Tip #15: Have a One-Page Plan for the First Hour of a Cyberattack

May 15, 2026

In a security incident, the first hour is the most important and the most chaotic. A one-page plan written in advance helps the right people make the right decisions under pressure.

What to do:

  • Work with your IT provider to build a one-page incident checklist covering who to call first, including your IT provider, cyber insurance carrier, and legal counsel.
  • Define what to isolate immediately, such as affected devices that need to be removed from the network.
  • Document what not to do, including not rebooting systems, not deleting files, and not paying a ransom without guidance.
  • Identify who is authorized to communicate externally with clients, vendors, insurance carriers, legal counsel, or the public.
  • Print a copy and store it somewhere accessible that does not rely on your systems being up.
  • Brief your leadership team on where the checklist lives and what each person’s role is.

Common mistake: When a breach happens, the instinct is to start unplugging things, rebooting computers, and calling everyone at once. Some of those instincts can destroy forensic evidence. Others can escalate the damage or create confusion when clear direction is needed most.

The plan does not need to cover every possible scenario. It needs to protect the first 60 minutes.

Businesses with a documented and practiced response plan contain breaches faster, spend less on recovery, and have better outcomes with cyber insurance claims. Everything after the first hour is easier when the right people are already on the phone.

How to know it’s done:

  • A one-page incident response checklist exists and is stored somewhere accessible without relying on your digital systems
  • Key people, including the owner, office manager, and IT lead, know where it is and what their role is