IronSights
Incident Response 101: What to Do in the First 24 Hours of a Breach

How a business responds in the first 24 hours of a cyber security incident determines how much damage is done. Most businesses have no plan. This is what a structured first response looks like.

By Ryan Balloot, Managing Director. 28 September 2023.

The actions taken in the first 24 hours of an incident shape everything that follows: how much data is lost, how long systems are unavailable, what evidence is preserved for investigation, and what notification obligations are triggered.

Step One: Contain Before You Investigate

The most common mistake is attempting to investigate the cause before containing the damage. If you suspect ransomware, isolate affected systems from the network immediately. If you suspect account compromise, reset credentials and revoke active sessions in Microsoft 365 via the admin centre. Do not warn the account holder first if there is any risk the account is actively being used for malicious purposes.

Step Two: Assemble the Right People

At minimum: the person with IT decision-making authority, the person with legal or compliance responsibility, and whoever is managing the technical response. Notify your cyber insurer early — most policies require prompt notification and some provide access to incident response resources. Nominate a single incident commander with clear authority to make decisions.

Step Three: Document Everything

From the moment you become aware of an incident, begin logging: record what you observed, when you observed it, and what actions you took. This supports forensic investigation, demonstrates due process for any regulatory inquiry, and supports insurance claims.

Step Four: Preserve Evidence

Before any remediation — wiping systems, resetting passwords — consider what forensic evidence needs preserving: system logs, email logs, security alerts, and memory dumps from affected systems. Err on the side of preserving more rather than less before remediation begins.

Step Five: Assess Notification Obligations

Australia's Notifiable Data Breaches (NDB) scheme requires notification when a breach is likely to result in serious harm. This assessment needs to happen quickly. Legal counsel should be involved — getting it wrong in either direction has consequences.
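A containment and logging script for the Microsoft 365 case in Step One, added here as an example rather than anything from the original article: it disables the suspected account, revokes its sessions, exports its recent sign-ins (Step Four) and appends every action to a CSV incident log (Step Three). It assumes the Microsoft Graph PowerShell SDK is installed, that the operator holds a role permitted to disable users, and uses placeholder paths; the password reset itself is left to the operator.

```powershell
# Added example (not from the original article): contain a suspected compromised
# Microsoft 365 account with the Microsoft Graph PowerShell SDK and log every action.
# Assumes the SDK modules are installed and the operator holds a role that can disable users.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Reports
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # placeholder, e.g. user@example.com
    [string] $IncidentLog = ".\incident-log.csv"          # assumed log path (Step Three)
)

function Write-IncidentLog {
    param([string] $Action, [string] $Target, [string] $Result)
    # Step Three: each entry carries a UTC timestamp, the operator and the outcome.
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString("o")
        Operator     = $env:USERNAME
        Action       = $Action
        Target       = $Target
        Result       = $Result
    } | Export-Csv -Path $IncidentLog -Append -NoTypeInformation
}

# Delegated scopes: disable the account, revoke its sessions, read sign-in logs.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.EnableDisableAccount.All", "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
Write-IncidentLog -Action "Observed" -Target $user.UserPrincipalName -Result "AccountEnabled=$($user.AccountEnabled)"

# Step One: block sign-in first, then revoke refresh tokens so live sessions stop working.
try {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Write-IncidentLog -Action "DisableAccount" -Target $user.UserPrincipalName -Result "ok"
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-IncidentLog -Action "RevokeSessions" -Target $user.UserPrincipalName -Result "ok"
} catch {
    Write-IncidentLog -Action "Contain" -Target $user.UserPrincipalName -Result "FAILED: $($_.Exception.Message)"
    throw
}

# Step Four: export the account's recent sign-ins before any clean-up touches the tenant.
$signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)'" -Top 200
$signIns | Export-Csv -Path ".\signins-$($user.Id).csv" -NoTypeInformation
Write-IncidentLog -Action "ExportSignIns" -Target $user.UserPrincipalName -Result "$(@($signIns).Count) records"
```

Run it from an account that is not itself under suspicion, and keep the exported CSV files with the rest of the preserved evidence.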

When should we engage an external incident response team?

As soon as you suspect a serious incident and lack internal capability to contain and investigate it. Earlier engagement means less evidence loss, faster containment, and better recovery outcomes. Do not wait until you have confirmed the full scope.
