Your First Hour After a Cyber Incident: A Practical SME Incident Response Plan

What should an SME do in the first hour after a cyber incident? Here’s a practical incident response plan to reduce damage and restore control fast.

Most SMEs don’t fail to respond to cyber incidents because they don’t care. They fail because they’re unprepared for the first hour. In the moment, decisions get made quickly: someone resets a password, someone reboots a server, someone emails staff, someone calls the IT provider — often all at once, without coordination.

That chaos is understandable, but it can increase damage. The first hour is when you either contain the incident and preserve evidence, or you accidentally spread it, lose visibility, and make recovery harder. That’s why a simple, practical incident response plan is so valuable. It doesn’t need to be a 60-page document. It needs to be a clear sequence of actions that helps the business regain control.

Amazing Support is a multi-award-winning, Microsoft Partner and Cyber Essentials certified provider supporting SMEs across London, Greater London and Manchester. For SMEs, the goal in the first hour is not perfection — it’s containment, clarity, and control.

The short answer is this: in the first hour, you need to confirm what’s happening, contain spread, secure identity, preserve evidence, and coordinate communication — in that order.

Step 1: Assume it’s real and start logging actions

Pick one person to coordinate and keep a simple timeline of what’s happening and what actions are taken.

Step 2: Contain spread (don’t “clean up” yet)

Step 3: Secure identity immediately

Step 4: Preserve evidence

Avoid wiping devices or deleting logs until you know what you need for investigation, insurance, or legal purposes.

Step 5: Communicate clearly (internally first)

Tell staff what to do right now (e.g., don’t click links, report odd prompts, stop using a compromised device).

Step 6: Start recovery with priorities

Restore what matters most to keep the business operating, not what’s easiest.

FAQ

Should we shut everything down immediately?

Not always. Contain first, then make controlled decisions.

Should staff be told straight away?

Yes, but with clear instructions to avoid panic and misinformation.

What’s the biggest mistake SMEs make?

Trying to “fix” before containing and understanding what’s happening.

If you don’t currently have a clear business continuity incident response plan, we can help you build a practical one that your team can actually follow under pressure.
