The First Hour: What to Do When You Think You’ve Been Breached

The call usually comes in the same shape. It is a weekday morning, the voice on the other end is calm in the way people are calm right before they are not, and the sentence is some version of “I think something is wrong with our computers.” What happens in the next sixty minutes tends to decide whether this becomes a bad week or a bad quarter.

Most small businesses have no plan for that hour. They have backups they have never tested and a vague sense that they should “call someone.” So they spend the first hour the worst possible way: poking at the problem, rebooting things, and quietly making the situation harder to investigate. Let me give you the version I wish every owner had taped inside a cabinet.

Do not turn it off. Disconnect it.

The instinct is to power down the infected machine. Resist it. Shutting down can destroy evidence that lives only in memory, and it can trigger some malware to do worse on the way out. Instead, disconnect it from the network. Pull the Ethernet cable, turn off the Wi-Fi, but leave the machine running. You are trying to stop the spread without burning the crime scene.

If more than one machine is affected, or you are not sure how far it has gone, isolate the whole network from the internet rather than chasing individual devices. A business that loses an afternoon of connectivity recovers. A business that lets ransomware finish encrypting everything because nobody pulled the plug does not recover as cleanly.
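For the IT lead who has to do the disconnecting, here is what "disconnect it, don't turn it off" looks like on a Linux host. This is an added example, not something from the article: it assumes a Linux machine with iproute2 and root access, and the directory and file names are hypothetical. It first saves the volatile state that vanishes on shutdown (open connections, ARP cache, process list) to local disk with a timestamp, then drops every interface except loopback so the machine stays powered on but off the network.

```shell
#!/bin/sh
# Hypothetical isolation helper (added example, not from the article).
# Assumes Linux with iproute2; run as root. Evidence is written to local
# disk because the network will be gone a few seconds later.

EVIDENCE_DIR="${EVIDENCE_DIR:-/root/incident-$(date -u +%Y%m%dT%H%M%SZ)}"

# Pick the interfaces to cut: every name on stdin except loopback.
# Fed from `ls /sys/class/net` below; testable on its own.
isolation_targets() {
    grep -v -x 'lo'
}

# One timestamped line (UTC, so it lines up with other systems' logs).
note() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" | tee -a "$EVIDENCE_DIR/notes.log"
}

# Read-only capture of what a shutdown or reconnect would destroy.
snapshot_volatile_state() {
    mkdir -p "$EVIDENCE_DIR"
    note "snapshot on $(hostname) by $(id -un)"
    ss -tunap                        > "$EVIDENCE_DIR/connections.txt" 2>&1
    ip addr                          > "$EVIDENCE_DIR/ip-addr.txt"     2>&1
    ip neigh                         > "$EVIDENCE_DIR/arp.txt"         2>&1
    ps -eo pid,ppid,user,lstart,args > "$EVIDENCE_DIR/processes.txt"   2>&1
}

# Snapshot first, then pull the virtual cable on each interface.
isolate_host() {
    snapshot_volatile_state
    for dev in $(ls /sys/class/net | isolation_targets); do
        ip link set dev "$dev" down && note "interface $dev down"
    done
    note "host isolated; leave it powered on"
}

# Only act when invoked with --run, so reading or sourcing the file is safe.
if [ "${1:-}" = "--run" ]; then
    isolate_host
fi
```

Keep the evidence directory where the responders can find it; the notes log doubles as the written record the next section asks for.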

Make the calls, in order

This is why the printed page matters. When the network is down, you cannot look up the phone numbers that are stored on the network. Keep a paper card. In rough order:

  1. Your IT lead or security partner, the person who can actually start containing the problem.
  2. Your cyber insurance carrier’s incident hotline. Call them early. Many policies require it, and they often supply the responders.
  3. Your lawyer, because breach-notification clocks may already be running.
  4. If money moved or you are being extorted, law enforcement. The FBI takes these reports seriously.

Notice who is not first on that list: the ransom note. You do not negotiate with anyone in the first hour. You contain, you call, and you gather facts.

Write down what you see

Grab a notepad and timestamp everything. What machine, what time you noticed, what the screen said, what you clicked. This sounds bureaucratic in the moment, but your insurer, your responders, and possibly your regulators will all ask, and memory is unreliable under stress. A photo of the ransom screen with your phone is worth more than a paragraph you write from memory three days later.

Resist the urge to clean up

I have watched well-meaning office managers delete files, wipe machines, and “start fresh” before anyone understood what happened. It feels productive. It is the opposite. You destroy the evidence that tells you how they got in, which means you cannot be sure you have closed the door, which means they come back. Let the people whose job this is decide what gets cleaned and when.

The hour you spend before the bad day

Here is the quiet truth about that frantic first hour: almost all of the work happens before it ever arrives. The paper card with the phone numbers. The tested backup. The one person who knows they are allowed to pull the network without asking permission. A sixty-minute conversation with your team about “what would we actually do” turns the worst morning of your year from a panic into a procedure.

You do not need a thick binder. You need a single page, agreed on in advance, that anyone in the building could follow. Write it this week, while nothing is wrong. That is the cheapest insurance you will ever buy.
