The call comes in or the alert fires, and you know: something happened. An employee's credentials were used from another country at 3 AM. Files are encrypting on a shared drive. Your bank called about a suspicious wire. Whatever the specific signal, you've crossed a threshold — and what you do in the next few hours determines whether this becomes a contained incident or a company-defining catastrophe.
Most businesses at this moment do one of two things. They either panic and start making reactive, uncoordinated decisions that inadvertently destroy forensic evidence or create legal exposure. Or they freeze — not sure who to call, what to touch, or whether they're making things worse by doing anything at all.
This guide exists to give you a third option: a structured, field-tested response sequence that moves fast without moving recklessly. IT Center has developed this protocol through years of incident response work with Southern California businesses across industries. The 3-Phase Post-Breach Protocol below is the exact framework our team activates when a client calls us with an active incident. Use it as your playbook — even before we get on the phone.
Before you begin: Do not power off compromised machines unless your IR team tells you to. A powered-down system loses its volatile memory (running processes, active network connections, in-memory encryption keys) that can be critical to understanding what happened and proving it in a legal context. Isolate instead: unplug the network cable, disable the Wi-Fi adapter, move the switch port to a quarantine VLAN, or use your EDR's network-containment feature, and leave the machine running.
Why the First 12 Hours Are the Most Critical
The first hours after a breach are when attackers are most active, when the most damage can still be prevented, and when every decision carries the highest consequence. Attackers who have compromised an environment typically move through a predictable sequence: establish persistence, escalate privileges, conduct internal reconnaissance, exfiltrate data, and — if the attack is ransomware-based — deploy the payload. In many ransomware incidents, the initial access event and the actual ransomware deployment are separated by days or weeks. The attacker sits quietly in your network, learning the environment, before pulling the trigger.
What this means practically: if you discover unusual activity early — an anomalous login, a suspicious email forward rule, a dark web alert for a credential — you may have a window to act before the most destructive phase begins. That window is counted in hours, not days. Speed combined with structure is the entire point of Phase 1.
Credential Reset: Start With Email and Banking
The single most impactful immediate action in any breach scenario is resetting credentials — and the order matters. Attackers who have compromised your email account have visibility into your password reset emails, your bank notifications, and your communications with your IT provider. Email must be the first account you secure, because it is the recovery mechanism for every other account. Banking access must be the second, because the financial loss from an unauthorized wire transfer is often the most irreversible damage of a breach.
Do not reset passwords through an email-based password reset flow if you suspect email is compromised. Use your Microsoft 365 admin console or Google Workspace admin console to reset the password directly from the administrative interface, and immediately revoke all active sessions in addition to changing the password. Do this from a device you have no reason to believe is compromised, and remember that the admin account itself may be one of the compromised ones: reset and re-verify it before you use it to reset everyone else.
- Reset all email account passwords (Critical): Use the admin portal, not a password reset email. Change every employee account, not just the accounts you suspect. An attacker who has been in your environment may have established access to multiple accounts.
- Reset all banking portal passwords (Critical): Log into every business banking portal, payment processor, and financial account directly (type the URL; do not click links). Change passwords. Verify that no unauthorized scheduled transfers, payees, or signatories have been added.
- Reset payroll and accounting software credentials (Critical): ADP, Paychex, QuickBooks Online, Sage, and any other system with access to financial flows or direct deposit routing. Verify that employee direct deposit bank account numbers have not been altered.
- Reset VPN and remote access credentials (Critical): VPN credentials are among the most valuable assets an attacker can use to maintain persistent access. Change all VPN account passwords and any RDP (Remote Desktop Protocol) credentials immediately, and terminate existing VPN sessions on the appliance, since a password change does not drop a tunnel that is already established.
- Reset all remaining business application passwords (High): CRM, project management tools, cloud storage (SharePoint, Google Drive, Dropbox), communication platforms (Teams, Slack). Work down from highest-privilege and highest-risk to lower-risk applications.
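The bulk reset of every employee account described above, with the session revocation the admin-portal instruction calls for, as an added example using the Microsoft Graph PowerShell SDK. This is not IT Center's code or a Microsoft script. It assumes you run it from a known-clean machine as a Global Administrator, that current tenants grant password resets through the User-PasswordProfile.ReadWrite.All scope (older tenants use Directory.AccessAsUser.All), and that the hypothetical $KeepAccounts list names the admin and break-glass accounts you reset by hand so you are not locked out of your own tenant. contoso.example is a placeholder domain.

```powershell
# Added example (not IT Center's code): reset the password of every member user in
# a Microsoft 365 tenant and revoke their sessions, logging each action for the
# incident log. Uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: run from a clean machine as a Global Administrator; $KeepAccounts are
# the hypothetical admin/break-glass accounts you reset manually; dry run unless -Remediate.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
param(
    [string[]] $KeepAccounts = @('ir-admin@contoso.example', 'breakglass@contoso.example'),  # hypothetical
    [string]   $LogPath     = '.\incident-log-resets.csv',
    [string]   $SecretsPath = '.\temp-passwords.csv',   # read out by phone, then delete this file
    [switch]   $Remediate                              # report only unless set
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User-PasswordProfile.ReadWrite.All' -NoWelcome

function New-TemporaryPassword {
    # 24 bytes from the OS CSPRNG -> 32 Base64 characters; the leading '!' guarantees
    # a symbol so the value meets the cloud password complexity rules on every draw.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return '!' + [Convert]::ToBase64String($bytes)
}

function Reset-TenantUser {
    param([string[]] $Keep, [switch] $Apply)
    # Guests are excluded: they authenticate against their home tenant, so a reset here does nothing.
    $users = Get-MgUser -All -Filter "userType eq 'Member'" -Property Id, UserPrincipalName, AccountEnabled |
        Where-Object { $_.AccountEnabled -and ($Keep -notcontains $_.UserPrincipalName) }

    foreach ($u in $users) {
        $temp = $null
        if ($Apply) {
            $temp = New-TemporaryPassword
            # ForceChangePasswordNextSignIn makes the temporary password single-use.
            Update-MgUser -UserId $u.Id -PasswordProfile @{
                Password                      = $temp
                ForceChangePasswordNextSignIn = $true
            }
            # Invalidates refresh tokens and browser sessions. Access tokens that were
            # already issued keep working until they expire (60 to 90 minutes by default).
            Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
        }
        [pscustomobject]@{
            TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
            Account      = $u.UserPrincipalName
            Action       = if ($Apply) { 'password reset; sessions revoked' } else { 'DRY RUN: would reset password and revoke sessions' }
            Operator     = (Get-MgContext).Account
            TempPassword = $temp
        }
    }
}

$results = @(Reset-TenantUser -Keep $KeepAccounts -Apply:$Remediate)

# The incident log never contains the temporary passwords; those go to a separate
# file that is read out to each employee over the phone and then deleted.
$results | Select-Object -Property * -ExcludeProperty TempPassword | Export-Csv -Path $LogPath -NoTypeInformation -Append
if ($Remediate) { $results | Select-Object Account, TempPassword | Export-Csv -Path $SecretsPath -NoTypeInformation }
$results | Select-Object TimestampUtc, Account, Action | Format-Table -AutoSize
```

Run it once without -Remediate to see the list of accounts it would touch, confirm the admin and break-glass accounts are excluded, then run it with -Remediate. Every line it writes to the CSV is in the form the incident log in Phase 1 asks for: what was done, to which account, by whom, and when.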
Notify Your Bank: Place a Fraud Alert Immediately
Call your bank's fraud department — not the standard customer service line — and report a potential security incident. Ask them to place a temporary hold on wire transfer capability, review recent transaction history for unauthorized activity, and flag the account for enhanced monitoring. Ask specifically about:
- Any wire transfers in the past 30 days that were not authorized by a verified signatory via your documented approval process
- Any new payees or ACH recipients added to the account recently
- Any changes to account contact information, email addresses, or phone numbers
- Whether any new authorized users or signatories have been added
Banks can recall fraudulent wire transfers — but only if they are notified quickly, typically within 24 to 72 hours of the transaction. Every hour of delay reduces the probability of recovery. This phone call is urgent.
- Call your bank's fraud department (Critical): Report the incident. Request temporary suspension of outbound wire capability pending investigation. Ask them to add a verbal confirmation requirement for any wire over a defined threshold.
- Review the past 30 days of transactions for unauthorized activity (Critical): Go line by line. Flag anything unrecognized for immediate investigation. For any suspicious transaction, request a recall immediately; do not wait for the review to be complete before initiating the recall.
- Place a business credit alert (High): Contact Dun & Bradstreet, Experian Business, and Equifax Business to flag the account if you have reason to believe business identity theft may be part of the incident.
Revoke All Active Email Sessions
Changing a password does not disconnect an attacker who is already logged in. Refresh tokens and session cookies remain valid until they are explicitly revoked, which means an attacker can continue reading email, exfiltrating data, and sending messages on behalf of compromised accounts even after the password has been changed. Session revocation must happen immediately after the password reset.
- Microsoft 365: Revoke all user sessions from Entra ID (Critical): In the Microsoft Entra admin center, navigate to Users → select the affected user → Revoke sessions. For a full-environment reset, use the Microsoft Graph PowerShell SDK: Revoke-MgUserSignInSession -UserId <user> for each affected account (the older Revoke-AzureADUserAllRefreshToken cmdlet belongs to the retired AzureAD module). Revocation invalidates refresh tokens and browser sessions, which forces re-authentication on all active connections; access tokens that were already issued remain usable until they expire, which is 60 to 90 minutes by default, so treat that window as still exposed.
- Google Workspace: Reset sign-in cookies from the Admin Console (Critical): Admin Console → Users → select the user → Reset sign-in cookies. This terminates all active Google sessions including Gmail, Drive, and connected apps. Do this for every account, not just the accounts you suspect.
- Audit all email accounts for unauthorized forwarding rules (Critical): Attackers routinely set up rules that send copies of incoming email to an external address, often paired with a rule that deletes or hides replies so the victim never sees the conversation. In Microsoft 365 there are three places to check: mailbox-level forwarding (the mailbox's forwarding address, shown in the Exchange admin center under the mailbox's mail flow settings), per-mailbox inbox rules (Get-InboxRule, including hidden rules that Outlook does not display), and organization-wide mail flow (transport) rules in the Exchange admin center. Remove any rule you did not create.
- Check for unauthorized mailbox delegates and send-as permissions (High): Review who has been granted send-as, send-on-behalf, or full-access permissions on every mailbox. Remove any permission that was not explicitly authorized by your organization.
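The forwarding-rule and delegate audit above, across every mailbox in the tenant, as an added example written for this page; it is not IT Center's code. It uses the ExchangeOnlineManagement module and needs an Exchange Administrator role. contoso.example is a placeholder for your own domain (anything that forwards mail outside it is flagged), the $ApprovedDelegates list is a placeholder for delegates you already know about, and the inbox-rule heuristics (external forward, delete-plus-subject-filter, moves into rarely read folders) are the common BEC patterns rather than a complete list. Nothing is removed unless -Remediate is set.

```powershell
# Added example (not IT Center's code): audit every mailbox for attacker mail paths:
# mailbox-level forwarding, inbox rules (including hidden ones), full-access and
# send-as/send-on-behalf grants, and organization-wide transport rules.
# Assumptions: ExchangeOnlineManagement module installed; $InternalDomain and
# $ApprovedDelegates are placeholders; report only unless -Remediate is set.
param(
    [string]   $InternalDomain    = 'contoso.example',   # hypothetical
    [string]   $ReportPath        = '.\mail-audit.csv',
    [string[]] $ApprovedDelegates = @(),                 # names/UPNs of delegates you already know about
    [switch]   $Remediate
)

Connect-ExchangeOnline -ShowBanner:$false

function Test-External {
    # A target is external when it carries an SMTP address ('@') outside our domain.
    # Internal recipients in rule output often show as "Name [EX:...]" with no '@' at all.
    param([string[]] $Addresses)
    $esc = [regex]::Escape($InternalDomain)
    foreach ($a in $Addresses) {
        if ($a -and $a -match '@' -and $a -notmatch ('@' + $esc + '(\]|\s|$)')) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Mailbox, $Kind, $Detail) {
    $findings.Add([pscustomobject]@{ Mailbox = $Mailbox; Kind = $Kind; Detail = $Detail })
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding (Set-Mailbox / the OWA forwarding setting). Any value is a finding.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Add-Finding $upn 'MailboxForwarding' "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress) keepCopy=$($mbx.DeliverToMailboxAndForward)"
        if ($Remediate) { Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false }
    }
    foreach ($d in $mbx.GrantSendOnBehalfTo) {
        if ($ApprovedDelegates -notcontains "$d") { Add-Finding $upn 'SendOnBehalf' "$d" }
    }

    # 2. Inbox rules. -IncludeHidden returns rules created through MAPI/EWS that Outlook hides.
    foreach ($rule in (Get-InboxRule -Mailbox $upn -IncludeHidden)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $suspicious = (Test-External $targets) -or
                      ($rule.DeleteMessage -and $rule.SubjectContainsWords) -or        # hide-the-reply BEC rule
                      ($rule.MoveToFolder -match 'RSS|Archive|Junk|Conversation History')
        if ($suspicious) {
            Add-Finding $upn 'InboxRule' "$($rule.Name) | Enabled=$($rule.Enabled) | $($rule.Description -replace '\s+', ' ')"
            if ($Remediate) { Remove-InboxRule -Mailbox $upn -Identity $rule.Identity -Confirm:$false }
        }
    }

    # 3. Full-access and send-as grants to anyone other than the mailbox owner.
    Get-MailboxPermission -Identity $upn | Where-Object {
        -not $_.IsInherited -and "$($_.User)" -notmatch 'NT AUTHORITY\\SELF' -and $ApprovedDelegates -notcontains "$($_.User)"
    } | ForEach-Object { Add-Finding $upn 'FullAccess' "$($_.User): $($_.AccessRights -join ',')" }

    Get-RecipientPermission -Identity $upn | Where-Object {
        "$($_.Trustee)" -notmatch 'NT AUTHORITY\\SELF' -and $ApprovedDelegates -notcontains "$($_.Trustee)"
    } | ForEach-Object { Add-Finding $upn 'SendAs' "$($_.Trustee): $($_.AccessRights -join ',')" }
}

# 4. Organization-wide mail flow rules that copy or redirect mail outside the domain.
foreach ($tr in Get-TransportRule) {
    $targets = @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.CopyTo) + @($tr.AddToRecipients)
    if (Test-External $targets) {
        Add-Finding '(organization)' 'TransportRule' "$($tr.Name) | State=$($tr.State) | $($targets -join ';')"
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table -AutoSize -Wrap
```

Review the CSV before running with -Remediate: a finding in the SendOnBehalf or FullAccess categories is often a legitimate assistant or shared-mailbox arrangement, whereas an inbox rule that forwards externally and deletes the original almost never is. Keep the report with the incident log either way.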
Send Customer Notification (Template Provided)
If there is any possibility that customer or partner data was accessed during the incident, early notification is both legally required and strategically correct. California's data breach notification statute (Civil Code section 1798.82) requires a business to notify affected residents whose personal information was acquired by an unauthorized person "in the most expedient time possible and without unreasonable delay", and for breaches affecting more than 500 California residents a copy of the notice must also be submitted to the California Attorney General. Do not wait for the investigation to be complete before notifying; notify based on what you know, and update as you learn more.
Here is a template for initial customer notification:
- Identify which customers or partners may be affected (High): Work with your IT team and legal counsel to determine the scope of data that was potentially accessed. Do not speculate beyond what the investigation supports, but do not understate the scope either.
- Send initial notification to affected customers or partners (High): Use the template above as a starting point. Have your legal counsel review it before sending if possible, but do not allow legal review to significantly delay notification; the clock is running on your California obligations.
- Suspend or disable any confirmed compromised user accounts (Critical): For any account with confirmed unauthorized access, as opposed to suspected exposure, disable the account entirely pending full remediation. Do not simply reset the password of an account where active attacker presence has been confirmed.
- Start your incident log immediately and maintain it throughout (High): Record every action taken, by whom, and at what time, in one stated time zone (UTC is easiest to reconcile with cloud audit logs). This documentation is essential for legal compliance, insurance claims, and post-incident review. A simple spreadsheet is sufficient; what matters is that it is started and maintained in real time.
Enumerate All Running Services and Active Connections
Before you can declare an environment clean, you need to understand what's running in it. Attackers establish persistence by installing services, creating scheduled tasks, adding startup entries, or deploying remote access tools that survive a reboot and a credential change. Phase 2 begins with a full inventory of everything running in your environment.
- Enumerate all running services on all servers and managed endpoints (Critical): On Windows, Get-Service | Where-Object {$_.Status -eq "Running"} in PowerShell lists what is running; compare the list against a known-good baseline. Get-Service does not show the binary path, the service account, or an install date, so use Get-CimInstance Win32_Service (PathName, StartName) to see what each service actually executes and as whom. Any service that is not a recognized, approved application, or whose binary lives outside the normal system and program directories, warrants immediate investigation.
- Review active outbound network connections on all servers (Critical): Use netstat -ano (the -o column gives the owning process ID) or Get-NetTCPConnection -State Established, or your firewall's connection logs, to identify established connections to unfamiliar external IP addresses. Attackers maintaining active command-and-control channels will show as persistent outbound connections; beaconing implants connect only intermittently, so check firewall logs over the incident window as well as the live connection table.
- Audit all software installed on servers in the past 30 to 90 days (High): Remote monitoring and management tools (AnyDesk, TeamViewer, ScreenConnect), network scanners, and remote access utilities installed without authorization are common attacker tools. Any software that is not on your approved software list needs to be investigated and removed.
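The three inventories above (running services, established external connections, recently installed software) collected from one Windows host in a single pass, as an added example; this is not IT Center's code. It assumes it is run elevated, and the trusted binary directories, the private-address pattern and the list of remote-access tool names are placeholders to adjust for your environment. It is read-only and writes CSVs you can diff against a baseline or attach to the incident record.

```powershell
# Added example (not IT Center's code): read-only triage of one Windows host.
# Assumptions: run elevated; the trusted directories, private-address regex and
# remote-access tool names below are placeholders for your own environment.
param(
    [int]    $RecentDays = 30,
    [string] $OutDir = ".\triage-$env:COMPUTERNAME"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Running services. Get-Service does not expose the image path, so use the CIM class.
#    Flag services whose binary sits outside the usual directories or is not Authenticode-
#    signed; the signature check also catches drops into C:\Windows\Temp or ProgramData.
function Get-SuspiciousService {
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' -and $_.PathName } | ForEach-Object {
        # PathName may be quoted and carry arguments:  "C:\x\y.exe" -k foo  ->  C:\x\y.exe
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' -| /')[0] }
        $inTrustedDir = $false
        foreach ($root in $trusted) { if ($exe -like "$root*") { $inTrustedDir = $true } }
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { "$((Get-AuthenticodeSignature -LiteralPath $exe).Status)" } else { 'FileMissing' }
        if (-not $inTrustedDir -or $sig -ne 'Valid') {
            [pscustomobject]@{ Service = $_.Name; StartMode = $_.StartMode; Account = $_.StartName; Path = $exe; Signature = $sig }
        }
    }
}

# 2. Established TCP connections to non-private addresses, joined to the owning process.
function Get-ExternalConnection {
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }
    $private = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:|::$)'
    Get-NetTCPConnection -State Established | Where-Object { $_.RemoteAddress -notmatch $private } | ForEach-Object {
        $p = $byPid[[int]$_.OwningProcess]   # OwningProcess is uint32; the hashtable keys are int
        [pscustomobject]@{
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"; LocalPort = $_.LocalPort
            PID    = $_.OwningProcess; Process = $p.ProcessName; Image = $p.Path
        }
    }
}

# 3. Software registered in Add/Remove Programs (machine and loaded user hives) within
#    $RecentDays. InstallDate is yyyyMMdd and sometimes blank; blanks are kept for review.
function Get-RecentSoftware {
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'Registry::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName } | ForEach-Object {
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            try { $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) } catch { $installed = $null }
        }
        if (-not $installed -or $installed -ge $cutoff) {
            [pscustomobject]@{
                Name = $_.DisplayName; Version = $_.DisplayVersion; Publisher = $_.Publisher; Installed = $installed
                RemoteAccessTool = [bool]($_.DisplayName -match 'AnyDesk|TeamViewer|ScreenConnect|ConnectWise|Splashtop|Atera|RustDesk|NinjaOne')
            }
        }
    }
}

$services = @(Get-SuspiciousService); $conns = @(Get-ExternalConnection); $software = @(Get-RecentSoftware)
$services | Export-Csv "$OutDir\services.csv"        -NoTypeInformation
$conns    | Export-Csv "$OutDir\connections.csv"     -NoTypeInformation
$software | Export-Csv "$OutDir\recent-software.csv" -NoTypeInformation
"== Running services outside trusted directories or unsigned =="; $services | Format-Table -AutoSize
"== Established connections to public addresses =="; $conns | Format-Table -AutoSize
"== Software installed in the last $RecentDays days =="; $software | Format-Table -AutoSize
```

Expect some legitimate noise in the first table (third-party agents installed under their own directories, or vendors that ship unsigned service binaries); the point is to produce a short list that a person reviews against the approved-software list, not a verdict. Run the same script on a known-good machine of the same build first and keep that output as the baseline to compare against.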
Check for Persistence Mechanisms
This is the step that separates thorough incident response from superficial cleanup. Attackers who have had meaningful access to your environment will have attempted to establish ways to return even after their initial access method is blocked. Finding and removing all persistence mechanisms is what prevents reinfection.
- Audit all scheduled tasks on servers and endpoints (Critical): In Windows Task Scheduler (or with Get-ScheduledTask in PowerShell), review every task that is not a recognized Microsoft or approved application task. Pay particular attention to tasks that run PowerShell scripts, download executables from external URLs, or run from user-writable directories such as %TEMP%, %APPDATA%, or C:\ProgramData. Delete any task that cannot be attributed to a legitimate application.
- Review all startup entries (registry Run keys, startup folders) (Critical): Use Autoruns (Sysinternals) to audit every location where programs can be configured to run at startup. Autoruns covers registry keys, startup folders, browser extensions, scheduled tasks, services, WMI event subscriptions, and dozens of other persistence locations in a single view. Flag anything unsigned or unrecognized for removal.
- Enumerate all local administrator and domain administrator accounts (Critical): Attackers who escalate privileges frequently create backdoor administrator accounts. On a domain controller, run Get-ADGroupMember -Identity "Domain Admins" -Recursive (and repeat for Enterprise Admins, Schema Admins, and the built-in Administrators group, since membership in any of them is equivalent) and compare the result to your documented admin list. On each server and workstation, review the local Administrators group (Get-LocalGroupMember -Group Administrators). Remove any account not authorized by your organization.
- Review Active Directory for unauthorized Group Policy Objects or changes (High): Attackers with domain access may create GPOs that ensure malware executes across the domain at every login. Review the GPO list in the Group Policy Management Console and audit the GPO change log for any modifications made during the suspected incident window.
- Verify local user accounts on all servers and critical workstations (High): Use Get-LocalUser in PowerShell on each system. Get-LocalUser does not show when an account was created, so pair it with the Security event log for the incident window (event ID 4720, "a user account was created", and 4732, "a member was added to a security-enabled local group"). Any recently created account that is not a recognized service account or staff member is a backdoor candidate and must be disabled and investigated immediately.
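The persistence checks in this section (scheduled task actions, Run keys, local and domain admin membership, account-creation events) run together against one host, as an added example that is not IT Center's code. It assumes it runs elevated; the command-line tells, the approved-admin list and the CORP domain name are placeholders to adapt; and the Active Directory section runs only where the RSAT ActiveDirectory module is installed. It does not remove anything, because every hit here needs a human to attribute it before deletion.

```powershell
# Added example (not IT Center's code): enumerate common persistence locations on one
# Windows host and return the entries that deserve a look. Assumptions: run elevated;
# $suspiciousCmd and $ApprovedAdmins are placeholders to adapt; the AD section needs RSAT.
param(
    [int]      $LookbackDays   = 30,
    [string[]] $ApprovedAdmins = @('Administrator', 'CORP\Domain Admins', 'CORP\IT-Admins')  # hypothetical
)

# Tells from the text: scripting hosts and LOLBins, download cradles, user-writable
# directories, and encoded or hidden PowerShell.
$suspiciousCmd = '(?i)powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|curl|wget|' +
                 'https?://|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Users\\Public\\|-enc|-w hidden|FromBase64String'

function New-Finding($Kind, $Name, $Context, $Command) {
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Context = $Context; Command = $Command }
}

# 1. Scheduled tasks: judge each task by what its actions execute, not by its name.
#    Tasks under \Microsoft\ are skipped to cut noise; on a host you already know is
#    compromised, rerun without that filter, because attackers hide there too.
function Get-SuspiciousTask {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match $suspiciousCmd) {
                New-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" "runs as $($_.Principal.UserId); author $($_.Author)" $cmd
            }
        }
    }
}

# 2. Run/RunOnce keys for the machine and every loaded user hive. All entries are
#    returned (there are few); Context marks the ones matching the tells.
function Get-RunKeyEntry {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'Registry::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'Registry::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($item in (Get-Item -Path $keys -ErrorAction SilentlyContinue)) {
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            $flag = if ($value -match $suspiciousCmd) { 'SUSPICIOUS' } else { 'review' }
            New-Finding 'RunKey' "$($item.Name)\$name" $flag $value
        }
    }
}

# 3. Local Administrators membership versus the approved list.
function Get-UnexpectedLocalAdmin {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $ApprovedAdmins -notcontains $_.Name } | ForEach-Object {
            New-Finding 'LocalAdmin' $_.Name "$($_.ObjectClass) from $($_.PrincipalSource)" ''
        }
}

# 4. Recently created accounts and group additions. Get-LocalUser carries no creation
#    time, so read the Security log: 4720 = account created, 4732 = member added to a local group.
function Get-RecentAccountEvent {
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $what = if ($_.Id -eq 4720) { "created $($d['TargetUserName'])" } else { "added $($d['MemberName']) to $($d['TargetUserName'])" }
        New-Finding "Event$($_.Id)" $what "by $($d['SubjectUserName']) at $($_.TimeCreated.ToString('s'))" ''
    }
}

# 5. Domain privileged groups, with each unexpected member's whenCreated date.
function Get-UnexpectedDomainAdmin {
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return }
    Import-Module ActiveDirectory
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object { $ApprovedAdmins -notcontains $_.SamAccountName } | ForEach-Object {
            $created = (Get-ADObject -Identity $_.DistinguishedName -Properties whenCreated).whenCreated
            New-Finding "AD:$g" $_.SamAccountName "created $created" ''
        }
    }
}

$results = @(Get-SuspiciousTask) + @(Get-RunKeyEntry) + @(Get-UnexpectedLocalAdmin) + @(Get-RecentAccountEvent) + @(Get-UnexpectedDomainAdmin)
$results | Export-Csv -Path ".\persistence-$env:COMPUTERNAME.csv" -NoTypeInformation
$results | Format-Table Kind, Name, Context, Command -AutoSize -Wrap
```

Autoruns still covers far more locations (WMI subscriptions, Winlogon, AppInit DLLs, browser extensions) than this script does; treat the script as what you can run on every host from a management console, and Autoruns as the deep look at the hosts it flags. The 4720/4732 events only exist if the Security log has not rolled over the incident window, which is one more reason to pull logs early.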
Verify Antivirus and EDR Health
Sophisticated attackers frequently disable or tamper with security tools as one of their first actions after gaining access to an environment. A compromised endpoint whose security software has been silenced will appear clean in dashboards while actively running malware. Verifying tool health is not optional.
- Verify security agent status on every managed endpoint and server (Critical): In your EDR or AV management console, check for endpoints reporting as offline, agents reporting as unhealthy, or agents that have not reported telemetry recently. An endpoint that "disappeared" from your security console during the incident window should be treated as actively compromised until proven otherwise.
- Check for disabled or tampered security services (Critical): On each endpoint, verify that your security software services are running: Windows Defender (if used), your EDR agent service, and any security monitoring agents. Attackers commonly stop these services, switch off real-time protection, or add exclusions to blind them to malware activity, so check the exclusion lists and the tamper-protection state as well as the service status.
- Initiate full malware scans from a centrally managed, verified-clean console (High): Trigger full scans across all endpoints through your management console rather than initiating locally on each machine. Local scans on a compromised machine may be intercepted by the malware itself. If you don't have centralized scanning, contact IT Center; we can deploy a scanning agent remotely.
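A per-endpoint health check for the conditions described above, as an added example for this page rather than IT Center's tooling. It reads Microsoft Defender Antivirus state through the built-in Get-MpComputerStatus and Get-MpPreference cmdlets, so it applies to Defender and Defender for Business; third-party EDR agents expose their own interfaces, and the script covers them only by checking that their Windows service exists and is running. The service names in $EdrServices are examples, not a statement about what your agent installs; confirm them with your vendor.

```powershell
# Added example (not IT Center's code): report Defender protection state, tamper
# protection, signature age and every configured exclusion on this endpoint, then
# check the security services by name. Assumption: $EdrServices holds example
# service names; replace them with the ones your EDR vendor documents.
param(
    [string[]] $EdrServices = @('CSFalconService', 'SentinelAgent'),   # examples only
    [int]      $MaxSignatureAgeDays = 3
)

function Get-DefenderFinding {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $out    = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Bad, $Detail) {
        if ($Bad) { $out.Add([pscustomobject]@{ Check = $Check; Detail = $Detail }) }
    }

    # AMRunningMode is 'Passive' or 'EDR Block' when another vendor's AV owns the host;
    # in that case the real-time findings below describe Defender, not the primary product.
    Add-Finding 'RunningMode'        ($status.AMRunningMode -ne 'Normal')          "Defender running mode: $($status.AMRunningMode)"
    Add-Finding 'AntimalwareService' (-not $status.AMServiceEnabled)               'Antimalware service is not running'
    Add-Finding 'RealTimeProtection' (-not $status.RealTimeProtectionEnabled)      'Real-time protection is OFF'
    Add-Finding 'BehaviorMonitoring' (-not $status.BehaviorMonitorEnabled)         'Behavior monitoring is OFF'
    Add-Finding 'TamperProtection'   (-not $status.IsTamperProtected)              'Tamper protection is OFF: settings can be changed by malware or any local admin'
    Add-Finding 'SignatureAge'       ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) "Signatures are $($status.AntivirusSignatureAge) days old (updated $($status.AntivirusSignatureLastUpdated))"
    Add-Finding 'RealTimePreference' ([bool]$pref.DisableRealtimeMonitoring)       'DisableRealtimeMonitoring preference is set'
    Add-Finding 'CloudProtection'    ($pref.MAPSReporting -eq 0)                   'Cloud-delivered protection (MAPS) is disabled'

    # Exclusions are the quiet way to blind the engine: an excluded path, extension or
    # process is never scanned. Every entry needs a named owner and a reason.
    foreach ($p in $pref.ExclusionPath)      { Add-Finding 'ExclusionPath'      $true $p }
    foreach ($e in $pref.ExclusionExtension) { Add-Finding 'ExclusionExtension' $true $e }
    foreach ($x in $pref.ExclusionProcess)   { Add-Finding 'ExclusionProcess'   $true $x }
    foreach ($i in $pref.ExclusionIpAddress) { Add-Finding 'ExclusionIpAddress' $true $i }
    return $out
}

function Get-SecurityServiceState {
    # WinDefend = Defender AV, WdNisSvc = network inspection, Sense = Defender for Endpoint.
    foreach ($name in (@('WinDefend', 'WdNisSvc', 'Sense') + $EdrServices | Select-Object -Unique)) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Present   = [bool]$svc
            Status    = if ($svc) { "$($svc.Status)" } else { 'not installed' }
            StartType = if ($svc) { "$($svc.StartType)" } else { '' }
        }
    }
}

$findings = Get-DefenderFinding
if ($findings.Count -eq 0) { 'Defender: no findings' } else { $findings | Format-Table -AutoSize -Wrap }
Get-SecurityServiceState | Format-Table -AutoSize
```

The output is deliberately one row per exclusion rather than a pass/fail, because the exclusion list is where a "clean" dashboard and a blinded engine look identical. A broad exclusion such as C:\ or *.exe, or a process exclusion for a scripting host, is a finding to escalate whatever the other rows say. Note that an attacker with local admin on a host without tamper protection can also turn real-time protection back on after the fact, so absence of findings is not proof of absence of tampering; the EDR console's telemetry gap check above remains the stronger signal.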
Audit All Firewall Rules
Firewall rules are a common target for attackers who need to maintain communication channels or enable new access paths. A rule added to allow inbound RDP from "any" source, or to permit outbound traffic to a specific external IP, can be the difference between a contained incident and an ongoing compromise.
- Audit all perimeter firewall rules for unauthorized additions or modifications (Critical): Compare current rules to your last documented baseline or change log. Pay special attention to rules allowing inbound access (RDP, SSH, VNC, custom ports) from broad source ranges, and rules allowing outbound traffic to uncommon destinations. Remove any rules that were not explicitly authorized through your change management process.
- Review Windows Firewall rules on all servers (High): In addition to your perimeter firewall, check host-based firewall rules on each server. Use Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow in PowerShell and look for rules that permit unusual inbound connections; pipe each rule to Get-NetFirewallPortFilter and Get-NetFirewallAddressFilter to see the ports and remote address ranges it actually opens, since the rule object itself shows neither. Windows keeps no creation time on firewall rules, so unless rule-level policy change auditing was already enabled (Security event ID 4946 records a rule being added), an export from a known-good state is the only reliable way to spot additions.
- Confirm patch status on all systems and identify the most critical gaps (High): While you're doing this audit, document the patch status of every system. Identify any endpoints or servers running software with known critical vulnerabilities, especially VPN appliances, remote access tools, and internet-facing services. Prioritize patching these immediately as part of the Phase 2 remediation.
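The host-firewall review above, as an added example and not IT Center's code: it flattens every active Windows Firewall rule into one row with its port, address and program filters resolved, reports enabled inbound allow rules that open remote-access ports to broad sources, and, when a baseline export exists, diffs the current rules against it. It assumes it runs elevated and that the baseline is the CSV this same script writes with -SaveBaseline on a known-good host; the port-to-name table is a placeholder you can extend. Resolving the filters costs one call per rule, so allow a minute on a host with hundreds of rules.

```powershell
# Added example (not IT Center's code): host firewall exposure report plus baseline diff.
# Assumptions: run elevated; baseline produced by this script's -SaveBaseline switch;
# $remoteAccessPorts is a placeholder table to extend.
param(
    [string] $BaselinePath = ".\fw-baseline-$env:COMPUTERNAME.csv",   # hypothetical location
    [switch] $SaveBaseline
)

$remoteAccessPorts = @{ '22' = 'SSH'; '3389' = 'RDP'; '5900' = 'VNC'; '5985' = 'WinRM'; '5986' = 'WinRM-HTTPS'; '445' = 'SMB'; '135' = 'RPC' }

function Get-FirewallRuleRow {
    # One flat row per rule with its port, address and program filters resolved; the rule
    # object alone shows none of them. ActiveStore includes rules pushed by Group Policy.
    Get-NetFirewallRule -PolicyStore ActiveStore | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name = $rule.Name; DisplayName = $rule.DisplayName; Enabled = "$($rule.Enabled)"; Direction = "$($rule.Direction)"
            Action = "$($rule.Action)"; Profile = "$($rule.Profile)"; Protocol = "$($port.Protocol)"
            LocalPort = "$($port.LocalPort)"; RemoteAddress = "$($addr.RemoteAddress)"; Program = "$($app.Program)"
        }
    }
}

function Get-ExposedInboundRule {
    param([object[]] $Rows)
    $Rows | Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
        ($_.RemoteAddress -eq 'Any' -or $_.RemoteAddress -match 'Internet')
    } | ForEach-Object {
        # LocalPort is space-separated when a rule lists several ports.
        $names = @($_.LocalPort -split ' ' | Where-Object { $remoteAccessPorts.ContainsKey($_) } | ForEach-Object { $remoteAccessPorts[$_] })
        if ($names -or $_.LocalPort -eq 'Any') {
            $exposes = if ($names) { $names -join ',' } else { 'all ports' }
            $_ | Select-Object *, @{ n = 'Exposes'; e = { $exposes } }
        }
    }
}

$rows = @(Get-FirewallRuleRow)
if ($SaveBaseline) {
    $rows | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline of $($rows.Count) rules saved to $BaselinePath"
    return
}

"== Enabled inbound allow rules open to broad sources on remote-access ports =="
Get-ExposedInboundRule -Rows $rows | Format-Table DisplayName, Profile, Protocol, LocalPort, RemoteAddress, Program, Exposes -AutoSize -Wrap

if (Test-Path -LiteralPath $BaselinePath) {
    "== Rules added (=>), removed (<=) or changed (one line of each) since the baseline =="
    $props = 'Name', 'Enabled', 'Direction', 'Action', 'Protocol', 'LocalPort', 'RemoteAddress', 'Program'
    Compare-Object -ReferenceObject (Import-Csv -LiteralPath $BaselinePath) -DifferenceObject $rows -Property $props |
        Sort-Object Name | Format-Table SideIndicator, Name, Enabled, Direction, Action, LocalPort, RemoteAddress -AutoSize
} else {
    "No baseline at $BaselinePath; run with -SaveBaseline on a known-good host to enable the diff."
}
```

A rule that allows inbound 3389 from Any on the Public profile is the classic case the section warns about; a rule whose Program points into a user profile or a temp directory is the other one to read closely, because a program-scoped allow is how an implant gets its listener through the host firewall without touching the well-known ports.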
Deploy EDR and MDR
Basic antivirus — signature-based detection that matches known malware — does not stop modern threats. Modern attacks use fileless techniques, living-off-the-land tools that are legitimate Windows utilities, and custom malware that has never been seen before. Endpoint Detection and Response (EDR) software monitors behavior rather than matching signatures: it watches for suspicious process sequences, unusual file system activity, and anomalous network connections that indicate attack patterns even when no known malware signature is present.
Managed Detection and Response (MDR) adds a human layer: security analysts who review EDR telemetry 24 hours a day, seven days a week, and take response action when they see something that requires it. For most small and mid-sized businesses, MDR delivers the security operations center capability that would otherwise require a team of in-house analysts to staff.
- Deploy EDR on every endpoint and server in the environment (Critical): Zero gaps. Every machine that touches business data or network resources needs behavioral endpoint protection. Coverage gaps are where attackers establish their foothold; an unprotected workstation used occasionally by a part-time employee is still a viable initial access point.
- Enroll in a Managed Detection and Response service (High): IT Center's managed security program includes 24/7 MDR coverage as a standard component. This means human analysts are reviewing your telemetry around the clock: not just software alerts, but the judgment of security professionals who understand attacker behavior and can distinguish a genuine incident from a false positive.
Migrate to Microsoft 365 (If Not Already)
If your business is still running on-premises Exchange, local file servers without cloud backup, or a fragmented mix of consumer email services and personal Google accounts, this incident is the forcing function for a platform that belongs in every business: Microsoft 365 Business Premium. The combination of Exchange Online, SharePoint, Teams, OneDrive, Defender for Business, Entra ID (formerly Azure AD), and Microsoft Intune gives you an integrated security platform with conditional access, device compliance enforcement, mobile device management, advanced email filtering, and centralized identity management — all from a single monthly subscription.
- Migrate to or upgrade to Microsoft 365 Business Premium (High): Microsoft 365 Business Premium includes Defender for Business (EDR-level endpoint protection), Defender for Office 365 (advanced email security), Entra ID P1 (conditional access, MFA enforcement), and Microsoft Intune (device management), all in one license at approximately $22 per user per month. IT Center manages the full migration.
- Configure Microsoft Defender for Business security policies (High): After migration, configure attack surface reduction rules, tamper protection, network protection, and controlled folder access policies. These settings block the most common attack techniques at the OS level and are frequently left at default (insufficient) settings in new deployments.
Enforce MFA on All Accounts Without Exception
If there is a single control that consistently separates businesses that contain incidents quickly from businesses that suffer catastrophic breaches, it is multi-factor authentication. MFA does not prevent every attack — session hijacking and MFA fatigue attacks exist and are real — but it eliminates the vast majority of credential-based attacks by requiring a second factor that the attacker does not possess.
- Enable MFA on every user account, no exceptions (Critical): In Microsoft 365, use Conditional Access policies (available in Business Premium) to require MFA for all users. If you exclude emergency "break glass" accounts from the policy, protect them another way: a FIDO2 key or a long randomly generated password kept offline, plus an alert on every sign-in to those accounts. In Google Workspace, enforce MFA through the Admin Console under Security → 2-Step Verification.
- Migrate from SMS-based MFA to an authenticator app or hardware key (High): SMS-based MFA is vulnerable to SIM-swapping attacks. Microsoft Authenticator or Google Authenticator removes the SIM-swap risk, but a one-time code or a push approval can still be relayed by a real-time phishing proxy sitting between the user and the genuine login page. Only FIDO2 hardware security keys and passkeys are bound to the site's origin and therefore resist that attack; use them for the highest-value accounts (administrators, finance, executives).
- Configure Conditional Access to block sign-ins from risky locations and unmanaged devices (High): Use Microsoft Entra Conditional Access to require MFA for all users, block sign-ins from countries your company never operates in, and require compliant or Entra-joined devices for access to sensitive data. Deploy each policy in report-only mode first and read the sign-in logs before enforcing it, so a mistake does not lock the whole company out in the middle of an incident. This policy set stops most credential-based attacks even when credentials are stolen.
</gr_repl
ace>
<gr_insert after="112" cat="add_content" lang="powershell" orig="Configure Conditional Access">
The three Conditional Access policies this section describes, created through the Microsoft Graph PowerShell SDK in report-only mode, as an added example that is not IT Center's code or a Microsoft script. It assumes the tenant has Entra ID P1 (included in Business Premium), that you run it as a Conditional Access Administrator, and that the break-glass account object IDs and the named-location ID for the countries you operate in are placeholders you fill in first. The policies are created in report-only state; pass -Enforce once the sign-in log shows no unexpected blocks.

```powershell
# Added example (not IT Center's code): create MFA-for-all, country-block and
# managed-device Conditional Access policies via Microsoft Graph, report-only by default.
# Assumptions: Entra ID P1 licensing; placeholder IDs below must be replaced; the named
# location for allowed countries already exists in the tenant.
#Requires -Modules Microsoft.Graph.Identity.SignIns
param(
    [string[]] $BreakGlassIds = @('00000000-0000-0000-0000-000000000001'),         # placeholder object IDs
    [string]   $AllowedCountriesLocationId = '00000000-0000-0000-0000-000000000002',  # placeholder named-location ID
    [switch]   $Enforce
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All' -NoWelcome
$state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

function New-CaPolicy {
    param([string] $Name, [hashtable] $Conditions, [hashtable] $Grant)
    # Break-glass accounts are excluded from every policy so a broken policy cannot lock
    # the tenant; they must be protected by a FIDO2 key and monitored sign-ins instead.
    $Conditions.users = @{ includeUsers = @('All'); excludeUsers = $BreakGlassIds }
    if (-not $Conditions.ContainsKey('applications'))   { $Conditions.applications = @{ includeApplications = @('All') } }
    if (-not $Conditions.ContainsKey('clientAppTypes')) { $Conditions.clientAppTypes = @('all') }
    $body = @{ displayName = $Name; state = $state; conditions = $Conditions; grantControls = $Grant }

    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$Name'"
    if ($existing) { Write-Warning "'$Name' already exists (id $($existing.Id)); skipping"; return $existing }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. MFA for every user on every application.
New-CaPolicy -Name 'CA001 Require MFA for all users' -Conditions @{} -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

# 2. Block sign-ins from everywhere except the named location listing the countries you operate in.
New-CaPolicy -Name 'CA002 Block sign-in outside operating countries' `
    -Conditions @{ locations = @{ includeLocations = @('All'); excludeLocations = @($AllowedCountriesLocationId) } } `
    -Grant @{ operator = 'OR'; builtInControls = @('block') }

# 3. Require a compliant (Intune) or hybrid-joined device for the Office 365 workloads
#    (Exchange, SharePoint, OneDrive, Teams), which is where the business data lives.
New-CaPolicy -Name 'CA003 Require managed device for Office 365' `
    -Conditions @{ applications = @{ includeApplications = @('Office365') } } `
    -Grant @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
```

After a few days in report-only mode, filter the Entra sign-in log by each policy name and look at the "report-only: failure" entries: those are the sign-ins the policy would have blocked. Legitimate travel, an unenrolled device used by an executive, and a service account that cannot do MFA all show up there, and each needs a decision before -Enforce, not after.
</gr_insert>
<gr_replace lines="115-120" cat="reformat" orig="-">
- Deploy a centralized patch management solution (Critical): Windows Update for Business (included in Microsoft 365 Business Premium via Intune) or a dedicated RMM platform gives you visibility into patch status across every managed device and the ability to push patches on a schedule. IT Center manages patch deployment for all clients in our managed IT program, including monthly patch cycles and emergency patches for critical vulnerabilities.
- Establish and document a patch deployment SLA (High): Critical patches (CVSS score 9.0 and above, or patches for actively exploited vulnerabilities per CISA's Known Exploited Vulnerabilities catalog) should be deployed within 48 to 72 hours of release. Standard patches should be deployed within 30 days. Document this policy and make adherence to it a measured metric.
- Prioritize internet-facing systems and VPN appliances for immediate patching (Critical): VPN appliances, firewalls, remote access gateways, and any system with a public IP address represent the highest-risk unpatched assets. These should be on an accelerated patch schedule regardless of your standard cycle; attackers actively scan for known-vulnerable VPN firmware within hours of exploit publication.
Implement Formal Patch Management
Unpatched systems are the root cause of a substantial percentage of successful breaches. Known vulnerabilities — with published proof-of-concept exploits available to any attacker — sit unpatched on business endpoints for months because there is no systematic process for ensuring patches are deployed. Patch management is not a tool purchase; it is a process that requires policy, scheduling, and accountability.
-
Deploy a centralized patch management solution CriticalWindows Update for Business (included in Microsoft 365 Business Premium via Intune) or a dedicated RMM platform gives you visibility into patch status across every managed device and the ability to push patches on a schedule. IT Center manages patch deployment for all clients in our managed IT program, including monthly patch cycles and emergency patches for critical vulnerabilities.
-
Establish and document a patch deployment SLA HighCritical patches (CVSS score 9.0 and above, or patches for actively exploited vulnerabilities per CISA's Known Exploited Vulnerabilities catalog) should be deployed within 48 to 72 hours of release. Standard patches should be deployed within 30 days. Document this policy and make adherence to it a measured metric.
-
Prioritize internet-facing systems and VPN appliances for immediate patching CriticalVPN appliances, firewalls, remote access gateways, and any system with a public IP address represent the highest-risk unpatched assets. These should be on an accelerated patch schedule regardless of your standard cycle — attackers actively scan for known-vulnerable VPN firmware within hours of exploit publication.
Conduct User Awareness Training
Technology controls stop the attacks that don't require human interaction. For the attacks that do — phishing, business email compromise, social engineering — the human layer is both the most common point of failure and the most trainable control in your security stack. A staff that can consistently recognize a phishing attempt, question an unusual wire request, and know who to call when something looks wrong is a meaningful security asset.
- Schedule mandatory security awareness training for all staff (High): Platforms like KnowBe4 or Proofpoint Security Awareness Training combine on-demand video training with automated simulated phishing campaigns. Employees who click simulated phishing links receive immediate remedial training. Run a baseline phishing simulation within the first week to understand where your greatest human risk exists.
- Train accounts payable and finance staff specifically on BEC recognition (High): The people who process wire transfers and ACH payments need specific training on the patterns of business email compromise attacks and your organization's mandatory verification procedures. No banking change should ever be processed based solely on an email request; always verify via a callback to a phone number already on file, never one supplied in the request itself.
- Document and distribute your incident reporting procedure to all staff (Standard): Every employee should know: what to do if they think they clicked a phishing link (report immediately, do not try to handle it themselves), who to contact (name and phone number, not just an email address), and what not to do (don't shut down the machine, don't forward the suspicious email, don't discuss it on personal devices). A one-page quick reference is more useful than a 40-page policy document.
What Comes After Phase 3: Building a Sustained Security Program
Phase 3 does not end cybersecurity work — it establishes the foundation of a security program that can sustain itself. The businesses that successfully complete all three phases of the Post-Breach Protocol emerge from the incident with a security posture that is materially stronger than it was before. EDR is deployed. MFA is enforced. Patches are being managed. Staff have been trained. Dark web monitoring is watching for the next credential exposure.
But security is not a project — it is an ongoing operational function. After Phase 3, the work continues through quarterly patch reviews, annual security assessments, simulated phishing campaigns every 60 to 90 days, and regular tabletop exercises where your team walks through an incident scenario before a real one occurs. The goal is to make your next security incident a minor, contained event rather than a crisis — because the probability of there being no future incident approaches zero for any business operating on modern networks.
California notification note: the notification obligation discussed in Phase 1 comes from California's data breach notification statute (Civil Code section 1798.82), not from the CCPA itself. The statute requires notice to affected residents "in the most expedient time possible and without unreasonable delay" following discovery of a breach of unencrypted personal information, and for breaches affecting more than 500 California residents a sample copy of the notice must be submitted to the California Attorney General. The CCPA adds a separate exposure: a private right of action for consumers whose personal information is breached because a business failed to maintain reasonable security. Your incident log from Phase 1 and the investigation documentation from Phase 2 are the foundation of the compliance record you will need for both. IT Center can help you understand your specific notification obligations based on the facts of your incident.
Call IT Center the Moment You Suspect an Incident
The checklists above give you a framework to act immediately and decisively when an incident occurs. But incident response is not something that should be navigated alone, and time spent figuring out what to do is time attackers are using against you.
IT Center has been supporting Southern California businesses since 2012. Our incident response team is available to take your call, assess the situation remotely, and dispatch engineers when needed. We can access your Microsoft 365 admin console, your endpoint management platform, and your firewall from our operations center to begin containment actions without waiting for an on-site visit. The moment you think something is wrong, call us.
For existing managed IT clients, incident response is included in your flat-rate program — no additional billing for emergency response, no per-hour charges during a crisis. For businesses that are not yet clients, we offer incident response as a standalone engagement. Either way, the number is the same: (888) 221-0098.
Don't Wait for a Breach to Build Your Response Plan
IT Center will assess your current incident response readiness, deploy the controls that make breaches less likely, and ensure your team knows exactly what to do if an incident occurs. One conversation can change your entire risk posture.
Talk to Our Security Team
Active incident? Call immediately: (888) 221-0098