The first hour after discovering a cyber attack is chaos. Phones ring, systems fail, and everyone looks to leadership for direction. What you do in those 60 minutes can mean the difference between containment and catastrophe.
This is your quick-reference guide for that moment. Print it. Share it with your leadership team. Know it before you need it.
Key insight: The goal of the first 60 minutes is not to solve the problem. It's to stop the bleeding, assemble the right people, and preserve your options. Resolution comes later.
Minutes 0-15: Immediate Containment
Your first priority is preventing the attack from spreading further.
Immediate actions:
✓ Isolate affected systems from the network (don't power off)
✓ Disable compromised user accounts
✓ Block known malicious IPs at the firewall
✓ Preserve logs and system state for forensics
Critical: Keep affected systems powered on but disconnected. Shutting down destroys volatile memory that forensic investigators need. The attacker may still be active, so isolation is about cutting their access, not destroying evidence.
Minutes 15-30: Activate Your Response Team
You cannot handle this alone. Get the right people engaged immediately.
1. Internal Leadership
- CEO/Executive sponsor
- IT/Security lead
- Legal counsel
- Communications/PR
2. External Partners
- Cyber insurance carrier (claims hotline)
- Incident response firm (if on retainer)
- Outside breach counsel
- Law enforcement (FBI, CISA) if appropriate
Call Your Insurance First
Your cyber insurance policy likely includes access to pre-approved incident response firms and breach counsel. Using these approved vendors ensures coverage. Call the claims hotline immediately, even before you know the full scope.
Minutes 30-45: Establish Communication Controls
What you say and how you say it matters enormously. Establish controls before information starts leaking.
Internal Communication
- Designate a single point of contact for employee questions
- Issue a brief holding statement to employees: "We are aware of a security incident and are actively responding. Please do not discuss externally. Updates will follow."
- Instruct employees not to post on social media or discuss with customers
External Communication
- Prepare a holding statement for any media or customer inquiries
- Designate one spokesperson (usually not the CEO unless necessary)
- Do not make any public statements until you understand what happened
Key insight: In the first hour, your message should be simple: "We are aware, we are responding, and we will share more when we can." Anything more specific risks being wrong.
Minutes 45-60: Preserve Evidence and Document
Everything you do from this point forward may be examined by investigators, regulators, insurers, and potentially lawyers. Document accordingly.
Evidence preservation checklist:
✓ Start an incident timeline with exact times
✓ Screenshot any ransom notes or attacker messages
✓ Preserve all system and security logs
✓ Document who did what and when
✓ Save all communications about the incident
✓ Note any systems that were modified or shut down
What NOT to Do
The first hour is as much about avoiding mistakes as taking the right actions.
Don't Contact the Attacker Directly
If you receive a ransom demand, do not respond. Attackers are skilled manipulators. Wait for professional negotiators if you decide to engage.
Don't Use Compromised Systems to Communicate
The attacker may be monitoring your email and chat systems. Use personal phones, out-of-band communication channels, or systems confirmed to be clean.
Don't Make Public Statements Yet
Anything you say publicly in the first hour will likely be incomplete or wrong. Wait until you have facts before communicating externally.
Don't Destroy Evidence
Well-meaning IT staff may try to "clean up" by wiping systems or deleting files. Stop them. Forensic evidence is critical for investigation and insurance claims.
Your First-Hour Checklist
Print this and keep it accessible
- [ ] Isolate affected systems from network (keep powered on)
- [ ] Disable compromised accounts
- [ ] Call cyber insurance carrier
- [ ] Activate incident response retainer (if applicable)
- [ ] Brief internal leadership team
- [ ] Engage legal counsel
- [ ] Issue internal holding statement to employees
- [ ] Prepare external holding statement
- [ ] Start incident timeline documentation
- [ ] Preserve all logs and evidence
- [ ] Establish out-of-band communication channel
- [ ] Schedule first status call for 90 minutes from discovery
Key Takeaways
- Contain, don't solve: your goal in the first hour is to stop the spread, not to fix the problem
- Preserve evidence: keep systems on, document everything, don't delete
- Get help fast: call your insurance carrier and incident response firm immediately
- Control communication: one spokesperson, holding statements only
- Don't engage attackers: wait for professional negotiators
Be Ready Before It Happens
The executives who handle the first hour well are the ones who prepared before the attack arrived. For a complete framework on building organizational readiness, Cybersecurity for CEOs provides the playbook you need.
"In a cyber attack, you don't rise to the occasion. You fall to your level of preparation. The first 60 minutes reveal whether you prepared or hoped."
Questions about incident readiness? Get in touch or connect with me on LinkedIn. I help leaders build the response capabilities that make the difference when attacks occur.