What to Do After a Data Breach: A Step-by-Step Guide for Utah Businesses
The first 72 hours after discovering a breach determine everything. Here's the response playbook every Utah business owner should have ready.
- ✓ The average data breach costs $4.88 million — but fast, organized response significantly reduces the damage
- ✓ Utah businesses have specific breach notification obligations under the Utah Consumer Privacy Act and the Protection of Personal Information Act
- ✓ Most breach damage comes from slow response, not the initial intrusion — having a plan before you need one is critical
- ✓ Preserving evidence, containing the breach, and communicating transparently are the three pillars of effective response
You get a call from your IT team on a Tuesday afternoon: unusual login activity on your Microsoft 365 tenant, large volumes of data being accessed from an unfamiliar IP address, and one executive account sending emails they didn’t write. You’re dealing with a data breach.
What you do in the next 72 hours will determine whether this becomes a manageable incident or an existential crisis for your business. The difference almost always comes down to whether you had a plan before the call came in.
Hours 0-4: Contain and Preserve
The instinct when you discover a breach is to shut everything down. Resist that urge — at least partially. Containment means stopping the bleeding without destroying evidence you’ll need later.
Isolate compromised accounts and systems. Reset passwords on affected accounts. Revoke active sessions. If a specific machine is compromised, disconnect it from the network but don’t wipe it — forensic investigators will need that data.
Preserve logs and evidence. Before anyone starts “fixing” things, make copies of relevant logs: authentication logs, email audit trails, firewall logs, endpoint detection alerts. If you overwrite or delete this data, you lose the ability to understand what happened and how far the breach extends.
Activate your incident response team. This should include your IT lead (or managed IT provider), a decision-maker with authority to spend money and make calls, and your legal counsel. If you have cyber insurance, notify your carrier now — many policies require immediate notification and provide access to breach response specialists.
Do NOT communicate about the breach over the compromised systems. If your email was breached, don’t use email to coordinate your response. Use phone calls, a separate messaging platform, or in-person meetings.
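As an added illustration of the "preserve logs and evidence" step (example code, not part of the original post or Brivy IT's tooling): copy each log into an evidence folder and record a SHA-256 manifest at collection time, so that any later "cleanup" that alters a preserved file is detectable. The file names, log lines and collector name are constructed for the demo.

```python
# Added example, not the post's own code; file names and log lines are constructed.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream-hash a file so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(sources, dest_dir: Path, collector: str) -> dict:
    """Copy each log into dest_dir and write manifest.json (hash, size, who, when)."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dst = dest_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        entries.append({"file": dst.name, "sha256": sha256_of(dst),
                        "bytes": dst.stat().st_size, "source": str(src)})
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "files": entries}
    (dest_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_preserved(dest_dir: Path) -> list:
    """Re-hash every preserved file; return the names whose hash no longer matches."""
    manifest = json.loads((dest_dir / "manifest.json").read_text())
    return [e["file"] for e in manifest["files"]
            if sha256_of(dest_dir / e["file"]) != e["sha256"]]

def demo() -> tuple:
    """Constructed scenario: two logs are preserved, then one is overwritten during 'cleanup'."""
    work = Path(tempfile.mkdtemp())
    auth, fw = work / "auth.log", work / "firewall.log"
    auth.write_text("2024-05-07T14:02:11Z user=cfo result=success ip=203.0.113.9\n")
    fw.write_text("2024-05-07T14:05:40Z outbound dst=203.0.113.9 bytes=734003200\n")
    evidence = work / "evidence"
    manifest = preserve_logs([auth, fw], evidence, collector="it-lead")
    untouched = verify_preserved(evidence)      # [] while nothing has changed
    (evidence / "auth.log").write_text("")      # simulated destructive cleanup
    return len(manifest["files"]), untouched, verify_preserved(evidence)
```

Store the manifest (and ideally a second copy of the evidence) somewhere the compromised systems cannot reach, since a manifest kept next to the evidence only proves integrity if the attacker cannot rewrite both.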
Hours 4-24: Investigate and Assess
Once the immediate bleeding is stopped, you need to understand the scope:
What data was accessed or exfiltrated? Customer records, financial data, employee information, intellectual property — the type of data determines your legal obligations and the severity of the incident.
How did the attacker get in? Phishing? A compromised vendor? An unpatched vulnerability? Identifying the entry point is essential for closing the door and preventing re-entry.
How long were they inside? Attackers often maintain access for weeks or months before detection. Understanding the timeline helps you assess the full extent of the exposure.
Is the attacker still inside? Containment doesn’t always mean eviction. A thorough investigation confirms whether the attacker has been fully removed or has additional persistence mechanisms in place.
For most small and mid-sized businesses, this is where a professional incident response team earns their fee. Your internal IT team may be excellent at day-to-day operations, but breach forensics is a specialized skill. Many managed IT providers maintain partnerships with incident response firms for exactly this situation.
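To show what the scoping questions above look like when answered from preserved audit records, here is an added example (not from the original post, and using a constructed record format rather than Microsoft's real audit schema): it treats IPs a user used before the baseline window as "normal", flags later activity from any other IP, and reports first/last seen, dwell time and the objects touched. Users with no baseline history are flagged separately, since everything they did would otherwise look unfamiliar.

```python
# Added example, not the post's own code; records and addresses are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, user, source IP, operation, object)
RECORDS = [
    ("2024-04-20T09:10:00", "cfo@example.com", "198.51.100.4", "UserLoggedIn", ""),
    ("2024-04-22T08:55:00", "cfo@example.com", "198.51.100.4", "FileAccessed", "budget.xlsx"),
    ("2024-04-29T02:14:00", "cfo@example.com", "203.0.113.9", "UserLoggedIn", ""),
    ("2024-04-29T02:20:00", "cfo@example.com", "203.0.113.9", "FileAccessed", "payroll.csv"),
    ("2024-05-03T03:41:00", "cfo@example.com", "203.0.113.9", "FileAccessed", "clients.csv"),
    ("2024-05-07T14:02:00", "cfo@example.com", "203.0.113.9", "Send", "wire-request.eml"),
    ("2024-05-07T15:00:00", "ops@example.com", "198.51.100.4", "UserLoggedIn", ""),
]

def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)

def scope_compromise(records, alert_time: datetime, baseline_days: int = 14) -> dict:
    """Per user: unfamiliar IPs, first/last use, dwell time in hours, objects touched.
    Baseline IPs are those used at or before alert_time - baseline_days (an assumption
    of this demo, not a rule from the post)."""
    baseline_end = alert_time - timedelta(days=baseline_days)
    baseline = defaultdict(set)
    for ts, user, ip, _, _ in records:
        if parse(ts) <= baseline_end:
            baseline[user].add(ip)
    findings = {}
    for ts, user, ip, op, obj in records:
        t = parse(ts)
        if t <= baseline_end or ip in baseline[user]:
            continue                      # normal location, or inside the baseline window
        f = findings.setdefault(user, {"ips": set(), "first": t, "last": t, "objects": set(),
                                       "has_baseline": bool(baseline[user])})
        f["ips"].add(ip)
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
        if obj:
            f["objects"].add(obj)
    for f in findings.values():
        f["dwell_hours"] = round((f["last"] - f["first"]).total_seconds() / 3600, 1)
    return findings

if __name__ == "__main__":
    for user, f in scope_compromise(RECORDS, datetime(2024, 5, 7, 14, 30)).items():
        print(user, sorted(f["ips"]), f["first"], f["last"], f["dwell_hours"], sorted(f["objects"]),
              "NO BASELINE" if not f["has_baseline"] else "")
```

In the constructed data the executive account's unfamiliar IP first appears eight days before the alert, which is the kind of timeline gap this section warns about: the day the alert fired is rarely the day the attacker arrived.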
Hours 24-72: Notify and Communicate
Utah has specific breach notification requirements that businesses need to follow:
The Utah Protection of Personal Information Act requires businesses to notify affected individuals “in the most expedient time possible” after discovering a breach involving personal information (names combined with Social Security numbers, financial account numbers, or driver’s license numbers).
If 500+ Utah residents are affected, you must also notify the Utah Attorney General’s office.
Industry-specific requirements may apply on top of state law. Healthcare organizations under HIPAA have a 60-day notification window. Financial institutions have additional federal requirements. Businesses handling payment card data may need to notify the card brands.
Common Mistakes That Make Breaches Worse
Delaying response to “figure things out.” Every hour of delay gives attackers more time to exfiltrate data and expand their access. Speed matters more than perfection in the first 24 hours.
Destroying evidence during cleanup. Reformatting drives, deleting logs, or reinstalling systems before preserving forensic images means you’ll never know the full scope of the breach — and your insurance claim may be denied.
Hiding the breach from stakeholders. The cover-up is always worse than the breach itself. Customers, partners, and regulators respond far better to transparent, proactive communication than to finding out you tried to sweep it under the rug.
Paying the ransom without professional guidance. If ransomware is involved, paying doesn’t guarantee you’ll get your data back, may fund future attacks, and could violate OFAC sanctions depending on who you’re paying. Always consult legal counsel and law enforcement before making payment decisions.
Not updating defenses after the incident. A breach that doesn’t result in improved security is a wasted crisis. Use the findings from your investigation to close gaps, update policies, and strengthen the controls that failed.
Build Your Response Plan Before You Need It
The best time to create a breach response plan is right now — while you’re not under pressure. Document your response team, communication channels, legal contacts, insurance information, and technical procedures. Then practice it with a tabletop exercise at least annually.
At Brivy IT, we help Utah businesses build and test incident response plans as part of our managed IT services. If you don’t have a plan in place — or you’re not confident the one you have would hold up under pressure — reach out for a consultation. We’d rather help you prepare than help you recover.
Be Ready Before a Breach Happens
Brivy IT provides incident response planning, security assessments, and managed detection for Utah businesses.
Does Your Business Have a Breach Response Plan?
Most small businesses don't — until it's too late. Let us help you build one before you need it.