You notice something off. A user is locked out, a server is suddenly “busy”, invoices are being emailed that nobody sent, or files have strange extensions. Your brain immediately wants to jump to fixes.
In the first hour, your job is simpler than that. You are trying to do three things: stop the bleeding, keep good evidence, and make sure the right people are involved.
First, decide who is in charge (and keep communication simple)
A breach gets messy when everyone starts doing “helpful” things at once. Before you touch systems, pick one person to coordinate. In a small business, that is often the owner, COO, or office manager, with your IT provider running the technical steps.
A few quick rules that save a lot of pain:
- Name an incident lead. One person tracks what is happening, what has been done, and what needs approval.
- Start an incident log. A shared doc is fine. Write down times, actions taken, and screenshots. This becomes gold later for insurance, legal, and recovery.
- Use a safe channel. If you suspect email is compromised, do not coordinate in email. Use phone calls, SMS, or a separate chat tool your IT team confirms is safe.
Minute 0 to 15: contain first, then investigate
Containment means limiting spread. It does not mean wiping machines, “cleaning things up”, or reinstalling systems. You can do those later, after you know what you are dealing with.
Here is what containment looks like in plain English:
- Isolate affected devices. If one laptop looks compromised, get it off the network (disconnect Wi-Fi, unplug Ethernet). CISA’s ransomware guidance specifically calls out isolating systems in a coordinated way to prevent spread.
- Do not rush to power off unless you have to. Sometimes powering down is necessary if you cannot disconnect safely, but it can also wipe volatile evidence like system memory. That trade-off matters, so pause and get your IT team involved before you start turning things off.
- Disable the “obvious” risky access. If you suspect an account takeover, lock the account, reset the password, and revoke active sessions where your platform allows it. The FTC notes that stolen credentials keep you vulnerable until credentials are changed.
A real example: if a staff member reports repeated MFA prompts they did not trigger, that is often an attacker trying to sign in. Your first move is to block the account and stop the sign-in attempts, not to start digging through every PC in the office.
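As an added example (not from the original post, and not Flexnet's own tooling): the "block the account and stop the sign-in attempts" step for a Microsoft 365 tenant, done from PowerShell so each action is recorded at the same time. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in admin holds a role allowed to disable users, and that the account name, permission scopes and log file path are placeholders you adapt to your tenant.

```powershell
# Contain a suspected account takeover in Microsoft 365 (added example, not the post's code).
# Assumes the Microsoft.Graph module; the user and scopes below are placeholders.
$User    = "affected.user@example.com"   # placeholder: the account reporting unexpected MFA prompts
$LogFile = ".\incident-log.txt"          # placeholder: your shared incident log

# Sign in with delegated permissions. The scope assumed here is User.ReadWrite.All;
# your tenant may also require the admin to hold the User Administrator role.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 1. Block sign-in. New attempts, and the MFA prompts they trigger, stop immediately.
Update-MgUser -UserId $User -AccountEnabled:$false

# 2. Revoke refresh tokens so sessions the attacker may already hold expire
#    instead of surviving the block.
Revoke-MgUserSignInSession -UserId $User

# 3. Write what was done, by whom and when, into the incident log.
$who   = (Get-MgContext).Account
$entry = "{0:u}  {1} blocked sign-in and revoked sessions for {2}" -f (Get-Date), $who, $User
Add-Content -Path $LogFile -Value $entry
Write-Output $entry
```

Disabling the account first and revoking sessions second matters: a password reset alone leaves any tokens the attacker already obtained valid until they expire, which is the point the FTC guidance above makes about changed credentials. Reset the password afterwards through the admin centre and keep the account disabled until your IT team has checked the mailbox for rules and the sign-in history.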
Minute 15 to 30: preserve evidence you will wish you had later
Most small businesses lose the best clues in the first hour because someone “tidies up”. The problem is that the clues are often short-lived, like logs that roll over, or data sitting in memory.
Focus on quick, practical preservation:
- Take screenshots and photos. Ransom notes, odd error messages, suspicious emails, admin alerts, and timestamps.
- Preserve key logs where you can. CISA’s ransomware guidance calls out preserving volatile or limited-retention evidence such as system memory, Windows Security logs, and firewall log buffers.
- Do not run cleanup tools yet. Avoid antivirus “quarantine everything” sweeps, registry cleaners, or deleting suspicious files until your IT team has captured what they need.
If you have an IT provider, this is where they may start collecting forensic images or exporting logs. If you do not, still capture what you can without poking around. Your goal is to avoid making the situation worse.
Minute 30 to 45: check the blast radius (without boiling the ocean)
Now you want to answer a few business-first questions:
- What systems are affected?
- Is it spreading?
- What is the most likely entry point?
- What data or money could be at risk?
Keep it tight. You are not doing a full investigation in the first hour.
A practical checklist:
- Confirm what type of incident it is. Ransomware (files encrypted), business email compromise (weird inbox rules, changed bank details), stolen device, suspicious admin activity, or a vendor alert.
- Identify the “crown jewels”. Email, accounting, file server, CRM, payroll, and anything with customer data. Prioritise checking those.
- Look for more compromised accounts. Attackers often move from one mailbox to others. If you see unfamiliar forwarding rules or sign-ins from unusual locations, treat that as a sign the incident is bigger than one user.
If you are a Microsoft 365 shop, this is usually where you check sign-in activity and audit logs. If you are on a line-of-business app, it is where you check admin logins and recent configuration changes.
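As an added example (not from the original post, and not Flexnet's own tooling): one way to check a Microsoft 365 tenant for the "unfamiliar forwarding rules" mentioned above, across every mailbox rather than just the reporting user's. It assumes the ExchangeOnlineManagement PowerShell module and an Exchange administrator sign-in; the internal domain and output path are placeholders. Matching on the forwarding target is approximate (it treats any address not containing your domain as external), so review the output rather than acting on it blindly.

```powershell
# Find mailbox forwarding and inbox rules that send mail outside the tenant
# or silently delete it (added example, not the post's code).
# Assumes the ExchangeOnlineManagement module; domain and path are placeholders.
$InternalDomain = "example.com"   # placeholder: your organisation's email domain
$OutDir         = "."             # placeholder: where to keep the evidence copy

Connect-ExchangeOnline

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by an admin or by the user in settings)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Type    = "MailboxForwarding"
            Detail  = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
        }
    }

    # Inbox rules that forward, redirect, or delete incoming mail
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                    Where-Object { $_ }
        $external = $targets | Where-Object { "$_" -notlike "*@$InternalDomain*" }
        if ($external -or $rule.DeleteMessage) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Type    = "InboxRule"
                Detail  = "$($rule.Name) (enabled=$($rule.Enabled)): external=[$($external -join ', ')] delete=$($rule.DeleteMessage)"
            }
        }
    }
}

# Show the findings and keep a timestamped copy as evidence
$findings | Format-Table -AutoSize
$csv = Join-Path $OutDir ("forwarding-check-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
$findings | Export-Csv -Path $csv -NoTypeInformation
Write-Output "Saved $($findings.Count) finding(s) to $csv"
```

Rules that forward to an outside address, or that delete or move messages so the owner never sees bank or invoice replies, are the typical footprint of business email compromise. Export the list before anyone removes the rules, since the rule names, targets and creation details are part of the evidence the insurer and any reporting channel will ask for.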
Minute 45 to 60: notify the right people (and avoid unhelpful noise)
In the first hour, you are not writing customer notifications or drafting press statements. You are making sure the people who can help you contain and recover are aware, and that reporting is started when appropriate.
Who to loop in depends on the situation:
- Your IT and security support. If you have managed IT, pull them in early. NIST’s incident handling guidance is built around quick detection, analysis, and containment.
- Your cyber insurance contact. Many policies have requirements about using approved vendors or calling a breach hotline early. Your incident log helps here.
- Law enforcement reporting (when money or crime is involved). For cyber-enabled crimes like ransomware or business email compromise, the FBI’s Internet Crime Complaint Center (IC3) is a key reporting channel.
- CISA (when you want federal help or broader reporting). CISA provides guidance on sharing cyber incident information, and their ransomware guidance includes reporting options.
One more practical point: keep internal messaging calm and specific. Tell staff what to do right now (for example, “Do not open suspicious attachments, report unusual MFA prompts, and leave affected computers alone until IT says otherwise”). You do not need a dramatic all-hands announcement.
A simple first-hour script you can keep on hand
If you want a one-page incident response plan for a small business, this is a good starting script:
- Stop spread. Isolate affected devices and disable suspicious accounts.
- Preserve evidence. Screenshots, timestamps, and key logs before cleanup.
- Coordinate. Name an incident lead and keep an action log.
- Assess impact. What is affected, what is at risk, what is still safe.
- Escalate. IT provider, insurance, and reporting channels as needed.
If you would like help turning this into a practical incident response plan for your business, the Flexnet Networks team can build it with you and run a short tabletop exercise so your first hour feels calm and organised.
Sources
- Data Breach Response: A Guide for Business, Federal Trade Commission
- #StopRansomware Guide, Cybersecurity and Infrastructure Security Agency (CISA)
- Computer Security Incident Handling Guide (SP 800-61 Rev. 2), National Institute of Standards and Technology (NIST)
- Guidance on Sharing Cyber Incident Information, Cybersecurity and Infrastructure Security Agency (CISA)
- Business Email Compromise, Federal Bureau of Investigation (FBI)