Report a Security Incident — Emergency Response Guide for Irish Business

Your business has been breached. What to do in the first 72 hours: containment, regulator notifications, evidence preservation. Emergency contacts included.

What to do in the first 72 hours after a breach (Irish business): contain the incident, notify the right regulators, and preserve evidence — in order, starting immediately. Disconnect affected machines without turning them off, secure your remaining accounts, assess the damage, then notify and begin recovery.

This page is written for the moment you're in right now. No jargon. No sales pitch. Just the steps you need to follow, in order, starting immediately.

Written by a CISA, CISSP, and CISM-certified practitioner with 25+ years of experience guiding Irish businesses through cyber incidents.

Key Contacts You May Need

  • Data Protection Commission (DPC) — report a personal data breach: +353 1 765 0100 / +353 57 868 4800 (DPC Breach Notification: https://www.dataprotection.ie/en/organisations/know-your-obligations/breach-notification)
  • NCSC Ireland — report a cybersecurity incident: +353 1 678 2333 (NCSC Incident Reporting: https://www.ncsc.gov.ie/incidents/)
  • An Garda Síochána — report cybercrime: 999 / 112 (emergency) or local station (Garda Cybercrime: https://www.garda.ie/en/crime/cyber-crime/)
  • Pragmatic Security — incident response guidance for Irish SMEs (Book Emergency Call: https://www.pragmaticsecurity.ie/book-a-call)

Do NOT Do These Things

Paying the ransom without expert advice

There is no guarantee you will get your data back. Many businesses pay and receive nothing, or receive a broken decryption key.

Turning off affected machines

This destroys forensic evidence that investigators need to understand how the attacker got in and what they accessed.

Delaying DPC notification beyond 72 hours

GDPR requires notification within 72 hours of discovery. Late notification can result in additional fines.

Making public statements before understanding the scope

Premature communication can cause unnecessary panic, legal exposure, and reputational damage.

Assuming your backups are clean

Attackers often compromise backups before triggering ransomware. Always verify backup integrity before restoring.

Trying to handle it alone

Incident response requires specialist skills. Engaging an expert early almost always reduces the total cost and recovery time.

The First 72 Hours — Step by Step

Follow these steps in order. Each phase builds on the previous one. If you're unsure about any step, skip to the next one and come back to it.

Minute 0–15: Stop the Bleeding

Disconnect affected machines from the network — pull the Ethernet cable or disable Wi-Fi. Do NOT turn them off. Do NOT log into any accounts from the affected machines. Take a photo of any ransom note or error message on screen. Write down the exact time you discovered the incident and what you observed.

Minute 15–60: Secure What's Left

Change all administrator and email passwords from a clean device (phone or unaffected computer). Enable multi-factor authentication on all accounts if not already active. Check whether your backups are intact — do NOT connect backup drives to affected machines. Tell your IT provider or IT person what has happened. Be specific about what you've seen.

Hour 1–4: Assess the Damage

Determine what type of attack this is: ransomware (files encrypted), data theft (data accessed or stolen), or business email compromise (fraudulent emails sent). Identify which systems and data are affected — customer data, financial records, email, files. Check whether the attacker is still active — are new files being encrypted? Are emails still being sent? Contact a cybersecurity incident responder if you don't have one (see contacts below).

Hour 4–24: Notify the Right People

Notify the Data Protection Commission (DPC) if personal data may have been accessed — you have 72 hours from discovery. Report the incident to An Garda Síochána — this is a criminal offence. Contact your cyber insurance provider — many policies require notification within 24 hours. Brief your board, senior management, and legal counsel.

Hour 24–72: Begin Recovery

Begin restoring systems from verified clean backups — start with the systems your business needs most. Implement additional security controls before reconnecting restored systems to the network. Communicate with affected customers, partners, or suppliers if their data may have been compromised. Document everything: what happened, when, what you did, what you found. You will need this for regulators, insurers, and your own lessons learned.

After the First 72 Hours

Once the immediate crisis is contained, you need to focus on three things: full recovery, understanding what happened, and making sure it doesn't happen again.

Full Forensic Investigation

Understand exactly how the attacker got in, what they accessed, and whether they're still present

Business Continuity

Restore operations in priority order — the systems that keep your business alive come first

Regulatory Compliance

Complete DPC notifications, customer communications, insurer reports, and full documentation

Security Improvements

Implement the controls that would have prevented this attack — and test them

Staff Communication

Brief your team honestly. They need to know what happened, what's being done, and what's expected of them

Prevention Is Always Cheaper Than Recovery

The average cost of recovering from a cyber attack is 10 to 50 times the cost of preventing one. Once you've stabilised, let's make sure this doesn't happen again.