Home/Materials/Cyberattack response
Cybersecurity and continuity

What to do in the first hours after a cyberattack: action plan

The first hours after an attack decide whether you lose a day or a week. We break down a step-by-step response plan and what to prepare in advance so the team does not waste time.

Updated: June 28, 2026 · Author: Evgeny Telenkov · ≈ 7 min read
What to do in the first hours after a cyberattack: action plan

The first hours: step by step

  1. Isolate. Disconnect infected systems from the network to stop the spread. Do not shut machines down blindly — it can destroy evidence.
  2. Assemble the response team. Pre-assigned roles: who leads, who handles IT, who handles communications.
  3. Assess the scope. What is affected, which processes are down, whether there is a data breach.
  4. Activate the continuity plan. Switch critical processes to backup options (see BCP).
  5. Communications. Agreed messages for customers, partners and staff; notify the regulator if required.
  6. Recovery. Bring systems back from isolated backups by priority (see DRP).
  7. Post-incident review. Causes, lessons, fixes — so it does not happen again.
What not to do: do not pay extortionists on emotion (no guarantees, it encourages attacks), do not "sweep" the incident under the rug without root-cause analysis, and do not stay silent where notification is mandatory. Why concealment is costly — in "Why companies hide cyberattacks".

What to prepare in advance

See how resilient your business really is

13 questions, 5 minutes, free — results on screen and by email.

Take the free assessment → Book a review · 4,900 ₽ BCM turnkey →

FAQ

What is the very first thing to do in an attack?

Isolate infected systems from the network to stop the spread, and assemble the pre-assigned response team. Do not shut machines down blindly — you can destroy evidence.

Should you pay extortionists for decryption?

Usually no: payment does not guarantee recovery and encourages new attacks. Rely on isolated backups and a recovery plan.

Do you have to report an attack?

For certain organisations and data, notifying the regulator is required by law. Even when silence is formally allowed, root-cause analysis matters more than concealment.

Evgeny Telenkov
Evgeny Telenkov
Chief Risk Officer · PhD in Economics · "Best Risk Manager of Russia 2020"
20 years in risk management. Led risk management at Beeline, Nornickel, Rosneft and EY. Built business continuity plans for Nornickel, Rostec, NSD and DIA. Trained 300+ risk and BCM specialists.
More about the approach and expert →
Read also
7 days of downtime: a cyberattack lesson →
A real ransomware case at a major insurer: 7 days of downtime, website and app offline. Which BCM mechanisms w
BCM, BCP, DRP — the difference →
How BCM, BCP, DRP and risk management differ in plain language. A clear levels diagram, comparison table and e
5-minute assessment →
Your resilience level, three main risks and first steps. Free.