What Happens After a Cyberattack? A Step-by-Step Incident Response Guide for Small Businesses

TechSage Solutions · San Antonio, TX

It's 7am on a Tuesday. An employee calls saying their files look strange — names are garbled, nothing opens. Another employee is locked out of their email. Your first instinct is to reboot everything and hope for the best.

Don't.

The first hour after a cyberattack is the most consequential one. What you do — and equally important, what you don't do — in that window has a direct impact on how bad the damage gets, how much evidence survives for investigation, and what your options look like on the other side.

This guide is written for business owners and office managers, not IT teams. You don't need to be technical to follow it. You do need to have it before you need it.

The Six Steps of Incident Response

1. Don't Panic — But Do Act Immediately

The instinct to reboot devices, run a quick virus scan, or just wait to see if things clear up is dangerous. Rebooting can destroy forensic evidence. Waiting lets an attacker continue moving through your network. The right move in the first minutes is to stop what you're doing, leave the affected systems alone beyond what's described in Step 2, and get help on the phone.

2. Isolate Affected Devices — Without Wiping Them

Disconnect any device you believe is compromised from the network. Unplug the ethernet cable. Disable Wi-Fi. Do not turn the device off, do not factory reset it, and do not delete files. The device contains evidence that your IT provider and potentially law enforcement will need. Isolation stops the spread. Wiping destroys the trail.

If you're not sure which devices are affected, the safest move is to disconnect everything from the internet temporarily and let your IT provider assess the scope.

3. Call Your IT Provider or Incident Response Team

This is not a DIY situation. Call your managed IT provider immediately — they should have an emergency line for exactly this scenario. If you don't currently have a provider, this is the point where not having one becomes very expensive very fast.

A provider with 24/7 monitoring often catches these situations before the business owner even knows something is wrong. Behavioral anomalies, lateral movement inside the network, unusual data transfers — those show up in monitoring tools hours before the symptoms become visible to users. That early detection window is what determines whether an incident is contained quickly or spreads into something much worse.

4. Contain and Assess

Once your IT provider is engaged, the focus shifts to containment and scope assessment. This typically involves: disabling compromised user accounts, blocking suspicious external connections, halting automated backup processes (critical — you don't want to back up encrypted or corrupted data over your clean backup), and identifying which systems were affected and to what degree.

Assessment before cleanup is non-negotiable. Cleaning up a compromised system before you understand how it was compromised means the vulnerability that let the attacker in is still there.
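As an added illustration (not TechSage's tooling or any script the post describes), this is what the "isolate without wiping" action of Step 2 and the "halt backups" action of Step 4 look like when an IT provider scripts them for a single Windows endpoint. The evidence folder and the backup task name are assumptions; account disabling and network-wide blocking are done from the provider's admin systems, not from the suspect machine.

```powershell
# Hypothetical first-responder containment script (added example, not the post's own).
# Run as Administrator on the suspect Windows endpoint. It records volatile evidence,
# then cuts the network and pauses backups. It never powers off, resets or deletes anything.
param(
    [string]$EvidenceRoot   = "C:\IR-Evidence",   # assumed path; your provider picks the real one
    [string]$BackupTaskName = "NightlyBackup"     # assumed scheduled-task name for local backups
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$dir   = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$log   = Join-Path $dir "actions.log"

# Every action is timestamped so the investigators know what the responder changed, and when.
function Note([string]$msg) {
    $line = "$(Get-Date -Format o) $msg"
    Add-Content -Path $log -Value $line
    Write-Host $line
}

# 1. Capture volatile state BEFORE cutting the network. A reboot would erase all of this.
Note "Capturing volatile state"
Get-NetTCPConnection | Export-Csv (Join-Path $dir "tcp-connections.csv") -NoTypeInformation
Get-Process -IncludeUserName | Export-Csv (Join-Path $dir "processes.csv") -NoTypeInformation
Get-ScheduledTask | Select-Object TaskName, TaskPath, State |
    Export-Csv (Join-Path $dir "scheduled-tasks.csv") -NoTypeInformation
query user 2>$null | Out-File (Join-Path $dir "logged-on-sessions.txt")

# 2. Isolate: disable every active network adapter. The machine stays powered on.
Note "Disabling network adapters"
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Disable-NetAdapter -Name $_.Name -Confirm:$false
    Note "  adapter '$($_.Name)' disabled"
}

# 3. Halt local backups so encrypted or corrupted files are not written over clean copies.
$task = Get-ScheduledTask -TaskName $BackupTaskName -ErrorAction SilentlyContinue
if ($task) {
    Disable-ScheduledTask -TaskName $BackupTaskName | Out-Null
    Note "Backup task '$BackupTaskName' disabled"
} else {
    Note "Backup task '$BackupTaskName' not found on this host; confirm backup status with the provider"
}

Note "Containment done. Do NOT reboot, reset or delete anything. Hand '$dir' to the incident responders."
```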

5. Notify the Right People — and Know Your Obligations

This step is where many small businesses make their second-biggest mistake (after the reboot instinct). There are legal notification requirements, and missing them compounds your exposure significantly.

Your attorney. Call them early. They can advise on privilege protections for the investigation and guide you through notification obligations.

Your cyber insurance carrier. Coverage may depend on timely notification — some policies have tight windows. Call them before you start making decisions about remediation.

Affected clients or customers. Texas has a breach notification law (Texas Business and Commerce Code §521) requiring notification to affected individuals when their personal information is compromised. The timing and method requirements matter.

Regulators, if applicable. If you're in a compliance environment — CMMC, FTC Safeguards, HIPAA — your incident response plan should already include the specific notification requirements for your framework. If it doesn't, now is a very bad time to find that out.

6. Investigate Before You Restore

Restoring from backup before understanding how the attacker got in is one of the most common and costly mistakes in incident response. If you restore to an environment that still has the vulnerability that was exploited, you'll be in the same position again — potentially within days.

A proper investigation identifies the root cause: was it a phishing email that harvested credentials? An unpatched system with a known vulnerability? A compromised vendor account? Modern attackers often don't break in — they log in using legitimate credentials that were stolen or guessed. That's a fundamentally different problem to fix than a malware infection.

For guidance on backup strategy and common mistakes that make this step harder, this post on backup mistakes covers what most businesses get wrong before they need to use their backups under pressure.

Recover, Harden, and Document

Once the investigation is complete and the root cause is addressed, recovery can begin: restoring from clean backups, rebuilding affected systems, implementing fixes for identified vulnerabilities, and restoring normal operations in a sequenced way that doesn't reintroduce risk.

The post-incident review that follows is genuinely one of the most valuable things that comes out of a bad situation. What failed? Where did monitoring catch it? Where did it not? What needs to change in policy, technology, or employee behavior to reduce the probability of a repeat? A provider who takes incident response seriously will document all of this and turn it into a hardening plan, not just a cleanup bill.

The businesses that recover fastest from cyberattacks share one thing: they had a plan before the incident happened. Not a perfect plan — a real one. Written incident response procedures, a provider with a direct emergency line, and backups that had actually been tested.

The Best Incident Response Plan Is a Proactive One

Everything in this guide is easier when the groundwork is already in place. A provider monitoring your environment around the clock catches the early signs of an attack — the reconnaissance, the lateral movement, the credential testing — before it reaches the stage where an employee calls you at 7am to say something is wrong. A written incident response plan means your team knows exactly what to do in the first ten minutes instead of freezing. Tested backups mean restoration is a matter of hours, not weeks.

If you're a San Antonio business that doesn't currently have those things in place — or you're not confident your current provider does — that's the conversation worth having before you need this guide.

Don't Wait for an Incident to Find Out You Weren't Ready

TechSage provides 24/7 monitoring, incident response planning, and the kind of proactive cybersecurity services in San Antonio that catch problems before they become crises. Start with a free risk assessment.

Book a Free Discovery Call