The First 60 Minutes of a Suspected Breach
A calm, written first hour when something's wrong - contain the damage and preserve the evidence. This is preparation, not legal advice.
When to use
When you think you've been hacked, hit by ransomware, or an account is compromised - staff report strange logins, files are suddenly encrypted, or contacts receive messages you didn't send - and you need to know "what do we do first?".
Steps
1. Stay calm and start a written timeline. Note the time, what you saw, and every action you take - this record is valuable later. 2. Isolate the affected device: disconnect it from the network (turn off Wi-Fi or unplug the cable). If ransomware is involved, isolate but don't wipe or reformat - that destroys evidence. 3. Contain accounts from a clean, separate device: change passwords on affected accounts, sign out all active sessions, and turn on MFA. 4. Preserve evidence - don't delete suspicious emails, files or logs, and take photos or screenshots of anything unusual (including ransom messages). 5. Tell the right people internally (owner or manager) and contact your IT provider or MSP. 6. Call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371), available 24/7, and report the incident through ReportCyber (cyber.gov.au/report). 7. If personal or customer information may be involved, start writing down the facts and prepare questions for your privacy or legal professional - do not try to decide your legal obligations yourself. 8. Once contained, plan recovery from known-good backups and only reconnect devices your IT professional has cleared.
When to call a professional
Straight away - your IT provider or MSP and the ASD hotline for the technical incident, and a privacy or legal professional if any personal data may be affected.
ACSC reference: Aligns with ACSC incident response guidance and the "Have a cyber security incident response plan" step (cyber.gov.au/smallbusiness).
Want your agent to fetch skills itself? The Academy MCP serves this whole library.
Connect via MCP