
Data breaches: the first 24 hours determine the next 24 days

James John at Bridewell explains how to make every second count in incident response

When a cyber incident hits, organisations often imagine they’ll have time to assess, plan, and respond methodically. In a typical enterprise setting, systems can sometimes be taken offline to contain a threat. In Critical National Infrastructure (CNI), there is no such luxury when it becomes a matter of national safety and keeping services like energy, water, transportation, finance and healthcare running. Security teams aren’t working with days; they’re working with minutes. Every decision must balance containment with continuity, often under intense pressure and scrutiny.


The real challenge lies in managing the outward ripples of early decision-making when cyber incidents do arise in CNI. Those first actions don’t just solve immediate problems; they shape everything that follows.


At the same time, the regulatory landscape is tightening. The Cyber Safety Review Board (CSRB) and similar frameworks are reducing the time organisations have to report incidents and requiring earlier engagement with external stakeholders. That means incident response must be a coordinated, multi-disciplinary effort involving legal, communications, regulators, and executive leadership from the outset.


So, what does effective incident response look like when every second counts?


Four Questions that Define the First 24 Hours

The first 24 hours of an incident should be driven by four critical questions. They are often worked in parallel, and together they form the backbone of a successful response.


1. What’s Affected?
The immediate priority is detection and scoping. Is this an IT or OT issue? Is the threat active, passive, or post-compromise? This stage is fundamentally a fact-finding mission. Without clarity here, every subsequent decision risks being misaligned.


Too often, organisations jump to conclusions or act on incomplete information. In high-stakes environments, this can lead to unnecessary disruption or, worse, allow a threat to spread unchecked. Establishing scope quickly and accurately is the foundation of everything that follows.


2. Who Needs to Know?
Incident response is not a siloed activity. The right people must be engaged early, including incident response teams, IT and OT engineers, legal counsel, executive leadership, communications teams and potentially external regulators.


Delays or missteps in communication can create confusion, duplication of effort, or conflicting actions. Clear escalation paths and predefined stakeholder roles are essential. Everyone needs to understand not just what is happening, but what is expected of them.


3. How Do We Stop It?
In CNI environments, “stopping” a threat rarely means shutting everything down. Instead, it’s about intelligent containment, or limiting impact while maintaining critical services.


This requires careful coordination and a deep understanding of system dependencies. What can be isolated without affecting operations? Which assets are critical? Where are the interdependencies that could cause cascading failures?


Layered containment strategies should be predefined, not improvised. Understanding dependencies upfront saves a world of pain later; without it, well-intentioned actions can inadvertently make the situation worse.
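As an added illustration of the dependency mapping this section calls for (not code from the article or from Bridewell), the following Python sketch records a constructed asset dependency map and pre-computes which assets could be isolated without cascading into a critical service. All asset names and the critical-service set are assumed sample values.

```python
from collections import deque

# Constructed sample dependency map for illustration: each key depends on
# the assets in its list. Isolating an asset also cuts everything that
# depends on it, so this map is what "intelligent containment" reasons over.
DEPENDS_ON = {
    "core-switch": [],
    "ad-dc": ["core-switch"],
    "historian": ["core-switch"],
    "scada-hmi": ["historian", "ad-dc"],
    "pump-plc": ["scada-hmi"],
    "corp-mail": ["ad-dc"],
    "engineering-ws": ["ad-dc", "core-switch"],
}
# Services the organisation has decided must keep running during containment.
CRITICAL = {"pump-plc", "scada-hmi"}


def dependents_of(target, depends_on=DEPENDS_ON):
    """Return every asset that transitively depends on `target` (its cascade)."""
    reverse = {}
    for asset, deps in depends_on.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(asset)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for child in reverse.get(node, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def isolation_impact(target, depends_on=DEPENDS_ON, critical=CRITICAL):
    """Describe what isolating `target` would take down and whether that is acceptable."""
    blast = dependents_of(target, depends_on) | {target}
    critical_hit = sorted(blast & critical)
    return {"asset": target, "cascade": sorted(blast - {target}),
            "critical_hit": critical_hit, "safe": not critical_hit}


def safe_isolation_set(depends_on=DEPENDS_ON, critical=CRITICAL):
    """Pre-approved containment actions: assets that can be cut without touching a critical service."""
    return sorted(a for a in depends_on if isolation_impact(a, depends_on, critical)["safe"])
```

Running `isolation_impact` over every asset before an incident produces the predefined, layered list of actions the text describes, so that responders are not tracing interdependencies under pressure.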


4. What’s Next?
Once the immediate threat is contained, the focus shifts to controlled recovery. This involves stabilising operations, preserving evidence and ensuring vulnerabilities are not reintroduced.


This stage is often underestimated. Rushing recovery can destroy forensic evidence or reopen attack vectors. A disciplined, well-documented approach is essential to ensure both operational resilience and future learning.


Where Incident Response Goes Wrong

Despite having plans in place, many organisations struggle during real incidents. The root cause is rarely a lack of technical capability; it’s a failure of coordination and decision-making.


Uncoordinated incident response often manifests in two ways: people becoming too heavy-handed, or people getting in each other’s way. Overreaction can lead to unnecessary disruption, while hesitation can allow threats to escalate.


Leadership plays a critical role here. Poor outcomes are frequently linked to indecisive, delayed, or overly micromanaged decisions. In high-pressure situations, there must be clear delegated authority, ideally not resting with the CEO, who may not have the operational context to act quickly and effectively.


Success in incident response is not about perfection. It’s about making timely, informed decisions. Or put more bluntly: decisions trump perfection.


Coordination Beats Capability

One of the most important insights from experience is that coordination consistently outweighs technical capability.


Organisations may have highly skilled teams and advanced tools, but if those teams are not aligned, the response will falter. Disconnects between IT and OT teams, unclear communication channels and slow mobilisation can all undermine even the most capable response.


Closely linked to this is the idea that preparedness beats talent. Even the most talented individuals cannot compensate for a lack of planning, rehearsal, and shared understanding. Incident response is a team sport and, like any team activity, it relies on practice.


Building “Muscle Memory” Through Rehearsal

Effective incident response doesn’t start when an incident occurs; it starts long before, through careful planning and rehearsal.


Organisations need to develop and test incident response plans that go beyond technical playbooks. These plans should incorporate communication strategies, stakeholder engagement and decision-making frameworks.


Tabletop exercises are a critical tool here. By simulating incidents in a controlled environment, teams can identify gaps, test assumptions, and refine their approach. Over time, this builds the “muscle memory” needed to act quickly, decisively and confidently when a real incident occurs.


Importantly, these exercises should involve more than just security teams. IT and OT teams need regular opportunities to collaborate and understand each other’s priorities. Legal and communications teams should also be included, ensuring that all aspects of the response are aligned.


Live exercises that bring everyone together can be particularly valuable. They expose real-world challenges that may not be apparent on paper and help build the relationships that underpin effective coordination.


Communication: The Often-Overlooked Risk

One area that is frequently overlooked in incident response planning is communication.


In the chaos of an incident, teams may default to familiar tools like WhatsApp or personal messaging apps. However, these “out-of-band” channels can introduce security risks and create gaps in documentation.


Organisations need to define and rehearse secure communication methods as part of their incident response plans. This ensures that information flows efficiently while maintaining confidentiality and auditability.


Start Small, Start Now

For many organisations, the idea of building a comprehensive incident response capability can feel overwhelming. But the key is to start small. No plan will be perfect from the outset. The goal is to begin with a basic framework, test it and iterate. Over time, this incremental approach builds a robust, adaptable capability.


The alternative - waiting for the perfect plan - leaves organisations exposed. In incident response, inaction is just too big a risk.


Ultimately, the effectiveness of incident response comes down to what happens in those first critical hours: the first 24 hours determine the next 24 days.


Early decisions create ripples that shape the trajectory of the entire incident. Get them right, and organisations can contain threats, maintain operations and recover in good time. Get them wrong, and the consequences can escalate rapidly. Because when every second counts, preparation is everything.


James John is Incident Response Manager at Bridewell
