Try this first
- 1List the people: who is incident lead (usually exec or IT lead), who handles internal comms, who handles customer comms, who calls outside parties (insurer, IR partner, DPA). Name, phone (personal and work), backup person.
- 2List the externals: cyber insurer (24x7 number), IR retainer (if any), bank (recall procedure), data protection authority (breach form), maybe police and NCSC. Phone numbers for emergencies, not email addresses.
- 3Describe the first 4 hours per scenario briefly: ransomware (isolate, do not power off, preserve logs, call insurer), BEC (revoke sessions, audit inbox rules, call finance), data breach (start the 72-hour clock, open the DPA form).
- 4Agree where communication happens. Mail might be compromised, then a Signal or WhatsApp group with a pre-defined list works. Not default Teams if it might be read by an attacker.
- 5Test once a year with a tabletop. 90 minutes with a scenario, walk through who does what, then update the plan based on the gaps you found.
When to bring us in
If you have a complex environment (production OT, customer data in cloud, international entities), bring in an external IR consultant to read the plan critically before you file it. A few hours of consult saves a week of chaos in a real incident.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.