Cybersecurity · Incident Response · Business Continuity · AU/NZ

What to Do in the First 60 Minutes of a Cyber Incident

15 December 2025
9 min read

When you realise something is wrong (your files are encrypted, a mailbox is sending spam, a privileged account has signed in from overseas, or a payment has been redirected), you have one job in the first hour.

Get control.

This playbook is for Australian and New Zealand businesses. It focuses on containment, getting the right people involved, preserving evidence, and setting up a clean recovery.

First, decide who is in charge

Before you do anything else, nominate an incident lead. One person makes decisions and records actions. Everyone else executes.

If you do not have a dedicated security function, assign the role to a senior leader who can coordinate quickly.

Who to call in the first hour

You want help early, before you accidentally destroy evidence or restore into an infected environment.

Call, in this order:

  1. Your cyber insurer if you have cyber insurance. Use their 24/7 incident line.
  2. Your IT and security partner who can isolate systems, review logs, and guide containment.
  3. Your internal decision maker for business continuity. This is usually the owner, CEO, or operations lead.
  4. Legal and privacy advice if there is any chance of personal information exposure.

If there is active fraud in progress, also call your bank immediately.

0 to 15 minutes: Immediate containment

Goal: stop the spread. Do not investigate deeply yet.

  1. Isolate affected endpoints
  • Disconnect the device from the network: turn off Wi-Fi and unplug Ethernet.
  • Do not wipe or rebuild anything yet.
  2. Contain identity compromise
  • If Microsoft 365 or Google Workspace is involved, block sign-in, revoke active sessions, and then reset the password for each suspected account. Do all three: a password reset alone leaves already issued tokens valid, and revoking sessions alone lets the attacker sign straight back in with the stolen password.
  • Review the account's registered MFA methods and remove any phone or authenticator app the user does not recognise.
  • Block the suspicious source IPs if your identity provider lets you.
  • If an admin account is suspected, treat it as a full environment compromise.
  3. Stop lateral movement
  • Pause non-essential remote access (VPN, RDP, remote support tools).
  • Disable newly created accounts and suspicious mailbox forwarding rules.
  • If ransomware is suspected, consider isolating segments or shutting down affected servers under guidance.
  4. Start an incident log
  Record timestamps, affected systems, actions taken, and who approved them. This helps for insurance, legal, and post-incident review.
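The identity containment and mailbox clean-up steps above, as one script for a Microsoft 365 tenant. This is an added example, not code from the original post; it assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed, that the operator holds a role able to disable accounts, reset passwords and edit mailboxes, and that the account name and log path are placeholders you replace. Google Workspace has the same controls in the Admin console (sign user out, reset password, remove Gmail forwarding) but is not shown here.

```powershell
# Added example, not from the original post: first-hour containment of one
# suspected compromised Microsoft 365 account.
# Assumes: Microsoft.Graph and ExchangeOnlineManagement modules installed, and
# an operator role that can disable accounts, reset passwords and edit
# mailboxes. $Upn and $LogPath are placeholders.
param(
    [Parameter(Mandatory)] [string] $Upn,          # e.g. jane.doe@example.com.au (placeholder)
    [string] $LogPath = ".\incident-actions.log"
)

function Write-IncidentLog {
    param([string] $Message)
    # UTC timestamps line up with the cloud audit logs, which are also UTC.
    $line = "{0:u} {1} {2}" -f (Get-Date).ToUniversalTime(), [Environment]::UserName, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

Connect-MgGraph -Scopes "User.ReadWrite.All", "User.EnableDisableAccount.All",
                        "Directory.AccessAsUser.All", "UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in first. Order matters: a password reset alone leaves already
#    issued refresh tokens valid, and revoking sessions alone lets the attacker
#    sign straight back in with the stolen password.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Write-IncidentLog "Disabled sign-in for $Upn"

# 2. Invalidate every refresh token and session cookie issued to the account.
$null = Revoke-MgUserSignInSession -UserId $Upn
Write-IncidentLog "Revoked sign-in sessions for $Upn"

# 3. Rotate the password to a random value. The user receives a fresh one
#    out-of-band later; nobody needs to know this value.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Write-IncidentLog "Reset password for $Upn"

# 4. Mailbox persistence: export the inbox rules as evidence, then clear
#    mailbox-level forwarding and disable every rule. Attackers hide rules
#    under names like "." or "..", so disable all of them rather than guessing.
$rules = Get-InboxRule -Mailbox $Upn
$rules | Export-Csv -Path ".\inboxrules-$($Upn -replace '[^a-zA-Z0-9]', '_').csv" -NoTypeInformation
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Write-IncidentLog "Cleared mailbox-level forwarding for $Upn"
foreach ($rule in ($rules | Where-Object { $_.Enabled })) {
    Disable-InboxRule -Identity $rule.Identity -Confirm:$false
    Write-IncidentLog "Disabled inbox rule '$($rule.Name)' on $Upn"
}

# 5. List registered authentication methods so the incident lead can decide
#    which attacker-added phones or authenticator apps to remove. Removal is a
#    deliberate second step, so this only lists them.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties.'@odata.type' } } |
    Format-Table -AutoSize
Write-IncidentLog "Listed authentication methods for $Upn for review"
```

Run it once per suspected account from a machine you trust, and keep the generated incident-actions.log with the rest of the evidence; every line in it is an action, a time and a person, which is exactly what the insurer and the post-incident review will ask for.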

15 to 30 minutes: Triage, evidence, and decision points

Goal: confirm what happened and preserve proof.

  1. Preserve evidence
  • Take photos or screenshots of ransom notes, error messages, suspicious emails, and admin alerts.
  • Export relevant logs where possible (sign-in logs, audit logs, firewall logs) and record a hash of each export so you can later show it is unchanged.
  • Do not delete mailboxes or files yet.
  2. Establish scope
  Answer these quickly:
  • What is affected: endpoints, servers, cloud accounts, data, payments
  • What is still safe: backups, identity provider, critical systems
  • Is the attacker still active: new logins, new rules, new encryption activity
  3. Stabilise communications
  • Use an out-of-band channel if you suspect email compromise (phone, Signal, or a separate tenant you trust). Teams or chat inside the compromised tenant is not out-of-band.
  • Tell staff what to do and what not to do. Keep it short.
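The evidence export and scope questions above, carried out against a Microsoft 365 tenant. This is an added example and not code from the original post; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator with audit-log read rights, and a tenant with the Unified Audit Log enabled. The account name, lookback window and output folder are placeholders.

```powershell
# Added example, not from the original post: first-hour evidence export and
# scope check for a Microsoft 365 tenant, answering "who signed in, from where,
# what did they leave behind, and what else did they touch".
# Assumes: Microsoft.Graph and ExchangeOnlineManagement modules, an operator
# with audit-log read rights, and the Unified Audit Log enabled on the tenant.
# $Upn, $LookbackDays and $OutDir are placeholders.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [int] $LookbackDays = 7,
    [string] $OutDir = ".\evidence"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since    = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)
$sinceIso = $since.ToString("yyyy-MM-ddTHH:mm:ssZ")
$safeUpn  = $Upn -replace '[^a-zA-Z0-9]', '_'

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "User.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Sign-in history for the affected account: when, from which IP and country,
#    into which app, and whether Conditional Access or MFA stopped it.
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $sinceIso"
$signIns |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        AppDisplayName, ClientAppUsed,
        @{ n = 'Result';  e = { $_.Status.ErrorCode } },   # 0 means the sign-in succeeded
        ConditionalAccessStatus |
    Export-Csv -Path "$OutDir\signins-$safeUpn.csv" -NoTypeInformation

# Quick scope answer for the incident lead: where did successful sign-ins come from?
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object { "{0} {1}" -f $_.Location.CountryOrRegion, $_.IpAddress } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Persistence across the whole tenant, not just the reported mailbox:
#    rule creation, forwarding changes and delegate access.
$ops = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox",
       "Add-MailboxPermission", "Add-RecipientPermission"
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date).ToUniversalTime() -Operations $ops -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path "$OutDir\mailbox-changes.csv" -NoTypeInformation

# 3. Accounts created inside the window, and who currently holds admin roles.
#    Filtering users on createdDateTime is an "advanced query" in Graph, hence
#    ConsistencyLevel eventual plus a count variable.
Get-MgUser -All -ConsistencyLevel eventual -CountVariable userCount `
    -Filter "createdDateTime ge $sinceIso" `
    -Property UserPrincipalName, CreatedDateTime, AccountEnabled |
    Select-Object UserPrincipalName, CreatedDateTime, AccountEnabled |
    Export-Csv -Path "$OutDir\new-users.csv" -NoTypeInformation

Get-MgDirectoryRole -All | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{
            Role     = $role.DisplayName
            MemberId = $_.Id
            Upn      = $_.AdditionalProperties.userPrincipalName
        }
    }
} | Export-Csv -Path "$OutDir\role-members.csv" -NoTypeInformation

# 4. Hash every export so the files can be shown unchanged to the insurer,
#    lawyers or police later.
Get-ChildItem -Path $OutDir -Filter *.csv |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path "$OutDir\sha256.csv" -NoTypeInformation
```

The grouped sign-in table is the fastest answer to "is the attacker still active": a successful sign-in from a country or IP you do not recognise inside the last hour means containment is not finished. The role-members export matters because an attacker who added themselves to a privileged role will survive a password reset on the original account.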

30 to 60 minutes: External obligations and safe recovery preparation

Goal: prepare a clean recovery and start legal and regulatory thinking.

  1. Backups and recovery readiness
  • Verify you have at least one offline or immutable backup set.
  • Confirm the backup location and credentials are not compromised.
  • Identify restore order: identity first, then core systems, then endpoints.
  • Do not restore until the entry point is understood and closed.
  2. Notifiable Data Breaches (NDB) in plain English
  In Australia, if personal information is accessed, disclosed, or lost and this is likely to result in serious harm, you may need to notify:
  • The Office of the Australian Information Commissioner (OAIC)
  • The affected individuals

You do not need to notify within the first hour, but you should start gathering facts:

  • What personal information could have been exposed
  • Whether it was encrypted
  • Whether the attacker likely accessed it
  • What protections were in place

New Zealand has an equivalent regime under the Privacy Act 2020: a privacy breach that has caused, or is likely to cause, serious harm must be notified to the Office of the Privacy Commissioner and to the affected people.

If you are unsure, get legal and privacy advice early.

  3. Report to the ACSC
  ReportCyber (cyber.gov.au) is the Australian Cyber Security Centre's reporting channel. It feeds national threat intelligence and creates an official record of the incident. In New Zealand, report to CERT NZ.

  4. Police and banking
  • If fraud or extortion is involved, contact your state police or the AFP through appropriate channels.
  • If payments may be affected, notify your bank's fraud team immediately.

What not to do in the first hour

  • Do not pay a ransom in the first hour. If a payment is ever made, Australian businesses above the turnover threshold (currently AU$3 million) must report it to the Australian Signals Directorate within 72 hours under the Cyber Security Act 2024, so this is a decision for the incident lead, legal advice, and the insurer, not a reflex.
  • Do not wipe systems or reinstall until evidence is preserved.
  • Do not restore from backups until you are confident the attacker is out.
  • Do not send a detailed public statement while facts are unclear.

After the first hour

Once containment is stable, shift to:

  • Root cause analysis
  • Clean rebuild and restoration
  • Security hardening so it does not happen twice
  • A clear comms plan for staff, customers, and suppliers

If you want a printed version of this playbook for your office, keep a one page summary with key numbers, logins, and the incident lead process.