Beat the Clock – Cyber Breach Response Unplugged

If there’s one thing guaranteed to ruin your morning coffee, it’s the words “We think we’ve been breached.” The blood runs cold, the blood pressure spikes, the phones start ringing and suddenly your peaceful day turns into a mix of CSI, The Thick of It and a mild panic attack.

But breathe. It’s not all doom and downside. At least it doesn't have to be.

Let’s unpack what really happens when the alarm bell rings and, more importantly, what should happen. Because when it comes to cyber incidents, every minute counts. So, to paraphrase the horror movie, we’re breaking it down into 28 minutes, 28 hours and 28 days later.

The First 28 Minutes – Contain the Chaos

This is your “stop the bleeding” phase. Forget the blame game, forget the post-mortem. Right now it’s about getting control and not letting chaos get a grip.

Your Security Operations team (or whoever’s watching the blinking lights) isolates compromised systems, blocks traffic that shouldn’t be where it is and kicks off the Incident Response plan. Ideally there is one and it doesn’t just live in a dusty SharePoint folder called “Stuff to do if we get hacked”, last updated 5 years ago.

If you’ve practised your drills, this should be calm, coordinated and professional. If not, it’s a lot of shouting, screen-sharing and someone inevitably saying, “I thought Dave was patching that server.” *shakes head* Oh Dave. Dave, Dave, Dave.

The Next 28 Hours – Investigate and Communicate

Once the immediate fire is out, you move into the “who, what, how and how bad” phase.

Now it’s time to gather logs, collect forensic evidence and work out if the bad actors got hold of anything sensitive (spoiler alert: they probably did). This is also when the internal bat-signal goes up. The CIO, CISO, CFO, Legal, Compliance, HR and PR all enter the chat. They will want clear, unambiguous answers.

Comms become critical. Staff need facts before the rumour mill does its job. Regulators need to know what’s happened before the headlines tell them. And PR needs to keep the story factual before the twitterati decide on a counter-narrative and run with it.

If you’ve got a Managed Detection and Response (MDR) partner, they’re invaluable right now. They’ve seen this film before, and they know how to skip straight to the part where you start fixing things.

The Next 28 Days – Recovery and Reflection

By now, the adrenaline has worn off and reality sets in. You’re deep into recovery and review mode. Systems are hopefully rebuilt, backups restored and every password in the organisation is being changed (again). You or your MDR partner are watching the network like a hawk for any signs the attackers are still hanging around.

Meanwhile, leadership wants reports. Customers want reassurance. Regulators want timelines. And the board wants a PowerPoint that somehow turns chaos and disaster into positive sounding, forward thinking bullet points.

Finally comes the lessons learned bit – what failed, what worked and how to make sure it doesn’t happen again. Ideally this ends with improved processes, stronger defences and fewer grey hairs all round.

The Prep Work (aka: What You Should Have Done Yesterday)

Here’s the hard truth. The best time to prepare for a breach was a couple of years ago, a couple of months ago and a couple of days ago. The second-best time is right now.

You’ll want three things in good shape:

  1. A clear, rehearsed, up-to-date Incident Response Plan, not something you dust off once a year.
  2. Regular simulations – yes, you actually are supposed to run the drills and table-top exercises.
  3. Backups and monitoring that you trust.

Because no matter how slick your recovery process looks on paper, no unpractised plan survives first contact with the real enemy – panic.

The Takeaway

Every breach tells the same story. The faster and calmer the response, the smaller the fallout.

So, the next time someone asks if you’re ready for a cyber incident, you can smile confidently and say:

  • 28 minutes: contain it.
  • 28 hours: investigate and communicate.
  • 28 days: recover and learn.

And if they still look worried? Point them to this blog or our Cyber Unplugged video. It’s like a fire drill, only you’re less likely to get your eyebrows singed.