The First 24 Hours After a Cyber Attack: What to Do and What Not to Do.

The first 24 hours after a cyber attack determine the outcome. Here is what Irish SMEs must do — and must not do — to contain damage and meet DPC obligations.


Imagine arriving at your business in Donegal, or anywhere else in Ireland, to find your systems locked, data inaccessible, or customer information compromised. This isn't a hypothetical scenario for many Irish SMEs. Recent reports indicate that one in three Irish SMEs experienced a cyberattack between May 2021 and April 2022 [3]. The moments immediately following a suspected breach are chaotic, but your cyber attack response in the first 24 hours can dramatically alter the outcome — determining the extent of damage, recovery time, and regulatory penalties. Knowing what to do after a data breach is paramount for continuity and reputation.

Immediate Actions: The First Critical Hours

When a cyber incident strikes, panic is a natural reaction, but swift, decisive action is crucial. The primary goal in these initial hours is to contain the threat and prevent further damage. This involves a series of technical and operational steps that must be executed with precision.

1. Isolate and Contain

The very first step is to isolate the compromised systems or networks. This means disconnecting affected devices from the internet and internal networks to stop the attack from spreading. For example, if a server is infected with ransomware, take it offline immediately. This might involve pulling network cables or disabling network interfaces. While this can disrupt operations, it's a necessary measure to prevent a small incident from becoming a catastrophic one. The National Cyber Security Centre (NCSC) Ireland's incident response process emphasizes containment as a critical phase [7].

2. Activate Your Incident Response Plan

If you have an incident response plan (and every Irish SME should), now is the time to activate it. This plan should clearly outline roles, responsibilities, and communication protocols. Don't waste precious time trying to figure out who does what. Your plan should guide your cyber attack response team through the initial steps, ensuring a coordinated effort. For many SMEs, this might mean contacting your external cybersecurity partner or vCISO immediately.

3. Initial Assessment and Evidence Preservation

While containment is ongoing, begin a preliminary assessment of the incident's scope. What systems are affected? What data might be compromised? Crucially, ensure that any potential evidence is preserved. This means avoiding actions that could overwrite logs or destroy forensic data. Take screenshots, document timestamps, and secure any affected hardware. This evidence will be vital for understanding how the attack occurred, mitigating future risks, and fulfilling potential legal or regulatory obligations. Think of it as securing a crime scene – every detail matters for the subsequent investigation.

Communication and Notification: Who Needs to Know?

Once the immediate technical actions are underway, attention must turn to communication. This is a delicate balance between transparency and protecting sensitive information. Incorrect or delayed communication can lead to reputational damage, regulatory fines, and loss of customer trust.

1. Internal Communication

Inform key internal stakeholders immediately. This includes senior management, legal counsel, and your incident response team. Ensure everyone understands their role and the gravity of the situation. Establish a clear internal communication channel to avoid misinformation and ensure a unified message.

2. External Communication (Strategic and Timely)

Deciding when and how to communicate externally is critical. This includes customers, partners, and potentially the public. Your incident response plan should have pre-approved communication templates. Transparency is important, but premature or inaccurate statements can be damaging. Focus on factual information and what steps you are taking to resolve the issue and protect affected parties.

3. Regulatory and Legal Obligations

Irish businesses operate under strict data protection regulations, primarily GDPR. If the cyber attack involves a personal data breach, you have a legal obligation to notify the Data Protection Commission (DPC) within 72 hours of becoming aware of the breach [12]. Failure to do so can result in significant penalties. The DPC provides practical guidance on how to handle data breaches and navigate these mandatory notifications [13].

Furthermore, certain sectors may have additional reporting requirements. For example, entities covered by the NIS2 Directive (which will soon be transposed into Irish law) will have stringent incident reporting obligations to NCSC Ireland. Understanding these obligations is a key part of your cyber attack response strategy.

What NOT to Do: Common Pitfalls to Avoid

In the high-pressure environment following a cyber attack, it's easy to make mistakes that can exacerbate the situation. Avoiding these common pitfalls is as important as taking the right actions.

1. Don't Panic or Act Impulsively

While urgency is necessary, panic leads to poor decisions. Stick to your incident response plan. If you don't have one, rely on expert advice. Avoid making drastic changes to systems without proper documentation or forensic consideration, as this can destroy valuable evidence.

2. Don't Delete or Alter Evidence

As mentioned, evidence preservation is paramount. Do not delete logs, reformat drives, or reinstall operating systems without first securing forensic images. This evidence is crucial for understanding the attack, recovering data, and potentially pursuing legal action or making an insurance claim. The CCPC (Competition and Consumer Protection Commission) also emphasizes the importance of evidence in consumer protection cases, which could arise from a data breach.

3. Don't Communicate Without a Plan

Resist the urge to make public statements or send out mass emails without a carefully crafted communication strategy. Hasty communication can spread misinformation, cause unnecessary alarm, and undermine trust. Ensure all communications are reviewed by legal and PR teams, if available, or by your vCISO.

4. Don't Go It Alone

Many Irish SMEs lack in-house cybersecurity expertise. Attempting to handle a sophisticated cyber attack without professional help is a recipe for disaster. Engage with cybersecurity experts, legal counsel specialising in data protection, and your cyber insurance provider immediately. They have the experience and tools to guide you through the crisis effectively. This is particularly true when considering what to do after a data breach that impacts customer data or critical business operations.




What This Means for Your Business

Cybersecurity is no longer optional for Irish businesses, and neither is preparedness. The first 24 hours after a cyber attack are a crucible moment. Having a robust incident response plan, understanding your regulatory obligations, and knowing when to call for expert help can be the difference between a recoverable incident and a business-ending catastrophe. Proactive measures, such as regular security assessments, employee training, and strong cyber hygiene, significantly reduce your risk. Even with the best preparation, knowing your cyber attack response steps for the immediate aftermath is vital.

References

  1. The first 24 hours after a ransomware attack - IISF
  2. Expert Incident Response & Threat Containment - VMGroup
  3. 1 in 3 Irish SMEs Hit by Cybercrime - LinkedIn
  4. Cybersecurity for Irish SMEs: How to Stay Ahead of Threats - Spector
  5. How Can Cyber Resilience Protect SMEs in Ireland? - Radium
  6. Cyber insurance - NFP
  7. National Cyber Emergency Plan - NCSC Ireland
  8. The Importance of Incident Containment during a Cyberattack - CommSec
  9. Cybersecurity incident simulation exercises - EY
  10. National Cyber Security Centre publishes Ireland's National Cyber Emergency Plan - Gov.ie
  11. Incident Response SANS: The 6 Steps in Depth - Cynet
  12. Breach Notification - Data Protection Commission
  13. A Practical Guide to Personal Data Breach Notifications - Data Protection Commission
  14. Data Breach Notification - TCD


Related Reading

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána — National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission Ireland: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.