How to Manage a Cybersecurity Incident

You’re a small business owner. Cybersecurity sounds like a problem for bigger fish, but small businesses are often the primary targets for digital criminals. Why? Because they’re easy pickings: small businesses are usually very busy and have no IT department.

So, again, you’re a small business owner. If you discovered a breach today, what would you do? Most owners don't know, and the panic that follows often leads to expensive mistakes.

Managing an incident isn’t just for technical engineers. It’s for people like you who must manage a crisis.

Here is a non-technical guide to help you navigate a security crisis without losing your cool.

1. Don’t Panic—Communicate Privately

When you suspect something is wrong — perhaps a suspicious wire transfer or a locked computer — the first step is to gather your key players. Avoid discussing the details on your main company email or Slack; if your system is compromised, the hackers might be "listening" to your plans. Keep your conversations private and offline until you’re in the clear.

2. "Stop the Bleeding"

Your instinct might be to start investigating "how" the breach happened. Ignore that for now. Your priority is to stop the damage.

  • Isolate: If one computer is behaving strangely, disconnect it from the wired network and Wi-Fi, or, even better, just shut it down.

  • Consult Experts: Talk to your IT provider before deleting information. Blindly cleaning up after a cybersecurity incident can sometimes delete the very evidence needed to recover your data or cause a permanent system crash.

3. Verify the Impact

Ask your team: “What is the worst-case scenario right now?” Is it customer credit card data? Your payroll system? Knowing exactly what is at risk helps you decide if you need to call your lawyer or insurance provider immediately.

4. Fix, Then Clean

Once the immediate threat is neutralized, implement a fix.

  • I’ll give you an opinion. It’s best to never just "clean" a hacked computer. It’s safer to wipe it entirely and restore from a known clean backup. This ensures no "backdoors" are left behind for the hacker to return.

  • I’ll give you another opinion. If, while verifying the impact, you suspect criminal activity (an internal or external aggressor may have committed a crime), you may need to preserve the evidence of that crime, so wiping the computer isn’t an option. Authorities must be notified, and the data has to be preserved in a forensically acceptable way.

5. Loop in the Professionals

If you suspect customer data was stolen, or if you believe a crime was committed, you likely have legal obligations.

  • Legal & PR: Digital privacy laws vary by state. Consult your legal counsel before sending a mass email to customers. The wording matters for your liability.

  • IT: Contact your IT provider for advice and best practices.

  • Insurance: Contact your cyber-insurance carrier early; they often provide forensic experts to help you recover.

6. The "After-Action" Review

Once the dust settles, hold a postmortem. Sit down with your team and ask: How did they get in? How can we stop it from happening again? Use this moment to turn a crisis into a stronger, more resilient business strategy. Document, document, document. Record when you learned of the event, how you communicated the event to your staff, how you stopped the bleeding, how you performed an investigation, and what countermeasures you put in place. Maintain an incident log so that you can learn from your mistakes or issues over time.
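An added example, not part of this article: a small Python incident log for the checklist above, in which each entry is chained to the previous one with a hash, so a later edit or deletion of an entry is detectable. The phase names and the sample notes in the test are my own constructed labels, not anything prescribed by the author.

```python
import hashlib
import json
from datetime import datetime, timezone

# Phases the article says to record; these labels are my own (assumption).
PHASES = ("learned", "communicated", "contained", "investigated", "countermeasures")


def _entry_hash(prev_hash, body):
    """Hash an entry together with its predecessor's hash (the chain link)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class IncidentLog:
    """Append-only incident log: each entry commits to the one before it,
    so editing or deleting an earlier entry is detectable later."""

    def __init__(self, incident_id):
        self.incident_id = incident_id  # constructed label, e.g. "INC-TEST-001"
        self.entries = []

    def record(self, phase, note, who, when=None):
        """Append one timestamped entry and return its hash."""
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase}")
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else "genesis"
        body = {"incident": self.incident_id, "phase": phase, "note": note,
                "who": who, "when": when, "prev": prev}
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = "genesis"
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _entry_hash(prev, body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def missing_phases(self):
        """Phases from the checklist that have no entry yet."""
        seen = {e["phase"] for e in self.entries}
        return [p for p in PHASES if p not in seen]
```

Keep the log somewhere the compromised machines cannot reach (a notebook or a separate device), and run `verify()` before handing the record to your lawyer, insurer or the authorities.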

Need help building your defense?

We help small businesses turn IT from a source of stress into a managed asset. Please reach out to us to help secure your operations today.

Russell Mickler

Russell Mickler is a computer consultant in Vancouver, WA, who helps small businesses use technology better.

https://www.micklerandassociates.com/about