The first 72 hours after a cyber incident matter most
If your business is dealing with ransomware, suspicious access, data exposure, or a possible compromise, the goal is simple: contain the damage, preserve evidence, stay compliant, and recover without creating new problems in the process.
What separates a controlled response from a chaotic one
This is the structure we recommend for Canadian businesses responding to a breach or suspected breach.
Speed is critical
The first 72 hours typically determine whether the incident stays contained or becomes a broader operational and legal problem.
Contain first, panic last
You need disciplined containment, not random shutdowns that create blind spots and data loss.
Communication discipline
Use a single source of truth. Internal confusion and premature statements can make the response much worse.
Document everything
Track actions, timestamps, decisions, affected systems, and who approved what. This matters for forensics, insurance, and legal review.
A practical incident response framework
The exact order varies by incident, but this is the shape of a disciplined breach response.
Immediate response
- Activate the response team and assign one lead decision-maker.
- Confirm what appears affected: endpoints, email, cloud accounts, servers, backups, or identity systems.
- Preserve logs, screenshots, timestamps, and system state before broad cleanup begins.
- Assess whether cyber insurance, external counsel, or forensic partners need to be engaged immediately.
Containment
- Isolate affected systems carefully, without destroying evidence: prefer network isolation (EDR quarantine, VLAN or firewall block) over powering off, because a shutdown discards memory, active connections, and other volatile state an investigator needs.
- Revoke suspicious sessions, rotate exposed credentials (passwords, tokens, API keys, and service-account secrets), and restrict risky access paths.
- Stabilize critical business operations, especially email, identity, and file access.
- Identify whether the threat is still active or has already completed its objective.
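As an added example (not the page's own runbook or tooling): the preserve-then-contain order of the Immediate response and Containment steps, applied to one suspected-compromised Microsoft 365 account with PowerShell. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the listed Graph scopes plus an Exchange and user-admin role, and that Entra sign-in logs are available through Graph (a P1/P2 feature). The UPN, evidence path, and helper name `Write-Action` are placeholders chosen for this example.

```powershell
# Added example: preserve evidence first, then contain, for one M365 account.
param(
    [Parameter(Mandatory)] [string] $Upn,               # e.g. 'user@example.com' (placeholder)
    [string] $EvidenceRoot = 'C:\IR\evidence',          # assumed local evidence location
    [string] $Operator = $env:USERNAME
)

$ErrorActionPreference = 'Stop'
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$caseDir = Join-Path $EvidenceRoot ("{0}_{1}" -f ($Upn -replace '[^\w.@-]', '_'), $stamp)
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
$actionLog = Join-Path $caseDir 'actions.log'

# Every action gets a UTC timestamp and the operator name: the "document everything" record.
function Write-Action([string] $Message) {
    $line = "{0}`t{1}`t{2}" -f (Get-Date).ToUniversalTime().ToString('o'), $Operator, $Message
    Add-Content -Path $actionLog -Value $line
    Write-Host $line
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Write-Action "Connected to Graph and Exchange Online; case folder $caseDir"

# --- 1. Preserve: export state that containment will change or that proves what happened ---
$signIns = @(Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -All)
$signIns | Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
    @{n='ErrorCode'; e={ $_.Status.ErrorCode }},
    @{n='Location';  e={ "$($_.Location.City), $($_.Location.CountryOrRegion)" }} |
    Export-Csv -Path (Join-Path $caseDir 'signins.csv') -NoTypeInformation
Write-Action "Exported $($signIns.Count) sign-in records"

# Inbox rules and mailbox forwarding are the usual BEC persistence; capture before touching them.
$rules = @(Get-InboxRule -Mailbox $Upn)
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, Description |
    Export-Csv -Path (Join-Path $caseDir 'inbox_rules.csv') -NoTypeInformation
$mbx = Get-Mailbox -Identity $Upn
$mbx | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Csv -Path (Join-Path $caseDir 'mailbox_forwarding.csv') -NoTypeInformation
Write-Action "Exported $($rules.Count) inbox rules and mailbox forwarding settings"

# Attacker-registered MFA methods are another persistence path; record what is registered now.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{n='Type'; e={ $_.AdditionalProperties['@odata.type'] }} |
    Export-Csv -Path (Join-Path $caseDir 'auth_methods.csv') -NoTypeInformation
Write-Action 'Exported registered authentication methods'

# Hash the evidence files so later review can show they are unchanged since collection.
Get-ChildItem -Path $caseDir -File | Where-Object Name -ne 'actions.log' |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "{0}  {1}" -f $_.Hash, (Split-Path $_.Path -Leaf) } |
    Set-Content -Path (Join-Path $caseDir 'manifest.sha256')
Write-Action 'Wrote SHA-256 manifest of preserved evidence'

# --- 2. Contain: sessions, then credential, then account, then persistence ---
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Action 'Revoked sign-in sessions and refresh tokens'

# Rotate the password to a random value that is never logged; requires a role that can reset passwords.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $true }
Write-Action 'Reset password to a random value (value not recorded)'

Update-MgUser -UserId $Upn -AccountEnabled:$false
Write-Action 'Disabled account pending investigation'

# Disable (do not delete) rules that move mail somewhere, and clear mailbox-level forwarding.
foreach ($r in $rules | Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage) }) {
    Disable-InboxRule -Mailbox $Upn -Identity $r.Identity -Confirm:$false
    Write-Action "Disabled inbox rule '$($r.Name)'"
}
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
Write-Action 'Cleared mailbox forwarding'

# --- 3. Verify the containment actually took effect before reporting it ---
$enabled = (Get-MgUser -UserId $Upn -Property AccountEnabled).AccountEnabled
Write-Action "Verification: AccountEnabled=$enabled, active forwarding rules=$(@(Get-InboxRule -Mailbox $Upn | Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.RedirectTo) }).Count)"
```

Rules are disabled rather than removed and forwarding settings are exported before being cleared so the investigator can still see what the attacker configured; the action log and manifest go to the same case folder that legal, insurer, and forensic partners will ask for.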
Assessment and notifications
- Determine what data may have been accessed, encrypted, deleted, or exfiltrated.
- Coordinate with legal counsel on privacy, contractual, and reporting obligations.
- Prepare internal, client, and partner communications using approved messaging.
- Decide what must be reported to regulators, insurers, vendors, or law enforcement.
Recovery planning
- Prioritize restoration of business-critical systems in a controlled sequence.
- Validate backup integrity before reintroducing systems into production: confirm the backup predates the intrusion, restores cleanly, and has been checked for the attacker's tooling, otherwise you restore their foothold along with the data.
- Close the access path that enabled the breach before declaring recovery.
- Confirm monitoring is in place to detect repeat activity during restoration.
Post-incident review
- Build a clear incident timeline and root-cause narrative.
- Document lessons learned, process failures, and control gaps.
- Update policies, security controls, training, and vendor expectations.
- Use the incident to improve resilience, not just return to baseline.
What not to do
- Do not mass-delete suspicious mailboxes or wipe devices before evidence is preserved.
- Do not let multiple people issue public or client-facing statements independently.
- Do not assume encryption means no data was stolen. Ransomware operators routinely exfiltrate data before encrypting it and use the threat of publication as additional leverage, so treat every ransomware event as a possible data breach until the evidence shows otherwise.
- Do not treat recovery as complete until access, monitoring, and hardening are verified.
What should already be in place
- Response team roles and emergency contacts kept current
- Cyber insurance details available and reviewed
- Legal counsel identified for privacy and breach notification advice
- Backup testing performed and documented
- Privileged access controls and MFA enforced
- Approved communication templates prepared in advance
- Tabletop exercises run at least annually
Support during and after an incident
- Containment support for Microsoft 365, endpoints, identity, and network access
- Coordination with legal, insurance, and specialist forensic partners
- Restoration sequencing and recovery planning
- Documentation and evidence preservation support
- Hardening and remediation after the immediate incident is controlled
- Longer-term improvement planning so the same issue does not happen twice
Think you may have a breach?
If something looks wrong, move quickly, but do it in the right order. We can help you assess the situation, contain it, and coordinate the technical side of the response without making the incident harder to investigate.