
What to Do in the First 24 Hours After a Cyber Attack


You arrive at the office on a Monday morning. Employees can't log in. Files are inaccessible. There's an unfamiliar message on the screen demanding payment. Or maybe it's subtler — a vendor calls to say they received an unusual email from your account, or your bank flags a wire transfer you didn't authorize.

However it presents itself, you now know — or strongly suspect — that your business has been hit by a cyber attack.

What happens in the next 24 hours matters more than anything that happens in the weeks that follow. The speed and quality of your initial response determine how much data is lost, how much money is at risk, how long your business is disrupted, and whether your cyber insurance claim will be honoured.

This guide walks through the critical first 24 hours, step by step.

Hour 0-1: Stop the Bleeding

The first priority is containment — stopping the attack from spreading further.

Don't Panic, Don't Shut Everything Down

The natural instinct is to turn everything off immediately. Resist it. While disconnecting affected systems from the network is correct, powering off devices can destroy forensic evidence in memory that may be needed to understand the attack, recover data, or support an insurance claim.

Instead, disconnect — don't power off:

  • Unplug network cables from affected computers
  • Disconnect affected devices from Wi-Fi (turn off Wi-Fi on the device, don't just close the laptop lid)
  • Do not restart, wipe, or reinstall anything yet

Identify What You're Dealing With

Different attack types require different responses. In the first hour, try to determine:

  • Ransomware: Files are encrypted, ransom notes are visible, file extensions have been changed. Disconnect affected systems immediately to prevent lateral spread.
  • Business email compromise: Unauthorized emails sent from your account, fraudulent payment requests, unexpected password reset notifications. Change the compromised account's password and revoke active sessions immediately.
  • Account takeover: Unusual login activity, MFA prompts you didn't initiate, password changes you didn't make. Lock the affected accounts.
  • Data breach/exfiltration: Notification from a third party, unusual data transfers in logs, sensitive data appearing where it shouldn't. Preserve logs and evidence.
  • Malware infection: Unusual system behaviour, anti-malware alerts, degraded performance. Isolate affected devices from the network.

If you're not sure what you're dealing with, treat it as serious until proven otherwise. Containment first, classification second.

Call Your IT Support

If you have a managed service provider (MSP), IT support company, or internal IT person — call them now. Not email. Phone. Explain what you've observed and ask them to begin investigating immediately.

If your vendor or MSP has an emergency or after-hours number, use it. Cyber attacks don't respect business hours.

Hour 1-4: Assess and Escalate

Once immediate containment steps are taken, the next phase is understanding the scope and activating your support network.

Activate Your Incident Response Plan

If you have a written incident response plan, now is when you use it. Pull it out — the printed copy you keep accessible (because the digital copy may be on a compromised system) — and follow the steps.

If you don't have a formal plan, follow the steps in this guide and commit to building one after this is resolved.

Assess the Scope

Work with your IT support to determine:

  • Which systems are affected? Is it one workstation, one server, the entire network?
  • Which data may be compromised? Customer records? Financial data? Employee information? Email?
  • Are backups intact? Check whether your backup systems are accessible and whether they have been affected. Do not connect backups to compromised systems.
  • How did the attacker get in? A phishing email? A compromised account without MFA? An unpatched vulnerability? Understanding the entry point helps determine the scope.
  • Is the attack still active? Is the attacker still in your systems, or has the damage already been done?

Document everything as you go. Timestamps, observations, actions taken. This record will be critical for your insurer, law enforcement, and any regulatory notifications.
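One way to keep that running record so that later edits or deletions are detectable is a hash-chained incident log, where each entry commits to the previous entry's hash. The following is an added example (not code from the original guide); the entry kinds, field names and the sample timeline are constructed for illustration.

```python
"""Tamper-evident incident log: each entry stores a SHA-256 over the previous
entry's hash plus its own content, so any later edit, insertion or deletion
breaks the chain and is caught by verify_chain()."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # back-link of the first entry


def _entry_hash(prev_hash: str, ts: str, who: str, kind: str, text: str) -> str:
    # Canonical JSON keeps the hash stable regardless of dict ordering/whitespace.
    payload = json.dumps([prev_hash, ts, who, kind, text], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log: list, who: str, kind: str, text: str, ts: str = "") -> dict:
    """Append one record. 'kind' mirrors the guide's 'timestamps, observations,
    actions taken' (hypothetical values: observation / action / contact)."""
    prev = log[-1]["hash"] if log else GENESIS
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    entry = {"ts": ts, "who": who, "kind": kind, "text": text, "prev": prev}
    entry["hash"] = _entry_hash(prev, ts, who, kind, text)
    log.append(entry)
    return entry


def verify_chain(log: list) -> int:
    """Return -1 if every entry's hash and back-link are consistent, otherwise
    the index of the first entry that fails (edited, reordered or preceded by
    a deleted entry)."""
    prev = GENESIS
    for i, e in enumerate(log):
        expected = _entry_hash(prev, e["ts"], e["who"], e["kind"], e["text"])
        if e["prev"] != prev or e["hash"] != expected:
            return i
        prev = e["hash"]
    return -1


def build_sample_log() -> list:
    """Constructed sample timeline (not a real incident) following the guide's
    first-hour steps: observe, disconnect without powering off, call IT."""
    log = []
    append_entry(log, "j.doe", "observation", "Ransom note on FIN-WS-02; file extensions changed", "2025-03-03T13:05:00+00:00")
    append_entry(log, "j.doe", "action", "Unplugged FIN-WS-02 network cable; device left powered on", "2025-03-03T13:07:00+00:00")
    append_entry(log, "j.doe", "contact", "Called MSP emergency line; ticket opened", "2025-03-03T13:12:00+00:00")
    return log
```

Export the list as JSON to the insurer or investigator together with the final hash; they can rerun verify_chain() to confirm nothing was altered after the fact.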

Notify Your Cyber Insurer

If you have cyber insurance, notify your carrier as soon as possible — most policies require notification within 24 to 72 hours of discovering an incident. Late notification can jeopardize your claim.

Your insurer's claims line should be in your incident response plan. When you call:

  • Describe what you've observed
  • Explain what containment steps you've already taken
  • Ask whether they have a preferred incident response firm or forensic investigator — many insurers have pre-approved vendors, and using them may be required under your policy
  • Follow their instructions regarding evidence preservation

Do not engage a forensic investigator, legal counsel, or public relations firm on your own if your policy covers these services — the insurer may not reimburse costs for providers that weren't pre-approved.

Consider Legal Counsel

Depending on the nature of the attack, legal counsel may be needed early — particularly if personal information has been or may have been compromised. A lawyer experienced in cybersecurity and privacy law can advise on:

  • PIPEDA breach notification obligations
  • Privilege over forensic investigation findings (conducting the investigation under legal privilege can protect sensitive findings from disclosure in litigation)
  • Contractual notification obligations to clients, partners, or vendors
  • Communication strategy to minimize legal exposure

Your cyber insurance policy may include coverage for legal fees and may have pre-approved legal counsel.

Hour 4-12: Investigate and Communicate

Work With Forensic Investigators

For significant incidents — ransomware, confirmed data breaches, business email compromise with financial losses — a professional incident response team should investigate. They will:

  • Determine the full scope of the compromise
  • Identify the attacker's entry point and movement through your systems
  • Preserve forensic evidence in a way that is admissible and useful
  • Advise on eradication and recovery steps
  • Provide a timeline of the incident

If your cyber insurer has assigned an incident response firm, work with them. If not, the Canadian Centre for Cyber Security can provide guidance.

Communicate With Your Team

Your employees need to know what's happening — and what to do. Communication should be clear, calm, and specific:

  • What happened (at a high level — you don't need to share technical details)
  • What they should and should not do — don't log in to affected systems, don't click any unusual links, don't discuss the incident publicly or on social media
  • Who to contact if they notice anything unusual or have questions
  • What the plan is — when you expect to have more information, what the next steps are

If the attack involved compromised email accounts, communicate through an alternative channel — phone, text, or a messaging platform that isn't connected to the affected systems.

Report to Authorities

Canadian Centre for Cyber Security: Report the incident by calling 1-833-CYBER-88 (1-833-292-3788) or through the My Cyber Portal. The Cyber Centre can provide technical guidance and, in cases involving significant threats, may be able to assist directly. In 2024-2025, the Cyber Centre issued 336 pre-ransomware notifications to Canadian organizations.

Local Police: File a report with your local police service. While local police may not have the capacity to investigate cybercrime directly, the report creates an official record that may be needed for insurance claims and regulatory filings.

Canadian Anti-Fraud Centre: If the incident involves fraud (such as BEC), report to the CAFC at 1-888-495-8501 or online at antifraudcentre.ca.

Hour 12-24: Plan Recovery and Fulfil Obligations

Determine PIPEDA Notification Requirements

If the incident involves personal information — and most cyber attacks that compromise business systems do — you need to assess whether PIPEDA's mandatory breach notification is triggered.

Under PIPEDA, you must report a breach to the Office of the Privacy Commissioner of Canada when it creates a "real risk of significant harm" (RROSH) to individuals. Given the nature of most cyber attacks, the threshold is met in the majority of cases.

If RROSH is met, three obligations apply:

  1. Report to the Privacy Commissioner — as soon as feasible
  2. Notify affected individuals — inform them of what happened and what they can do to protect themselves
  3. Keep records — maintain records of the breach for 24 months

Failure to comply can result in fines of up to $100,000 per violation. Your legal counsel and cyber insurer can help you navigate this process. For a detailed overview, see our guide to Canada's privacy landscape.

Begin Recovery Planning

Once the investigation has determined the scope and the attacker's access has been eliminated, recovery can begin:

  • Prioritize critical systems. Restore the systems your business needs most — email, financial systems, customer-facing services — first. Use the priority list from your incident response plan.
  • Restore from clean backups. Only restore from backups that you have verified are not compromised. If backups are cloud-based, confirm the backup predates the attack.
  • Patch before reconnecting. Close the vulnerability or access method the attacker used before bringing restored systems back online. Otherwise, the same attack can succeed immediately.
  • Reset all credentials. Change passwords for all accounts — not just the ones known to be compromised. Enable MFA everywhere it wasn't already in place.
  • Monitor closely. After recovery, monitor systems for signs of re-compromise. Attackers sometimes maintain secondary access methods (persistence mechanisms) that survive the initial cleanup.

Notify Affected Parties

Depending on the nature of the incident, you may need to notify:

  • Customers whose data may have been accessed
  • Employees whose personal information was affected
  • Business partners and vendors who may be at risk or whose data was involved
  • Your bank if financial accounts may be compromised
  • Contractual parties where your agreements include breach notification requirements

Work with legal counsel on the content and timing of notifications to ensure compliance and minimize legal exposure.

After the First 24 Hours

The immediate crisis response is just the beginning. In the days and weeks that follow:

  • Complete the forensic investigation — understand exactly what happened, what data was accessed, and how
  • Implement the recommendations — close the gaps that allowed the attack to succeed
  • Conduct a post-incident review — what worked, what didn't, what needs to change
  • Update your incident response plan — incorporate lessons learned
  • Review your security posture — MFA on all accounts, patching current, backups tested, training refreshed

The Key Takeaway

The first 24 hours after a cyber attack are about three things: contain, communicate, and preserve. Contain the damage to prevent it from spreading. Communicate with the right people — your IT support, your insurer, your team, and the authorities. Preserve evidence so that investigators, insurers, and regulators have what they need.

Every action in the first 24 hours is easier and faster with a plan. If this guide highlighted gaps in your preparedness, our free assessment evaluates your organization across all 13 of the Canadian Centre for Cyber Security's Baseline Control areas — including incident response readiness, backup integrity, and authentication controls. It takes under 10 minutes and shows you exactly where to strengthen your defences before the next incident.


Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.

Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
