Cybersecurity · 8 min read

Your Incident Response Plan: The First Hour of a Cyber Breach

Brian Clayton

Most breach damage is not done by the attacker. It is done in the first hour by people trying to help. Someone wipes a laptop to make it clean. Someone emails the whole company to warn them. Someone pays an invoice that turns out to be the fraud itself. The difference between a contained incident and a business-ending one is usually whether you had a calm, written plan for the first sixty minutes before you ever needed it.

This is that plan in plain language. It is written for the owner or office manager of a Canadian small or mid-sized business, not for a security team. It covers what to look for, what to disconnect, who to call, what to say, and the notification duties Canadian privacy law puts on you. If you read our ransomware recovery playbook, treat this as the step before recovery: the hour where you stop the bleeding and set up everything that follows.

Why the First Hour Decides So Much

A modern attack is rarely a single dramatic moment. By the time you notice something, the attacker has often been in your environment for days or weeks, moving quietly. The first hour is not when you defeat them. It is when you stop their movement, protect what they have not reached yet, and avoid destroying the proof of what happened.

Three things make the first hour fragile. The decisions are irreversible (a wiped disk is gone), they are made under stress, and they are usually made by whoever happens to be standing there. A written plan removes the guesswork. It tells the person at the desk exactly what to do and, just as importantly, what not to do.

Step 1: Confirm Something Is Actually Wrong

Not every odd morning is a breach. Before you trigger a response, take sixty seconds to confirm you are looking at a real incident and not a slow update or a flaky internet connection. The signals that justify treating it as an incident:

  • Files renamed with strange extensions, or a ransom note text file on the desktop
  • Multiple people reporting the same problem at the same time, not just one machine
  • You are locked out of email, your accounting system, or your line-of-business app
  • Your security tool fired an alert about credential theft, unusual sign-ins, or malware
  • Money moved, a banking detail changed, or a vendor says they got a payment you did not send

If two or more of these are true, stop treating it as a help-desk ticket and start treating it as an incident. The cost of over-reacting for an hour is small. The cost of under-reacting is the whole point of this article.

Step 2: Contain by Isolating, Not Powering Off

This is the single most important rule, and the one most people get wrong: do not power off the affected machines. Pulling the plug feels decisive, but it destroys volatile evidence sitting in memory that a forensics team needs to find out how the attacker got in and how far they went. It can also corrupt files mid-encryption.

Instead, isolate. The goal is to cut the affected systems off from the network while leaving them running. In order of preference:

  • Disconnect the network cable, or turn off Wi-Fi on the affected device, so it stays powered but cannot reach anything else
  • If your security tool supports network containment, use it to quarantine the device with one click
  • If several machines are involved, isolate at the switch or firewall rather than chasing individual cables
  • Disconnect or isolate your backups from the network immediately, because attackers target backups first to take away your last clean copy
  • Disable the user accounts that look compromised, and reset their passwords through a known-clean device

The principle is simple. Stop the spread, keep the evidence, and assume more is compromised than you can prove. If you cannot tell how far it has reached, isolate more broadly, not less.

Step 3: Call Your IT Provider and Your Insurer

Once the bleeding is contained, the next move is two phone calls, in this order. First, your IT provider or managed security partner. They have the tools and the context to scope the damage and take over the technical response. If you do not have one on a retainer, this is the moment you discover you needed one, and the moment to engage one.

Second, your cyber insurance carrier. Most policies require you to notify within a tight window, often 24 to 72 hours, and many carriers run a 24/7 breach hotline. Calling that hotline does more than protect the policy. It connects you to a breach coach, usually a lawyer, who coordinates forensics, legal duties, and communications. Engaging your own preferred firm without telling the carrier first can mean those costs are not covered, so check the policy before you spend a dollar. Our guide on what insurers ask for explains how the hotline and the breach coach fit together.

Keep both numbers somewhere that does not depend on your email or your network being up. A breach that locks you out of Microsoft 365 also locks you out of the contact list saved in it.

Step 4: Preserve the Evidence

Resist the urge to clean up. The forensics work that follows depends on the systems being left in the state the attacker left them. Practically, in the first hour that means:

  • Do not wipe, reimage, or factory-reset anything, however tempting it is to get back to work
  • Do not delete the suspicious email, the ransom note, or the odd files; they are clues, not garbage
  • Take photos of any ransom screens or error messages with your phone
  • Write down a rough timeline as you go: who noticed what, when, and what action was taken
  • Note which systems you isolated and which accounts you disabled, so the responders know your starting state

That timeline matters more than it sounds. When the breach coach and forensics team arrive, the first thing they ask is what happened and in what order. A page of notes saves hours and sharpens every decision that follows.
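A concrete way to carry out the Step 2 isolation and the Step 4 record-keeping on a single Windows workstation, as an added example that is not part of the original article: it disables the active network adapters and any named local accounts while leaving the machine powered on, and appends each action to a plain-text timeline for the responders. The log path and account names are placeholder assumptions, and it must be run from the machine's own console as Administrator, because it also cuts any remote session.

```powershell
# Added example (not from the original article): first-hour containment helper
# for a Windows workstation. Isolates the host and disables suspect local
# accounts WITHOUT powering off, logging every action with a timestamp.
# Assumptions: elevated PowerShell at the local console; the timeline path and
# account names are placeholders to replace with your own.
#Requires -RunAsAdministrator

param(
    [string[]]$SuspectAccounts = @(),                            # local accounts to disable (assumed names)
    [string]$TimelinePath = "$env:SystemDrive\IR-timeline.txt"   # plain-text log that survives without the network
)

function Write-Timeline {
    param([string]$Message)
    # Step 4: who did what, and when. Sortable UTC timestamps merge cleanly with other notes later.
    $stamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    $line = "{0} {1} {2}" -f $stamp, $env:USERNAME, $Message
    Add-Content -Path $TimelinePath -Value $line
    Write-Host $line
}

Write-Timeline "Containment started on host $env:COMPUTERNAME (machine left powered on)"

# Step 2: cut the network, keep the machine running. Disable every adapter that is
# currently up. Loopback is not listed by Get-NetAdapter, so local processes keep working.
$adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
foreach ($nic in $adapters) {
    Write-Timeline "Disabling adapter '$($nic.Name)' ($($nic.InterfaceDescription))"
    Disable-NetAdapter -Name $nic.Name -Confirm:$false
}
if (-not $adapters) {
    Write-Timeline "No active adapters found; confirm isolation by hand (cable out, Wi-Fi off)"
}

# Step 2: disable accounts that look compromised. Password resets belong on a
# known-clean device, so this script only disables accounts, it never resets them.
foreach ($acct in $SuspectAccounts) {
    if (Get-LocalUser -Name $acct -ErrorAction SilentlyContinue) {
        Disable-LocalUser -Name $acct
        Write-Timeline "Disabled local account '$acct'"
    } else {
        Write-Timeline "Account '$acct' is not local; disable it in the domain or Microsoft 365 admin centre"
    }
}

Write-Timeline "Containment complete. Do NOT power off or wipe this machine; give this timeline to the IT provider"
```

Copy the timeline file to a USB stick or photograph it so the record exists even if the machine is later taken for forensics.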

Step 5: Decide Who Decides

Incidents stall when nobody knows who has the authority to make the call. Before an incident, name one person as the incident lead, usually the owner or a senior manager, and one backup for when the lead is unreachable. During the first hour, the incident lead owns the business decisions: whether to shut down operations, what to tell staff, when to bring in outside help.

The technical decisions belong to your IT provider and, once engaged, the breach coach. The line is worth drawing clearly. The provider decides how to contain and recover. The owner decides what the business does while that happens. Mixing the two, where the owner starts deleting files or the technician starts emailing customers, is how good responses go sideways.

Step 6: Control Internal and Customer Communication

Communication in the first hour should be deliberate and narrow. Tell your staff enough to stop them making things worse, and tell them through a channel that still works. If email is down or possibly compromised, use phone or a text group. A simple internal message: stop using the affected systems, do not turn anything off, do not discuss this outside the company, and direct any questions to the incident lead.

Do not contact customers yet. It is natural to want to get ahead of it, but a message sent in the first hour is almost always wrong: too early, too vague, or admitting things you do not yet know are true. Customer and public communication should wait until you have facts and, ideally, until the breach coach has reviewed the wording. Premature statements can create legal exposure and erode trust faster than the breach itself.

The one exception is active fraud in progress. If money is moving or a bank account is exposed, call the bank and any affected party right away to stop the transaction. That is containment, not public relations.

Notification Duties Under PIPEDA

Canada's federal privacy law, PIPEDA, places real obligations on most private-sector businesses when personal information is involved in a breach. You do not need to memorise the statute, but you should know the shape of the duties so you do not miss them in the rush.

Under PIPEDA, if a breach of security safeguards creates a real risk of significant harm to an individual, you are required to notify the affected individuals and report the breach to the Office of the Privacy Commissioner of Canada, in both cases as soon as feasible. You also have to keep a record of every breach involving personal information, even the ones that do not meet the harm threshold. Significant harm is read broadly: it includes things like identity theft, financial loss, damage to reputation, and humiliation.

Two practical points. First, the obligation is yours as the organisation that controls the data, even if a vendor or your IT provider was where the breach happened. Second, the assessment of risk and the wording of notifications are exactly the kind of thing the breach coach exists to guide, which is another reason to make that insurer call early. If you want to understand your standing baseline before any incident, work through our PIPEDA compliance checklist. Provinces add their own rules on top, and sectors like health carry further duties, so treat this as the floor, not the ceiling.

A Simple Plan Outline You Can Adopt

An incident response plan does not need to be a binder. For most SMBs, one printed page taped inside a cabinet is enough. Fill in these blanks and you have a plan you can actually use at 2am:

  1. Incident lead and backup: names and personal mobile numbers
  2. IT provider emergency line: number, account or client ID, and after-hours contact
  3. Cyber insurance hotline: policy number and the 24/7 breach number
  4. Bank fraud line: for stopping payments and freezing accounts
  5. First moves: isolate, do not power off, do not wipe, do not email customers
  6. Internal message template: the short note you send staff to stop the spread
  7. Privacy duties reminder: assess for real risk of significant harm, keep a record, notify if required

Print it. Store a copy offline, because a copy that lives only in the system you just lost access to is no copy at all. Then test it once a year by reading it aloud and asking whether each number still works and each name is still the right person. That single hour of rehearsal is the cheapest cyber insurance you will ever buy.

Where ClayGen Helps

For our managed clients, the first-hour playbook is not a document you write alone. We are the IT provider on that printed page, with monitoring that often catches an incident before you do and a team that takes over containment when minutes matter. We help map the plan to your cyber insurance requirements and your privacy duties, and we keep the offline copies current so they are there when the network is not.

If you do not have a plan yet, that is the most common situation and an easy one to fix. Our managed cybersecurity service and managed IT service build the response capability in alongside the day-to-day support, so the first hour is rehearsed, not improvised. If you want to talk it through with no pressure, reach out, or browse the rest of our security and IT articles to keep building the baseline.

Incident Response FAQ

What should I do first if I think we have been breached?
Confirm it is real, then isolate the affected systems from the network without powering them off, and call your IT provider and your cyber insurer before doing anything else. Powering machines off or wiping them destroys evidence forensics needs, and contacting customers too early usually causes more harm than waiting for facts.

Why should I not just turn off the infected computer?
Powering a machine off destroys volatile evidence held in memory that a forensics team uses to determine how the attacker got in and how far they spread, and it can corrupt files that are mid-encryption. Disconnect it from the network instead, leaving it running, so it cannot reach anything else while the evidence is preserved.

Who should I call first after a suspected breach?
Call your IT provider or managed security partner first to scope and take over the technical response, then call your cyber insurance carrier, which usually runs a 24/7 breach hotline. The insurer call protects your coverage and connects you to a breach coach who coordinates forensics, legal duties, and communications.

When do I have to notify customers or regulators in Canada?
Under PIPEDA, if a breach creates a real risk of significant harm to an individual, you must notify the affected individuals and report it to the Office of the Privacy Commissioner of Canada as soon as feasible, and you must keep a record of every breach involving personal information. The risk assessment and the wording of notifications are exactly where a breach coach helps, so make the insurer call early.

How big does an incident response plan need to be?
For most small and mid-sized businesses, one printed page is enough. List your incident lead and backup, your IT provider and insurer emergency numbers, your bank fraud line, the first moves (isolate, do not power off, do not wipe, do not email customers), a short staff message, and a reminder of your privacy duties. Store a copy offline and rehearse it once a year.
