A few years ago, I was pulled into an incident that started with a single customer call. The customer had logged into the platform that morning and noticed files were missing.

At first, everyone assumed it was a support issue.

Then a second customer reported something similar.

Then a third.

Within an hour, leadership was pulled into the conversation.

At that point, nobody knew whether the issue was operational, accidental, or security related.

The investigation was just getting started.

The questions started immediately:

  • Are customers impacted?
  • Do we know what happened?
  • Can we see what's going on?
  • What data is involved?
  • How many customers could be affected?
  • Do we need to notify anyone?

The security team was trying to determine the scope of the issue. Leadership was trying to understand what it meant for the business.

Neither side had enough information yet.

That's one of the hardest realities of a data breach. The questions start long before the answers do.

Most people who wonder what to do when you get hacked imagine forensic investigators tracking attackers through logs and systems. In reality, the first few hours are usually spent trying to understand impact quickly enough for the business to make decisions.

Breach response

What happens in the first 24 hours

Hour 1: Detection & triage
  • Confirm it's a security event
  • Scope initial impact
  • Assemble the right people
  • Notify cyber insurer

Hour 4: Containment decisions
  • Isolate or keep running?
  • Engage IR partner
  • Preserve evidence
  • Loop in outside counsel

Hour 12: Business continuity
  • Can backups restore ops?
  • Customer notification?
  • Regulatory obligations?
  • Leadership communications

Hour 24: Path to recovery
  • Forensic investigation scope
  • Public comms decision
  • Recovery timeline set
  • Begin lessons-learned log

The First 24 Hours Reveal the Last 12 Months

After being involved in enough incidents, I've noticed something that doesn't get discussed often enough.

The first 24 hours of a breach are rarely defined by the attacker.

They're defined by the decisions the company made long before the breach occurred:

  • Did they purchase cyber insurance?
  • Do they have an incident response partner on retainer?
  • Have they conducted tabletop exercises?
  • Do they know who is responsible for communications?
  • Have they tested backups?
  • Do they understand the role their MSP, MSSP, legal counsel, and leadership team play during an incident?

The organizations that recover fastest are usually not making brilliant decisions under pressure.

They're executing decisions they already made months or years earlier.

Incident Response Speed Comes Down to One Thing: Preparation

One of the biggest differences I see between organizations is how quickly they can assemble the right people.

In mature organizations, the response begins almost immediately.

Cyber insurance is notified. Outside counsel joins the call. The incident response provider is engaged. Internal stakeholders know their responsibilities. The MSP or MSSP understands its role. Everyone starts moving in the same direction.

In less prepared organizations, valuable time is spent figuring out basic logistics.

Who owns the response? Who should be contacted? Who is responsible for customer communication? Does insurance require specific vendors?

Those questions can consume hours during a time when every minute matters.

According to Unit 42's 2026 incident response findings, attackers moved from initial access to data exfiltration in an average of just 72 minutes. Most organizations cannot afford to spend that time determining who should be on the bridge call.

This is true regardless of company size. Whether you run a 20-person professional services firm or a 500-person manufacturer, having a documented incident response plan, and knowing the data breach first steps your team will take, is what separates a contained event from a compounding one. For small businesses in particular, a lightweight incident response plan is not a luxury.

It is the difference between a recoverable incident and one that takes months to clean up.

The difference preparation makes

The first two hours: prepared vs. unprepared

⚠ Without a plan
  • Scrambling to find who owns the response: no pre-assigned roles = 30–60 min lost
  • Debating whether to call insurance first or legal first: wrong order can void coverage
  • Discovering backups haven't been tested: unusable recovery = weeks of downtime
  • MSP and internal IT pointing fingers at each other: no clarity on who does what

✓ With a plan
  • Incident commander identified before anything starts: everyone knows their role immediately
  • Insurer, legal, and IR partner called in the right order: decision made months before the breach
  • Backup restoration tested quarterly — timeline is known: recovery starts in hours, not days
  • MSP role defined in the IR plan: everyone moves in the same direction

The Breach Tests More Than Technology

One misconception I often hear is that incident response is primarily a technical exercise. It's not.

