The moment you realize your business has been breached is disorienting. Accounts are acting strangely, files are locked, or a client calls asking why they got a suspicious email from you. What you do in the first 24 hours has an outsized effect on how bad — and how expensive — it gets.
Here’s the calm, practical playbook we walk our clients through.
Hour 1: Contain, don’t panic
The instinct to start deleting things or wiping machines can destroy evidence and make recovery harder. Instead:
- Isolate, don’t power off. Disconnect affected devices from the network (unplug ethernet, disable Wi-Fi) but leave them on — memory can hold important clues.
- Lock down accounts. Reset passwords and revoke active sessions on any account that may be compromised, starting with email and admin accounts.
- Turn on or enforce MFA everywhere it isn’t already.
Hours 2–6: Assess the scope
You need to answer three questions: What did they access? How did they get in? Are they still inside? This is where having someone who can read the logs matters — email access records, sign-in history, and endpoint alerts tell the story. Guessing leads to either overreacting or, worse, declaring “all clear” while the attacker is still present.
Hours 6–24: Notify the right people
| Who | Why |
|---|---|
| Your IT/security provider | To contain, investigate, and begin recovery properly |
| Your cyber insurance carrier | Many policies require prompt notice — and provide expert resources |
| Affected clients/vendors | To stop the attack from spreading through your relationships |
| Legal counsel | Florida breach-notification rules may apply depending on the data involved |
The best time to plan is before it happens
Businesses that recover quickly aren’t lucky — they prepared. They have current backups, a written incident response plan, and a provider on call. Businesses without those spend the first 24 hours figuring out who to call while the damage grows.
Junopi helps Southwest Florida businesses put a response plan and tested backups in place before an incident — and we’re the team you call if one happens. Let’s make sure you’re ready.