You don't need a thick binder. You need a one-page plan everyone can follow under pressure, prepared before anything happens. These are the six steps.
1. Prepare (before anything happens)
- List who to call: an internal lead, your IT provider, a security contact, and management.
- Know where your backups are and how to restore them.
- Keep contact details and this plan available offline — you may lose access to email.
2. Identify
Confirm that something is actually wrong and note what you see: a ransomware message, suspicious logins, missing files, a reported phishing click. Write down the time and the first symptoms — this will help the investigation later.
3. Contain
- Isolate affected devices — disconnect them from the network (unplug Ethernet / turn off Wi-Fi). Do not power them off if you can avoid it, so that evidence is preserved.
- Reset passwords and revoke sessions for affected accounts.
- Stop the spread before cleaning up.
4. Eradicate
Once contained, remove the cause: malware, malicious rules, compromised accounts, or the vulnerability that was exploited. Understand how it got in so it can't happen again.
5. Recover
Restore from clean backups, verify that systems are healthy, and monitor closely for signs that the attacker has returned. Bring services back in a controlled order, not all at once.
6. Learn
After the dust settles, hold a short review: what happened, what worked, what to improve. Update the plan and fix the gap that allowed the incident.
Do not rush to pay a ransom. Payment does not guarantee recovery, may be unlawful, and marks you as a target. Isolate first, preserve evidence, and get expert and legal advice before making any decision.
Know who you'll call
The worst time to find a security partner is mid-incident. We help SMEs prepare a realistic response plan — and can be the contact you call when something goes wrong.