Your Firm's First 24 Hours After a Breach Will Define the Next 12 Months
Not because of technical wizardry. Not because someone deployed the right tool at the right moment. Because of who got called, in what order, and whether the people making decisions understood what needed to happen before anything else.
The First Phone Call Sets the Tone
If IT gets called first and starts remediating before forensics can preserve evidence, you've already compromised the investigation. If your cyber insurer hears about the incident from one of your clients before they hear it from you, trust erodes in a way that's very difficult to rebuild. If partners find out through staff corridor conversations rather than a coordinated internal briefing, panic fills the vacuum where leadership should be.
I've seen all three of these play out in real incidents, sometimes in the same firm.
The fix is straightforward, and it costs nothing: map the call tree before you need it. Know who calls whom, in what order, within the first thirty minutes. Document it. Print it. Make sure it doesn't live exclusively on the server that might be encrypted when you need it most.
Your call tree should answer one question clearly: when we get the call at 9pm on a Friday, who does what?
The Three Things That Must Happen Before Anything Else
In the chaos of a breach, there's an overwhelming temptation to start fixing things. Resist it. Before remediation, before recovery, before anyone touches a keyboard with the intention of making the problem go away, three things need to happen — in this order.
First, preserve logs and evidence.
This means firewall logs, email logs, endpoint telemetry, access records, and any system that shows what happened, when, and to whom. If your IT team or MSP starts remediation before these are secured, critical evidence disappears. I've worked incidents where the most important forensic artefacts were overwritten within hours of detection — not by the attacker, but by well-meaning IT staff doing exactly what they'd been trained to do in any other context.
Second, notify your cyber insurer.
This is not a formality. Your insurer will deploy a breach coach, typically an experienced privacy lawyer, who coordinates the entire response. Legal privilege, regulatory notification obligations, client communication, forensic engagement, the breach coach orchestrates all of it. The sooner they're in the loop, the sooner the response becomes structured and defensible. Every hour of delay is an hour of uncoordinated activity that may need to be unwound later.
Third, contain — don't eradicate.
There's an enormous difference between stopping the bleeding and ripping out the stitches. Containment means limiting the attacker's ability to move further or access additional data. Eradication means removing them entirely, which often means destroying the evidence of how they got in, what they accessed, and how long they were there. You need to understand the scope before you start cleaning. Otherwise, you're answering every question the insurer, regulator, and affected client will ask with "we don't know" — and that answer has consequences.
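The first of the three steps above, preserving logs before anyone remediates, is the one that can be partly scripted. As an added example, not code from the article or its author, the Python below copies log files into an evidence store, records SHA-256 hashes, sizes, source timestamps and the collector's name in a manifest, and re-checks the copies later so a copy that was overwritten or altered is detected; the file names, the collector name and the sample log lines are constructed for illustration.

```python
# Added example, not from the article: hash and copy log files into an evidence
# store with a manifest, then verify the copies later. Paths are illustrative.
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in chunks so multi-gigabyte logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_evidence(sources, evidence_dir: Path, collector: str) -> dict:
    """Copy each log into evidence_dir; record hash, size, mtime and collector."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "items": []}
    for src in map(Path, sources):
        original_hash = sha256_file(src)        # hash before anything else touches it
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)                 # copy2 keeps the original mtime
        if sha256_file(dest) != original_hash:  # only byte-identical copies count
            raise RuntimeError(f"copy of {src} does not match the original")
        st = src.stat()
        manifest["items"].append({
            "source": str(src), "preserved_as": dest.name, "sha256": original_hash,
            "size": st.st_size,
            "source_mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()})
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir: Path) -> list:
    """Re-hash preserved copies; return the names that are missing or altered."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [i["preserved_as"] for i in manifest["items"]
            if not (evidence_dir / i["preserved_as"]).exists()
            or sha256_file(evidence_dir / i["preserved_as"]) != i["sha256"]]

def demo():
    """Constructed run: two fake logs, preserve, verify, then one copy gets altered."""
    work = Path(tempfile.mkdtemp())
    (work / "firewall.log").write_text("2024-01-05T21:03:11Z DENY 203.0.113.7 -> 10.0.0.5:445\n")
    (work / "mail.log").write_text("2024-01-05T21:04:02Z login user=jsmith ip=203.0.113.7\n")
    evidence = work / "evidence"
    manifest = preserve_evidence([work / "firewall.log", work / "mail.log"], evidence, "ir-lead")
    clean = verify_evidence(evidence)           # expected: [] right after collection
    (evidence / "mail.log").write_text("tampered\n")  # e.g. overwritten during remediation
    return len(manifest["items"]), clean, verify_evidence(evidence)
```

The manifest is what lets you later show the insurer and the forensic team exactly what was captured, by whom and when, and that it has not changed since.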
The "IT Guy Fixed It" Problem
Let me be direct about something: this is not a criticism of IT teams. Internal IT staff and managed service providers are trained to restore operations. That's their job. When something breaks, they fix it. When a system is compromised, they rebuild it. That instinct is correct in almost every scenario they encounter, except this one.
In a cyber incident, the objectives of forensics and the objectives of remediation are fundamentally different, and they often conflict. Forensic investigation needs the compromised environment preserved, at least long enough to capture disk images, memory dumps, and log files. Remediation wants to wipe the infection and restore from backups as fast as possible. If remediation runs first, forensics arrives to find a clean system and no evidence.
This creates real downstream problems. Your insurer needs evidence to validate the claim. Regulators need evidence to assess whether notification obligations are triggered. Your own firm needs evidence to determine which clients may have been affected. Without it, you're operating blind, making notifications you may not need to make, or worse, failing to make ones you should.
The answer isn't to sideline IT. It's to coordinate. Forensics and remediation need to work in parallel, with a clear understanding of what gets preserved before anything gets rebuilt. That coordination needs to be agreed in advance, not negotiated in the middle of a crisis.
What the Insurer Will Ask
If you've never been through a breach response with a cyber insurer, the questions the breach coach will ask might surprise you in their specificity. They're not asking whether you got hacked. They're asking questions that determine the legal, regulatory, and financial trajectory of the incident.
What systems were accessed?
Not what was targeted — what was actually accessed, with evidence to support it.
How long was the attacker in the environment?
Dwell time matters enormously for scoping obligations. An attacker who was present for forty-five minutes is a very different scenario to one who had access for six weeks.
Was data exfiltrated?
And critically, can you demonstrate whether it was or wasn't? In the absence of evidence, the assumption defaults to worst case.
Can you demonstrate the scope?
This is the question that separates a manageable incident from a months-long ordeal. If you have logs, forensic images, and a clear timeline, scope can be determined with confidence. Without them, every assessment becomes speculative — and speculative assessments lead to broader notifications, higher costs, and longer resolution timelines.
The firms that come through incidents in the best shape aren't the ones who never get breached. They're the ones who can answer these questions clearly because the evidence was preserved from the outset.
The Conversation You Should Have This Month
If you've read this far and you're thinking about your own firm's readiness, here's the single most valuable thing you can do — and it won't cost you anything beyond an hour of time.
Sit down with three people: your IT lead (whether that's internal staff or your MSP), a partner from the management or risk committee, and your cyber insurer's breach coach contact. If you don't know who your breach coach would be, call your insurer and ask. They'll tell you.
Walk through one scenario together. It doesn't need to be elaborate. Just ask: what happens when we get the call? A staff member reports a suspicious email. Or the MSP flags unusual network activity on a Saturday morning. Work through it step by step.
Who gets called first? Who has the authority to take systems offline? Where are the logs stored, and for how long? Does anyone have the breach coach's direct number? Is there a forensics provider on retainer, or will you be searching for one at 10pm? Who briefs the partners, and what do they say to clients who call on Monday?
You'll find gaps. Everyone does. That's the point. The gaps you find in a calm one-hour meeting are infinitely cheaper to fix than the gaps you discover at 2am during a live incident.
One hour. No cost. Massive impact on what happens when the call comes.
A Practical Starting Point
If you'd like a framework to support this conversation, our free 72-Hour Cyber Crisis Response Kit provides call trees, evidence preservation guidance, and first-day response checklists designed for real incidents, not compliance exercises.
Ready to Pressure-Test Your Response Plan?
If you'd like help facilitating that conversation — someone independent who's been through real incidents and can stress-test your plan with the questions that actually get asked — I'm happy to help. Or if you'd prefer a more structured review of your firm's incident readiness, including how your current logging, containment, and notification processes would hold up under a real breach scenario, reach out for a confidential conversation.
The best time to prepare was last year. The second best time is this month.
The Legal Cyber Brief — monthly cyber intelligence for law firm leaders. Threats, regulatory shifts, and practical tools from the field. No fluff.