What to Do in the First 24 Hours of a Cyberattack — The Melbourne Business Playbook
When a cyberattack hits your business, the actions you take in the first 24 hours have an enormous impact on the final outcome — the extent of data loss, the cost of recovery, your regulatory standing, and your relationship with customers. Businesses that have a documented response plan recover significantly faster and at lower cost than those responding reactively.
Before an Attack — Build Your Plan
Document your incident response plan before you need it. It should cover: the contact details of your cybersecurity provider, your cyber insurer and your bank's fraud line; a list of your critical systems and who is responsible for each; your backup locations and restoration procedures, including how long a restore actually takes (test this, because a backup you have never restored is an assumption, not a plan); your obligations under the Notifiable Data Breaches scheme of the Privacy Act and the OAIC's notification form; and the chain of communication, meaning who needs to be informed internally and externally, and in what order. Keep a printed copy and a copy stored outside your main systems, since a ransomware attack can make the plan itself unreadable at the moment you need it.
Hour 1 — Contain the Damage
The first priority is preventing the attack from spreading. Disconnect affected computers from the network by unplugging ethernet cables and disabling WiFi. Do not turn computers off: what is in memory (running processes, open network connections, and in some ransomware cases the encryption keys) is lost at power-off and may be needed for insurance claims and regulatory investigations. Alert all staff immediately not to use their devices until given the all-clear. From a device you trust, change passwords on critical accounts, and also sign out all active sessions and revoke app passwords or tokens, because a password change alone does not end a session the attacker already holds; if email is involved, check mailboxes for forwarding or deletion rules the attacker may have added. Note the time of every action you take. If you are an IntrusionX client, call +61 499 468 971 immediately — we have 24/7 incident response capability.
Hours 1-2 — Assess What Has Happened
With the spread contained, assess the situation. What type of attack is this: ransomware, data theft, email compromise, fraud? Which specific systems and data are affected? When did the attack begin? The visible event (a ransom note, a fraudulent payment) often comes days or weeks after the initial access, so look for earlier signs such as unfamiliar logins, new mailbox rules or disabled antivirus. What data may have been accessed, stolen, or destroyed? Document everything you observe, who observed it and the time of each observation, and keep that record somewhere the attacker cannot reach; it is essential for insurance and regulatory purposes.
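The two points above, preserving evidence during containment and keeping a timed record of observations, are easier to defend later if the record itself is tamper-evident. The following is an added example, not IntrusionX code and not part of the original playbook: a small Python incident timeline where each entry is chained to the previous one with SHA-256 and any evidence file is fingerprinted when it is logged, so a later edit to any entry (or to the evidence) is detectable. The file names, observer name and ransom-note text are constructed sample data.

```python
"""Tamper-evident incident timeline with evidence hashing.

Added illustration, not IntrusionX code. Each entry records the SHA-256
of the previous entry, so changing any line breaks the chain from that
point on, and evidence files are hashed at the moment they are logged.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def sha256_file(path):
    """Fingerprint an evidence file (screenshot, exported log, ransom note)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    # Hash the canonical JSON form of the entry, excluding its own hash field.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLog:
    """Append-only JSON-lines timeline; reopening an existing file resumes the chain."""

    def __init__(self, path):
        self.path = path
        self.prev_hash = GENESIS
        if os.path.exists(path):
            with open(path) as f:
                for line in f:
                    self.prev_hash = json.loads(line)["entry_hash"]

    def record(self, observer, observation, evidence_path=None, when=None):
        entry = {
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "observer": observer,
            "observation": observation,
            "prev_hash": self.prev_hash,
        }
        if evidence_path:
            entry["evidence"] = {"path": evidence_path, "sha256": sha256_file(evidence_path)}
        entry["entry_hash"] = _entry_hash(entry)
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        self.prev_hash = entry["entry_hash"]
        return entry


def verify_log(path):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    with open(path) as f:
        for i, line in enumerate(f):
            entry = json.loads(line)
            if entry["prev_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
    return True, None


def demo():
    """Write a three-entry timeline, verify it, then edit one entry and verify again."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "incident.jsonl")
    evidence = os.path.join(workdir, "ransom_note.txt")  # constructed sample evidence
    with open(evidence, "w") as f:
        f.write("Your files are encrypted. (constructed sample)\n")

    log = IncidentLog(log_path)
    log.record("J. Smith", "Ransom note on FINANCE-PC; ethernet unplugged, PC left powered on",
               evidence_path=evidence)
    log.record("J. Smith", "Called insurer hotline; claim reference pending")
    log.record("J. Smith", "IR provider engaged; instructed not to rebuild")
    intact, _ = verify_log(log_path)

    # Simulate someone rewording the second entry after the fact.
    with open(log_path) as f:
        lines = f.readlines()
    edited = json.loads(lines[1])
    edited["observation"] = "Insurer notified within policy window"
    lines[1] = json.dumps(edited, sort_keys=True) + "\n"
    with open(log_path, "w") as f:
        f.writelines(lines)
    still_intact, bad_index = verify_log(log_path)
    return intact, still_intact, bad_index


if __name__ == "__main__":
    print(demo())
```

An edit can only be hidden by recomputing every later entry's hash, so send the latest entry hash to someone outside your systems (your insurer's claim email, your lawyer) at the end of each day; that external copy pins the whole timeline up to that point.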
Hours 2-8 — Get Expert Help and Notify
Contact a cybersecurity incident response team. Contact your cyber insurer: most policies require prompt notification as a condition of coverage, and many will appoint their own response and legal panel, so check before engaging other vendors. Contact your bank if the attack involved financial fraud; the sooner a fraudulent transfer is reported, the better the chance of recalling it. Preserve forensic evidence before beginning recovery: do not wipe or rebuild systems until a cybersecurity professional has assessed them, and export logs from your firewall, email platform and cloud consoles now, since many keep only days or weeks of history.
Hours 8-24 — Legal and Regulatory Obligations
Assess whether you have obligations under the Privacy Act's Notifiable Data Breaches scheme. Where unauthorised access to, or disclosure of, personal information is likely to result in serious harm to any individual, you must notify the OAIC and the affected individuals, and your assessment of a suspected breach must be completed within 30 days. The scheme covers most organisations with annual turnover above $3 million and some smaller ones, such as health service providers, so if in doubt seek legal advice rather than assuming you are exempt. Begin documenting the incident comprehensively for your insurer. For ransomware incidents, do not pay without consulting a specialist: payment does not guarantee recovery, may be unlawful if the recipient is a sanctioned entity, and since 2025 businesses with annual turnover above $3 million must report any ransomware payment to the Australian Government within 72 hours. Reporting the incident to the Australian Cyber Security Centre through ReportCyber (cyber.gov.au) is also recommended. IntrusionX provides 24/7 incident response for Melbourne businesses — contact us before an incident to ensure we are your first call when it matters.
Communications During an Incident
How you communicate during a cyber incident has significant implications for your legal liability, regulatory standing, and client relationships. Before the incident, establish who is authorised to communicate publicly about a security incident, typically a single designated spokesperson. During the incident, avoid public statements until you understand the scope and have legal guidance, and do not communicate about the incident over systems you suspect are compromised, since the attacker may be reading them; use phone calls or a separate, known-clean channel. Be aware that internal emails and messages about the incident may be discoverable in future legal proceedings, so keep them factual. Your cyber insurer's incident response team will typically include communications guidance as part of their service.
Learning From the Incident
Every cyber incident, regardless of its severity, provides information that should be used to improve your security posture. After the immediate response is complete and normal operations have resumed, conduct a post-incident review: how did the attacker get in? What controls failed or were absent? What actions taken during the response worked well, and what could be improved? Update your incident response plan based on these findings. The goal is not to assign blame but to systematically close the gaps the incident revealed. IntrusionX can facilitate post-incident reviews for Melbourne businesses — contact us to discuss a structured review process.
Need help protecting your business or home?
IntrusionX provides independent cybersecurity for Melbourne businesses and families. Free consultation, no lock-in contracts.