ShawTech Blog

A Plain-English Cyber Incident Checklist for Small Businesses: What To Do in the First 24 Hours

April 11, 2026 · Tyler Shaw

Think your business might be dealing with a cyber incident? The first 24 hours matter. This plain-English guide walks small businesses through the key steps to take right away, from containing the issue to protecting accounts, communicating clearly, and preparing for recovery.

If your business thinks it may be dealing with a cyber incident, the first day matters.

That does not mean you need to panic.

It does mean you need to act carefully, quickly, and in the right order.

For many small businesses, the hardest part is not knowing where to begin. In the middle of a stressful situation, it is easy to lose time, make rushed decisions, or accidentally make the problem worse. A simple checklist helps bring some order to the chaos.

According to CISA, small businesses should have an action plan for cyber incidents, and NIST’s incident response guidance emphasizes preparation, containment, eradication, and recovery as core parts of an effective response process. The FTC also advises businesses hit by ransomware to isolate affected systems quickly and notify affected parties if personal information was compromised.

This guide is written in plain English and focuses on the first 24 hours after you suspect something is wrong.

First, what counts as a cyber incident?

A cyber incident can include things like:

  • A ransomware note appearing on a computer
  • Employees suddenly being locked out of accounts
  • Suspicious logins or MFA prompts
  • Business email compromise or fake invoice emails
  • Missing files or unusually changed files
  • Antivirus or security tools reporting malware
  • A server, PC, or cloud account behaving strangely without explanation
  • Evidence that customer or employee data may have been exposed

Not every technical problem is a cyber incident, but if something feels off and the cause is unclear, it is better to treat it seriously early than too late.

The goal for the first 24 hours

Your goal on day one is not to solve everything immediately.

Your goal is to:

  1. Stop the damage from spreading
  2. Preserve useful evidence
  3. Protect accounts and critical systems
  4. Figure out what was affected
  5. Make smart decisions about communication and recovery

Think of the first day as stabilizing the building before you start rebuilding the walls.

The first 24-hour cyber incident checklist

1) Confirm the symptoms and slow down the chaos

Start by identifying what you actually know.

Ask:

  • What was first noticed?
  • When did it start?
  • Which devices, accounts, or systems seem affected?
  • Is this one computer, several devices, email, cloud apps, or the whole network?
  • Has anything been encrypted, deleted, or accessed unexpectedly?

Write this down right away. Even rough notes help.

During an incident, memory gets fuzzy fast. A timeline started early can become very useful later.

2) Isolate affected devices right away

If you suspect a device is infected or compromised, disconnect it from the network as quickly as possible.

That can mean:

  • Unplugging the network cable
  • Turning off Wi-Fi
  • Disconnecting VPN access
  • Removing the device from remote access tools if needed

The FTC specifically advises businesses dealing with ransomware to immediately disconnect infected computers or devices from the network to limit damage.

Important note: do not start randomly wiping devices or reinstalling systems yet. Early containment is good. Blind destruction of evidence is not. Where you have the choice, pull the network connection rather than powering the machine off: shutting it down throws away whatever was running in memory, which is often the best evidence of what the attacker actually did.

3) Protect critical accounts immediately

If email, Microsoft 365, Google Workspace, banking, payroll, remote access, or admin accounts may be involved, move fast.

Priority actions:

  • Change passwords for affected accounts, and do it from a device you are confident is clean, not from the machine you suspect is compromised
  • Reset passwords for admin accounts first
  • Revoke active sessions and sign out all devices where the platform allows it; a password change on its own does not always end sessions that are already open
  • Review MFA settings, including any newly enrolled phones or authenticator apps
  • Check whether new forwarding rules, delegate access, third-party app access, or recovery methods were added
  • Disable compromised accounts temporarily if necessary

If the incident involves business email compromise, one of the biggest dangers is that the attacker quietly stays inside the account without being noticed, often by adding a mailbox rule that forwards or hides messages. Locking down access early can stop a bad situation from growing teeth.
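The mailbox-rule check above is the one most often skipped, so here is an added example of how to do it over an export. This script is not from the article or from ShawTech; it assumes you have already exported each mailbox's inbox rules into a list of dictionaries. The field names follow the properties Exchange Online's Get-InboxRule command returns (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, SubjectContainsWords), but the sample export, the internal domain, and the keyword and folder lists are constructed for illustration.

```python
"""Audit exported mailbox inbox rules for business-email-compromise persistence.

Added example, not the article's own code. Assumes rules were exported to a
list of dicts per mailbox using Get-InboxRule-style property names; all sample
data below is constructed.
"""
import re

# Domains the business legitimately uses. Assumed value for the example.
INTERNAL_DOMAINS = {"example-business.com"}

# Subject words attackers commonly key rules on so the owner never sees replies.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "password", "bank", "hacked", "phish"}

# Folders attackers use to hide mail from the mailbox owner.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "deleted items", "junk email"}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


def external_addresses(values):
    """Return the addresses in `values` whose domain is not one of ours."""
    found = []
    for value in values or []:
        match = EMAIL_RE.search(value)
        if match and match.group(1).lower() not in INTERNAL_DOMAINS:
            found.append(value)
    return found


def audit_rule(mailbox, rule):
    """Return a finding dict for a suspicious rule, or None if it looks benign."""
    findings = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        external = external_addresses(rule.get(field))
        if external:
            findings.append(f"{field} to external address(es): {', '.join(external)}")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves messages to '{rule.get('MoveToFolder')}'")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    hits = sorted(words & SUSPICIOUS_KEYWORDS)
    if hits:
        findings.append(f"matches subjects containing {hits}")
    if not findings:
        return None
    return {"mailbox": mailbox, "rule": rule.get("Name", "<unnamed>"), "findings": findings}


def audit_rules(mailboxes):
    """mailboxes: {address: [rule_dict, ...]}. Returns the list of flagged rules."""
    flagged = []
    for mailbox, rules in mailboxes.items():
        for rule in rules:
            finding = audit_rule(mailbox, rule)
            if finding:
                flagged.append(finding)
    return flagged


# Constructed sample export: one benign rule, two typical BEC persistence rules,
# and one internal redirect that should not be flagged.
SAMPLE_EXPORT = {
    "cfo@example-business.com": [
        {"Name": "Newsletters", "MoveToFolder": "Newsletters",
         "SubjectContainsWords": ["weekly digest"]},
        {"Name": ".", "ForwardTo": ["attacker@mail-drop.example"], "DeleteMessage": True},
        {"Name": "Filter", "SubjectContainsWords": ["invoice", "wire"],
         "MoveToFolder": "RSS Subscriptions"},
    ],
    "ops@example-business.com": [
        {"Name": "Team", "RedirectTo": ["ops-shared@example-business.com"]},
    ],
}

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_EXPORT):
        print(f"[{f['mailbox']}] rule '{f['rule']}': " + "; ".join(f["findings"]))
```

A rule named with a single character, a rule that both forwards and deletes, and a rule that files anything mentioning invoices into RSS Subscriptions are the classic shapes. Whatever the script flags, delete the rule and treat that mailbox as compromised until you know otherwise.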

4) Preserve evidence before making major changes

This part is easy to skip when stress is high, but it matters.

Before wiping systems, replacing devices, or deleting logs, preserve what you can:

  • Take photos or screenshots of ransom notes, alerts, pop-ups, or suspicious messages
  • Save copies of suspicious emails with headers if possible
  • Record device names, usernames, IP addresses, and times
  • Export logs from email, firewall, endpoint, VPN, or cloud platforms if available
  • Note what security tools detected and when

NIST’s incident response guidance emphasizes collecting and preserving relevant incident data so organizations can analyze the event, support recovery, and improve future response.

Even if you are a small business and not doing a full forensic investigation, preserving basic evidence can help you understand what happened and what needs to be fixed next.
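Saving a suspicious email "with headers" is only useful if someone then reads them. Here is an added example, not from the article, of the first pass a practitioner makes over a saved message: list the Received chain in the order the mail actually travelled, compare the visible From domain with the Return-Path and Reply-To, and pull the SPF, DKIM and DMARC verdicts out of the Authentication-Results header. It uses only Python's standard library. The message embedded below is constructed; every domain and address in it is invented.

```python
"""Triage the headers of a saved suspicious email (added example, not the
article's own code). Reads an .eml-style message and reports the hop chain,
sender-domain mismatches, and the receiving server's SPF/DKIM/DMARC verdicts.
The sample message is constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed fake-invoice message as a receiving mail server might store it.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-drop.example>
Received: from mx.example-business.com (mx.example-business.com [203.0.113.10])
 by mail.example-business.com with ESMTPS; Tue, 07 Apr 2026 09:12:03 +0000
Received: from relay.mail-drop.example (relay.mail-drop.example [198.51.100.7])
 by mx.example-business.com with ESMTP; Tue, 07 Apr 2026 09:12:01 +0000
Authentication-Results: mx.example-business.com; spf=fail smtp.mailfrom=mail-drop.example; dkim=none; dmarc=fail header.from=example-bank.com
From: "Accounts Payable" <ap@example-bank.com>
Reply-To: ap-team@mail-drop.example
To: cfo@example-business.com
Subject: Updated wire instructions for invoice 4471
Message-ID: <20260407091200.abc@mail-drop.example>

Please see the attached updated banking details and process today.
"""

FAILING = ("fail", "softfail", "none", "permerror", "temperror")


def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def domain_of(addr):
    """Extract the lowercase domain from a header value like '"Name" <a@b.c>'."""
    match = re.search(r"@([\w.-]+)", str(addr or ""))
    return match.group(1).lower() if match else None


def auth_results(msg):
    """Return e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def triage(raw):
    msg = parse_message(raw)
    from_dom = domain_of(msg["From"])
    ret_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    # Each hop prepends its own Received header, so reverse to get oldest first.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    verdicts = auth_results(msg)

    flags = []
    if ret_dom and ret_dom != from_dom:
        flags.append(f"Return-Path domain {ret_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) in FAILING:
            flags.append(f"{mech} result is {verdicts[mech]}")
    return {"from_domain": from_dom, "hops": hops, "verdicts": verdicts, "flags": flags}


if __name__ == "__main__":
    report = triage(SAMPLE_EML)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop}")
    for flag in report["flags"]:
        print("FLAG:", flag)
```

The first hop in the chain is the server the attacker actually handed the message to, which is the detail worth recording in your incident log alongside the addresses and times. Only trust the Authentication-Results header written by your own receiving server; anything earlier in the chain could have been forged by the sender.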

5) Figure out what systems are affected and what business functions are at risk

Now ask the practical business questions:

  • Is email affected?
  • Are shared files affected?
  • Is accounting or payroll affected?
  • Are point-of-sale systems affected?
  • Are remote workers affected?
  • Are backups affected?
  • Are customer-facing systems affected?
  • Is sensitive data potentially involved?

This is where the conversation shifts from “something is wrong” to “what is the blast radius?”

That matters because recovery priorities should be based on business impact, not just technical drama.

6) Check your backups, but do not trust them blindly

Many businesses say they have backups. Fewer know whether those backups are:

  • Recent
  • Complete
  • Isolated from the attack
  • Actually restorable

CISA’s small-business guidance tells organizations to back up important files, and broader response guidance stresses having restoration plans, not just backup copies.

In plain English: a backup is only helpful if you can restore from it safely and within a useful amount of time.

So on day one, verify:

  • What backups exist
  • When they last ran successfully
  • Whether they were also impacted
  • Which systems can actually be restored first

7) Do not assume it is “just one weird computer”

A common mistake is treating an incident like a single-device issue too early.

Sometimes it is.

Sometimes it is the visible tip of a much larger iceberg with a laptop taped to it.

Check for signs of broader spread:

  • Similar alerts on other machines
  • Multiple user lockouts
  • Strange admin activity
  • Unusual outbound traffic
  • New unknown accounts
  • Disabled security tools
  • Suspicious login locations or times

NIST’s incident response recommendations emphasize analyzing the scope and characteristics of the incident as part of containment and response.
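Most of the warning signs in the list above can be pulled out of the sign-in and endpoint logs your identity provider or security tools already keep. The following is an added example, not from the article, of a first pass over such logs: it flags one user signing in from two countries within an hour, a burst of lockouts across several users, a newly created account, and a security tool being switched off. The log format (timestamp, event, subject, country, detail) and the thresholds are assumptions, and the log lines are constructed; adapt both to whatever your platform exports.

```python
"""Scan sign-in and endpoint events for signs an incident is wider than one
machine (added example, not the article's own code). Log format, thresholds
and the sample lines are all constructed assumptions.
"""
from datetime import datetime, timedelta

LOCKOUT_WINDOW = timedelta(minutes=10)
LOCKOUT_THRESHOLD = 3               # distinct users locked out inside the window
TRAVEL_WINDOW = timedelta(hours=1)  # same user, two countries, inside this window

# Constructed CSV-style events: timestamp,event,subject,country,detail
SAMPLE_LOG = """\
2026-04-07T08:55:02Z,SIGNIN,alice,US,success
2026-04-07T09:01:12Z,SIGNIN,bob,US,success
2026-04-07T09:05:40Z,SIGNIN,alice,NG,success
2026-04-07T09:06:00Z,LOCKOUT,bob,,
2026-04-07T09:06:30Z,LOCKOUT,carol,,
2026-04-07T09:07:10Z,LOCKOUT,dave,,
2026-04-07T09:10:00Z,ADMIN,svc-backup,,user_created:helpdesk2
2026-04-07T09:11:00Z,ENDPOINT,WS-14,,av_disabled
2026-04-07T10:30:00Z,SIGNIN,erin,US,success
2026-04-07T12:00:00Z,SIGNIN,erin,CA,success
"""


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, subject, country, detail = line.split(",", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "kind": kind, "subject": subject, "country": country, "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_spread_indicators(events):
    indicators = []

    # 1. One user signing in from two different countries within TRAVEL_WINDOW.
    last_seen = {}  # user -> (timestamp, country) of the previous sign-in
    for e in events:
        if e["kind"] != "SIGNIN" or not e["country"]:
            continue
        prev = last_seen.get(e["subject"])
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
            indicators.append(
                f"{e['subject']}: sign-in from {prev[1]} then {e['country']} "
                f"within {e['ts'] - prev[0]}")
        last_seen[e["subject"]] = (e["ts"], e["country"])

    # 2. Lockouts of several different users inside a short window
    #    (a common side effect of password spraying or a spreading worm).
    lockouts = [e for e in events if e["kind"] == "LOCKOUT"]
    for i, first in enumerate(lockouts):
        users = {x["subject"] for x in lockouts[i:] if x["ts"] - first["ts"] <= LOCKOUT_WINDOW}
        if len(users) >= LOCKOUT_THRESHOLD:
            indicators.append(f"{len(users)} users locked out within {LOCKOUT_WINDOW}: {sorted(users)}")
            break

    # 3. New accounts and disabled security tooling are flagged individually.
    for e in events:
        if e["kind"] == "ADMIN" and e["detail"].startswith("user_created:"):
            indicators.append(f"new account {e['detail'].split(':', 1)[1]} created by {e['subject']}")
        if e["kind"] == "ENDPOINT" and "disabled" in e["detail"]:
            indicators.append(f"{e['subject']}: {e['detail']}")
    return indicators


if __name__ == "__main__":
    for indicator in find_spread_indicators(parse_events(SAMPLE_LOG)):
        print("INDICATOR:", indicator)
```

Erin's two sign-ins are deliberately an hour and a half apart so the script shows what it does not flag; tune TRAVEL_WINDOW and LOCKOUT_THRESHOLD to what is normal for your staff. Any hit here means the incident is no longer "one weird computer" and the isolation and account steps above need to be repeated for every subject named.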

8) Decide who needs to know internally

You do not need an all-hands panic parade, but the right people should know early.

Usually that includes:

  • The business owner or leadership
  • Internal IT or outside IT support
  • Whoever handles operations
  • Whoever handles customer communication, if needed
  • Legal, compliance, or insurance contacts if applicable

Keep the message simple and factual. Avoid guessing. Avoid blame. Avoid dramatic wording that outruns what you actually know.

A good early internal update sounds like this:

We are investigating a possible cyber incident affecting [system or area]. We have begun containment steps and are reviewing impact. Please do not delete suspicious emails, restart affected systems, or make changes unless directed.

9) Check insurance, contract, and regulatory notice obligations

If you have cyber insurance, review the policy and follow any notification requirements quickly. Some policies require specific reporting steps or the use of approved vendors.

Also consider whether your contracts, regulatory obligations, or privacy requirements trigger notice steps if sensitive information may have been exposed.

The FTC advises businesses to notify affected parties if personal information was compromised.

This is one of those moments where delay can create a second problem on top of the first.

10) Report the incident where appropriate

Depending on the incident, reporting may be appropriate to:

  • Your cyber insurance provider
  • Legal counsel
  • Law enforcement
  • The FBI Internet Crime Complaint Center
  • CISA
  • Affected vendors or service providers

CISA encourages organizations to report cyber incident information, and the FTC’s small-business ransomware guidance also says to report ransomware attacks to your local FBI office.

Not every incident needs the same reporting path, but serious incidents should not remain sealed inside a conference room forever.

11) Communicate carefully with staff, customers, and vendors

If other people may be affected, communication needs to be timely, calm, and honest.

That does not mean sharing every theory in real time.

It means explaining:

  • What you know
  • What you are doing
  • What actions others should take
  • What you will share next and when

Good communication reduces confusion. Bad communication multiplies it.

If email accounts were compromised, this is especially important because attackers may try to continue scams using your name.

12) Start planning recovery, but do not rush restoration

Once containment is underway and you have a clearer picture of impact, you can start planning recovery.

That may include:

  • Rebuilding infected systems
  • Restoring clean backups
  • Resetting passwords at scale
  • Re-enabling business services in phases
  • Monitoring for signs of reinfection
  • Validating that security controls are working again

NIST’s incident response lifecycle places recovery after containment and eradication for a reason: restoring too quickly without understanding the issue can reintroduce the same problem.

13) Keep a running incident log

Throughout the first day, keep a single running document with:

  • Time the issue was first reported
  • Actions taken
  • Accounts changed
  • Systems isolated
  • People notified
  • Evidence collected
  • Decisions made
  • Outstanding questions

This does two things.

First, it keeps your response organized.

Second, it gives you a useful record for insurance, compliance, outside support, or later review.

14) After the immediate danger, ask the uncomfortable follow-up questions

Once the situation is more stable, the next questions matter just as much as the initial response:

  • How did this happen?
  • What controls failed?
  • What warning signs were missed?
  • Was MFA enabled everywhere it should have been?
  • Were backups actually ready?
  • Were old devices, stale accounts, or weak processes part of the issue?
  • What should change so this is easier to catch next time?

CISA’s Cyber Essentials and small-business guidance both emphasize practical, prioritized improvements rather than trying to boil the whole ocean at once.

That is often where long-term value comes from. Not just surviving the incident, but coming out of it less fragile than before.

A simple first-24-hours summary

If you want the shortest version possible, focus on this order:

  1. Confirm what is happening
  2. Isolate affected systems
  3. Secure important accounts
  4. Preserve evidence
  5. Assess impact
  6. Verify backups
  7. Notify the right people
  8. Report if needed
  9. Plan careful recovery
  10. Document everything

That is the backbone.

Everything else builds on it.

Final thought

Cyber incidents are stressful, but confusion is often what causes the most wasted time in the first few hours.

A small business does not need a giant enterprise playbook to take smart first steps. It needs a calm process, clear priorities, and enough visibility to avoid making blind decisions under pressure.

That is one of the biggest practical advantages of being more proactive with IT in the first place. Better visibility does not just help with routine maintenance. It also helps when something goes sideways and the clock starts ticking.

If your business wants a clearer picture of day-to-day device health, account risk, reporting, and areas that may need attention before they turn into bigger problems, that is exactly the kind of gap ShawTech is built to help make easier to understand.