A breach quickly becomes a business event. Leadership needs answers. Customers may need communication. Legal obligations must be evaluated. Operational decisions need to be made. Technology teams are investigating the attacker while the business is trying to understand the impact.

This is where preparation becomes visible.

Organizations that have conducted tabletop exercises have already practiced these conversations. The scenario may not be identical, but the process of making decisions under pressure is familiar. The goal of a tabletop isn't to predict every breach. It's to ensure people know what to do when uncertainty arrives.

The Backup Question Always Comes Up

At some point during nearly every serious incident, someone asks the same question.

"Can we restore from backup?"

The answer is often less clear than people expect. Many organizations have backups.

Far fewer have tested them.

  • Can critical systems actually be restored?
  • How long will recovery take?
  • What gets restored first?
  • Are backups isolated from the attack?
  • Has anyone practiced the process recently?

A breach has a way of exposing the difference between having a control and knowing it works. The same applies to endpoint protection, logging, asset inventories, privileged access reviews, and countless other security controls.

During an incident, assumptions are replaced by evidence.

Quick check

Is your incident response plan actually ready to execute?

Most organizations think they have a plan. Very few have tested whether it actually works under pressure. Here's what a real plan accounts for:

  • Defined incident commander with backup
  • Cyber insurer notified in the right sequence
  • Backups tested and recovery time known
  • Tabletop exercise completed in last 12 months

The Companies That Recover Best Aren't Perfect

The organizations that handle incidents best rarely have perfect security.

They have clarity.

They know who owns the response.

They know where their critical data lives.

They understand which systems matter most.

They have relationships with the partners they need.

They have tested the processes they expect people to follow.

Most importantly, they don't spend the first day creating a plan.

They're executing one.

The Question To Ask This Week

If your organization discovered a breach tomorrow morning, would the first few hours be spent responding to the incident or figuring out how to respond?

Because after enough incidents, I've become convinced of one thing.

Most organizations don't discover whether they're prepared during a breach.

They discover whether they prepared before it.

Frequently Asked Questions

Common questions about data breach response, incident readiness, and recovery.

What are the first steps after a data breach?

The first steps are to determine scope, contain active threats, engage the appropriate response teams, preserve evidence, and understand potential business impact. Organizations with a documented incident response plan typically move much faster through this process — the decisions are already made, and the team is executing rather than improvising.

What should a small business do when it gets hacked?

Small businesses should activate their incident response plan, engage internal and external response resources, assess affected systems, preserve evidence, and review notification requirements. Knowing who to call before an incident occurs — your cyber insurer, outside counsel, and IR partner — can significantly reduce recovery time and protect coverage.

How important are backups during a ransomware attack?

Backups are often critical to recovery, but only if they have been tested and can be restored successfully. Having backups and knowing they work are two very different things. Many organizations discover during an incident that their backups are incomplete, out of date, or not isolated from the affected environment. Quarterly restoration tests are the only way to know for certain.

Do tabletop exercises really help with incident response?

Yes. Tabletop exercises help leadership and technical teams practice decision making, communication, and coordination before a real incident occurs. They often expose gaps that would otherwise be discovered during a breach — gaps in roles, notification chains, backup readiness, and third-party coordination. The goal isn't to predict every breach scenario. It's to ensure people know what to do when uncertainty arrives.

What separates companies that recover quickly from those that struggle?

In most cases, preparation. Clear roles, tested backups, a documented incident response plan, third-party coordination, and practiced decision making typically have a greater impact on recovery speed than any individual security tool. The companies that recover fastest are rarely the ones with the most sophisticated technology — they're the ones that didn't spend the first day creating a plan.

Up Next in the Breach Series

This is Post 2 of 3 in TechCompass’s Breach Series. In the next post, we cover what happens after the dust settles — the hard lessons, the security gaps that get exposed, and how organizations rebuild smarter. If you missed Post 1, it covers the warning signs that are almost always present before a breach occurs.

Read Post 1 in the series here: Before the Breach. Post 3 is coming next week.
