Your network is down. An employee just forwarded a ransom note to your inbox. Or maybe your IT team flagged unusual login activity at 2 a.m. Whatever the trigger, you now have a narrow window where every decision you make will either contain the damage or multiply it.
Most Toronto businesses have no written incident response plan. They improvise. That improvisation costs them time, money, customer trust, and in some cases, their regulatory standing under Canadian law. According to the Canadian Centre for Cyber Security, cyber incidents affecting Canadian businesses have increased sharply year over year, with ransomware remaining the top threat to critical infrastructure and small-to-medium enterprises alike.
This guide walks you through exactly what to do, in order, during the first 24 hours after a cyberattack. Keep it bookmarked. Better yet, adapt it into a formal plan before you ever need it.
Not every alert is a breach. But you cannot afford to assume an alert is nothing.
Your first job is to determine whether you are dealing with a confirmed incident or a potential one. Check your endpoint detection tools, review recent login logs, and speak to whoever flagged the issue. If you see lateral movement, encrypted files, unauthorized access to privileged accounts, or data being exfiltrated, treat it as a confirmed incident immediately.
Do not shut down systems reflexively. Powering off machines destroys volatile memory evidence (running processes, network connections, decryption keys still in RAM) that forensic investigators need later. Your instinct will be to pull the plug. Resist it until you have guidance from a qualified incident response team. If ransomware is actively encrypting a host, isolate it from the network instead of powering it off: that stops the spread while preserving what is in memory.
Who Should You Call First?
Activate your incident response chain of command. If you have an internal security team, get them on the phone now. If you do not, contact an external cybersecurity incident response provider with 24/7 availability. Brigient’s incident response team operates around the clock for exactly this scenario. The first call sets the pace for everything that follows.
Containment is your priority, not cleanup.
Isolating affected systems means cutting them off from the rest of your network without deleting anything. Disconnect compromised machines from the network by disabling their network interfaces or unplugging Ethernet cables. If your endpoint detection platform offers a host-isolation function, prefer it: it severs all traffic except the management channel you will need to collect evidence. If you are dealing with cloud environments, revoke access tokens and disable compromised accounts at the identity provider level, and rotate any API keys those accounts could reach.
Do not wipe or reimage systems yet. Forensic evidence lives on compromised machines. Destroying it before investigators examine it can cripple your ability to understand the full scope of the attack, respond to regulators, or pursue legal action.
Segment Your Network
If your network is flat, meaning all devices can talk to each other freely, you are exposed to maximum spread. Use whatever firewall or VLAN controls you have to segment affected zones from clean zones. This is also a wake-up call: network segmentation should be part of your permanent architecture, not a crisis measure.
Change Credentials Across the Board
Assume the attacker has captured credentials. Force password resets on all privileged accounts, disable any service accounts that are not immediately necessary, and revoke active sessions across your identity systems. Rotate in priority order: identity provider and domain administrators first, then any account that authenticated to a compromised host, then everything else. If you use an Identity and Access Management platform, now is when it pays for itself.
You need to understand what was accessed, what was altered, and what was taken.
Work with your incident response team to build a timeline of attacker activity. This typically involves reviewing authentication logs, endpoint detection telemetry, email gateway logs, and any available network flow data. The goal is to answer three questions: How did they get in? How far did they move? What did they touch?
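The timeline-building step above, as an added example (not the page's or any vendor's tooling): it parses authentication log lines in an assumed `TIMESTAMP key=value ...` format, orders them, and flags the three indicators the guide names as confirmed-incident signals: a brute-force burst that ended in a success (how they got in), one account fanning out across many hosts in minutes (how far they moved), and privileged logons outside business hours (what they touched). The sample lines, the privileged-account list, and the business-hours range are constructed for the example; timestamps are assumed to already be in the organization's local time.

```python
"""Triage authentication logs into an attacker timeline.
Added example with constructed data; stdlib only."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; local time, no timezone suffix).
SAMPLE_LOGS = """\
2024-05-10T22:41:03 host=vpn01 user=j.lee src=203.0.113.9 event=logon result=failure
2024-05-10T22:41:09 host=vpn01 user=j.lee src=203.0.113.9 event=logon result=failure
2024-05-10T22:41:15 host=vpn01 user=j.lee src=203.0.113.9 event=logon result=failure
2024-05-10T22:41:21 host=vpn01 user=j.lee src=203.0.113.9 event=logon result=failure
2024-05-10T22:41:27 host=vpn01 user=j.lee src=203.0.113.9 event=logon result=failure
2024-05-10T22:41:40 host=vpn01 user=j.lee src=203.0.113.9 event=logon result=success
2024-05-11T02:03:10 host=ws-lee user=j.lee src=10.0.8.14 event=logon result=success
2024-05-11T02:13:07 host=dc01 user=admin-svc src=10.0.8.14 event=logon result=success
2024-05-11T02:14:30 host=fileserver01 user=admin-svc src=10.0.8.14 event=logon result=success
2024-05-11T02:15:02 host=fileserver02 user=admin-svc src=10.0.8.14 event=logon result=success
2024-05-11T02:15:45 host=hr-db01 user=admin-svc src=10.0.8.14 event=logon result=success
2024-05-11T09:05:00 host=ws-ng user=p.ng src=10.0.8.40 event=logon result=success
"""

PRIVILEGED = {"admin-svc", "domain-admin"}   # assumed: your privileged account inventory
BUSINESS_HOURS = range(8, 19)               # assumed: 08:00-18:59 counts as business hours


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    parts = line.split()
    event = {"ts": datetime.fromisoformat(parts[0])}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def build_timeline(log_text):
    """All events in chronological order; this is the backbone of the attacker timeline."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def off_hours_privileged(events, privileged=PRIVILEGED, hours=BUSINESS_HOURS):
    """Successful privileged logons outside business hours ('what did they touch?')."""
    return [e for e in events
            if e["user"] in privileged and e["result"] == "success" and e["ts"].hour not in hours]


def lateral_movement(events, window=timedelta(minutes=15), min_hosts=3):
    """Accounts that reached >= min_hosts distinct hosts inside `window` ('how far did they move?')."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)          # events are already sorted by ts
    findings = {}
    for user, evs in by_user.items():
        flagged = set()
        for i, start in enumerate(evs):
            hosts = {later["host"] for later in evs[i:] if later["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged |= hosts
        if flagged:
            findings[user] = sorted(flagged)
    return findings


def brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """(user, host) pairs with >= threshold failures in `window`, and whether a success followed ('how did they get in?')."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["host"])].append(e)
    findings = []
    for (user, host), evs in by_key.items():
        for i, start in enumerate(evs):
            run = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            failures = sum(1 for x in run if x["result"] == "failure")
            if failures >= threshold:
                findings.append({"user": user, "host": host, "failures": failures,
                                 "succeeded": any(x["result"] == "success" for x in run),
                                 "first": start["ts"]})
                break
    return findings


def triage(log_text):
    """Run every check and report the earliest suspicious timestamp to anchor the timeline."""
    events = build_timeline(log_text)
    findings = {
        "brute_force": brute_force(events),
        "lateral_movement": lateral_movement(events),
        "off_hours_privileged": [(e["ts"].isoformat(), e["user"], e["host"]) for e in off_hours_privileged(events)],
    }
    stamps = [f["first"] for f in findings["brute_force"]]
    stamps += [datetime.fromisoformat(t) for t, _, _ in findings["off_hours_privileged"]]
    findings["earliest_suspicious"] = min(stamps).isoformat() if stamps else None
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOGS), indent=2, default=str))
```

The `earliest_suspicious` value is the number to hand to legal counsel and the backup team: it bounds the compromise window for the notification assessment and for deciding which backups are trustworthy.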
According to the Verizon 2024 Data Breach Investigations Report, the median time for attackers to exfiltrate data after gaining access is under 24 hours. That means if you are reacting to an incident that started the night before, the exfiltration may already be done.
Document Everything
Every action your team takes from this point forward should be documented with timestamps. Regulators, insurers, and legal counsel will ask for this record. Use a shared incident log and have team members record every decision and action in real time.
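One way to keep the shared incident log described above so that regulators and insurers can trust it, as an added example (not the page's own tooling): each entry carries a UTC timestamp and the SHA-256 of the entry before it, so a deleted, reordered, or quietly edited entry breaks verification. The incident identifier, actors, and entries in `demo_log()` are constructed for the example.

```python
"""Append-only, hash-chained incident log. Added example; stdlib only."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


class IncidentLog:
    """Every entry links to the previous one by hash; verify() walks the chain."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, detail="", when=None):
        """Append one decision or action. `when` defaults to now (UTC); pass it for reproducible demos."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "ts": when.isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if sequence numbers, back-links and digests are all intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def export(self):
        """JSON Lines, one entry per line, suitable for handing to counsel or an insurer."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo_log():
    """Constructed entries for a hypothetical incident; timestamps fixed for reproducibility."""
    utc = timezone.utc
    log = IncidentLog("INC-2024-0511")  # constructed identifier
    log.record("a.cho", "alert triaged", "off-hours privileged logons on dc01", datetime(2024, 5, 11, 2, 30, tzinfo=utc))
    log.record("a.cho", "host isolated", "dc01 via EDR isolation, memory not cleared", datetime(2024, 5, 11, 2, 41, tzinfo=utc))
    log.record("m.rao", "credentials rotated", "admin-svc disabled, IdP sessions revoked", datetime(2024, 5, 11, 3, 5, tzinfo=utc))
    log.record("m.rao", "counsel engaged", "privacy counsel briefed on scope", datetime(2024, 5, 11, 6, 0, tzinfo=utc))
    return log


if __name__ == "__main__":
    log = demo_log()
    print(log.export())
    print("chain intact:", log.verify())
```

Store the exported lines somewhere the response team cannot rewrite in place (a write-once bucket, a ticketing system with audit history, or even e-mail to counsel) and re-run `verify()` on the copy when the record is requested.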
This is the part most Toronto businesses get wrong.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to report breaches of security safeguards to the Office of the Privacy Commissioner of Canada, as soon as feasible, when there is a real risk of significant harm to individuals. You must also notify affected individuals directly if that risk exists, and you must keep a record of every breach of security safeguards, reportable or not, for at least 24 months. Knowingly failing to report, notify, or keep those records is an offence carrying fines of up to $100,000, on top of the reputational damage.
The key questions to answer with your legal counsel:
You should have legal counsel involved no later than hour six. If you do not have a privacy lawyer on retainer, your incident response provider can typically help you connect with one.
Sector-Specific Obligations
If your organization operates in financial services, healthcare, or critical infrastructure, you may have additional reporting obligations beyond PIPEDA, including sector-specific regulators and, in some cases, obligations to law enforcement. Know your sector’s rules before an incident happens.
Once you have contained the incident, completed your scope assessment, and initiated required notifications, you can begin restoring systems.
Recovery should be methodical. Start with systems that are confirmed clean and critical to operations. Restore from verified clean backups only. If you are not certain a backup was taken before the compromise window, do not restore from it without forensic verification.
Test Before You Reconnect
Before bringing any system back online and reconnecting it to your broader network, verify that the vulnerability that allowed the initial compromise has been patched or mitigated. Restoring a system without closing the entry point just invites a second incident.
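The two restore checks from the recovery steps above, as an added example (not the page's or any backup vendor's tooling): a backup is eligible only if it completed before the compromise window (minus a safety margin, since the first observed activity is rarely the first actual activity) and only if its contents still match the hash recorded out of band when it was taken. The archive names, contents, dates, 24-hour margin, and compromise start are constructed for the example; in practice the compromise start comes from the forensic timeline.

```python
"""Choose a restore point that is both pre-compromise and integrity-verified.
Added example with constructed data; stdlib only."""
import hashlib
from datetime import datetime, timedelta, timezone

SAFETY_MARGIN = timedelta(hours=24)  # assumption: anything within a day of first observed activity is suspect


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def select_restore_point(backups, manifest, compromise_start, margin=SAFETY_MARGIN):
    """Return (chosen_name, report).

    `backups`: list of {"name", "archive" (bytes as found now), "completed_at" (aware datetime)}.
    `manifest`: name -> sha256 recorded at backup time and stored out of band.
    `report` maps each backup name to the reasons it was rejected ([] if eligible);
    the newest eligible backup is chosen, or None if there is none.
    """
    report = {}
    eligible = []
    for b in backups:
        reasons = []
        if b["completed_at"] > compromise_start - margin:
            reasons.append(f"completed inside or within {margin} of the compromise window")
        expected = manifest.get(b["name"])
        if expected is None:
            reasons.append("no out-of-band manifest entry; integrity cannot be verified")
        elif expected != sha256(b["archive"]):
            reasons.append("archive hash does not match manifest; modified after it was taken")
        report[b["name"]] = reasons
        if not reasons:
            eligible.append(b)
    chosen = max(eligible, key=lambda b: b["completed_at"])["name"] if eligible else None
    return chosen, report


def demo():
    """Constructed scenario: four nightly backups, one tampered, one too close to the compromise."""
    utc = timezone.utc
    # Archive contents as they were when each backup completed (constructed stand-ins for real archives).
    originals = {
        "nightly-2024-05-07": b"customers.db v7",
        "nightly-2024-05-08": b"customers.db v8",
        "nightly-2024-05-09": b"customers.db v9",
        "nightly-2024-05-10": b"customers.db v10",
    }
    # Manifest written to offline storage at backup time: the trusted reference.
    manifest = {name: sha256(data) for name, data in originals.items()}
    # Archives as found now: one was altered after the manifest was written.
    current = dict(originals)
    current["nightly-2024-05-08"] = b"customers.db v8 + attacker-planted payload"
    backups = [
        {"name": name, "archive": current[name],
         "completed_at": datetime(2024, 5, day, 1, 0, tzinfo=utc)}
        for name, day in [("nightly-2024-05-07", 7), ("nightly-2024-05-08", 8),
                          ("nightly-2024-05-09", 9), ("nightly-2024-05-10", 10)]
    ]
    # Earliest suspicious activity from the forensic timeline (constructed).
    compromise_start = datetime(2024, 5, 10, 22, 41, 3, tzinfo=utc)
    return select_restore_point(backups, manifest, compromise_start)


if __name__ == "__main__":
    chosen, report = demo()
    for name, reasons in report.items():
        print(name, "OK" if not reasons else "; ".join(reasons))
    print("restore from:", chosen)
```

A manifest that lives on the same storage as the backups is worth little, since an attacker who can alter the archive can usually alter the manifest beside it; keep the reference hashes somewhere the backup system cannot write.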
Cyberattacks do not respect business hours. The 2024 Canadian Centre for Cyber Security National Cyber Threat Assessment confirmed that ransomware actors frequently time their deployments for weekends and holidays, when IT staff coverage is thinnest and response is slowest.
Having a 24/7 incident response partner changes the math. Brigient provides round-the-clock incident response for Toronto and GTA businesses, with experienced responders who can be engaged immediately when an incident is confirmed. The faster you contain, the less you lose. Learn more at brigient.com.
Do I need to call the police if my business is hit by a cyberattack in Canada?
You are not legally required to report most cyberattacks to police, but it is advisable for serious incidents, particularly ransomware. The RCMP’s National Cybercrime Coordination Centre (NC3) accepts reports and can sometimes assist with investigations. Reporting does not obligate you to pause your recovery efforts.
How do I know if my business needs to notify customers after a breach?
Under PIPEDA, you must notify individuals when a breach involving their personal information creates a real risk of significant harm. Work with legal counsel to conduct this assessment. When in doubt, err toward notification, as the reputational cost of under-notifying is typically higher than the cost of transparency.
Should I pay the ransom?
Payment is generally discouraged by law enforcement and cybersecurity professionals. It does not guarantee data recovery, it funds criminal operations, and it may attract repeat attacks. Confirm with counsel whether a payment would breach sanctions law, since paying a sanctioned group can itself be an offence. Exhaust all recovery options, including forensic data recovery services, before considering payment.
What if my business has no incident response plan?
Contact an incident response provider immediately and let them guide you through triage. After the incident is resolved, work with a cybersecurity firm to build a formal incident response plan aligned to an established framework such as NIST SP 800-61 or ISO/IEC 27035. Brigient’s cybersecurity program development services can help.
How long does incident response typically take?
Containment can happen within hours. Full recovery and forensic investigation can take days to weeks depending on the scope. Complex breaches involving data exfiltration and legal proceedings can extend months. Speed of initial response is the single biggest factor in shortening the timeline.
The worst time to figure out your incident response plan is while you are living through a breach. The businesses that recover fastest are the ones that prepared: they had a tested plan, a response partner on standby, and documented procedures their team could follow under pressure.
Brigient works with Toronto and GTA businesses to build incident response programs that actually work, and stands by to respond when the call comes in at any hour. If your business does not have a formal incident response plan in place, start that conversation now at brigient.com.