to call, and moved calmly through a process rather than improvising under pressure.

OkamiSec
