We’ve all heard the warnings, “it’s not a matter of IF you’ll suffer a cyberattack, it’s WHEN.” Yet according to one study, more than 77% of organizations have no incident response plan. Hard to believe when you consider that attacks can cost businesses millions of dollars. What’s worse, 60% of those attacked go out of business within six months of being victimized.

Some 14 million businesses in the U.S. are at risk of being hacked, a nightmare scenario that unfortunately is becoming more commonplace. Many small business owners don’t make defense against cyberattacks a priority—or even know how to. It’s an operational reality small companies must take seriously. Having a plan in place may be the difference between surviving and shutting your doors.

The first line of defense is taking proactive measures to detect and protect the entire IT landscape. It’s critical to have the right security systems and processes in place to  find known and unknown threats before they impact your business. But you also need a bulletproof plan in case your systems are breached. You need to move very quickly to limit damage, so you should have a team experienced in handling these situations ready to jump to action, bringing along tools, procedures, and a proven methodology to stop attacks and to repair and restore whatever you can.

Here are five critical factors in preparing for the first 24 hours after an attack:

  1. Take control & minimize damage: Taking the appropriate steps within the first 24 hours of an incident is crucial for preventing business continuity issues and reducing legal or financial repercussions. Restore security as quickly as possible and contain the breach to reduce impact and spread. Companies that contained a breach in less than 30 days saved over $1 million versus those that took more than 30 days. Pinpoint where the breach occurred, preserve evidence, and comply with contractual and legal obligations.
  2. Experience matters: The moment you find out you’ve been breached, the command center takes over with pre-defined roles and levels of authority. You want an experienced incident response team as a one-part advisor/calming force and another part cybersecurity and forensic expert who can act quickly to secure critical evidence and stop the spread of malware, further data theft, or damage to critical systems.
  3. Open communications:  Being transparent means not just alerting customers. It’s crucial to tell all the necessary people as quickly as possible. This can include employees, customers, and other companies you do business with. Depending on the business you’re in, it may also involve contacting certain regulatory agencies. It’s also important to be forthcoming with all the information related to the hack.
  4. Repair damage and rebuild: You’ll want to start rebuilding your systems and your reputation as quickly as possible. To do this you should start by prioritizing which computers or systems you’ll work on cleaning up first. Replace corrupt data, files and applications with a clean backup. While you’re repairing and rebuilding systems, you should maintain contact with customers, partners and authorities. Alerting the right people isn’t a one-time deal. You should keep those who need to know informed during the entire process of rebuilding.
  5. Reevaluate your security posture:  You’ll likely want to do something different than what you had in place before. Most small business owners are on a tight budget, but security is not one area to skimp on. You’ll need to create layers of security to protect your information. This can include adding encryption as well as more than one password to retrieve the most sensitive information.

It's important for organizations to recognize that cybersecurity spend is a necessary cost of doing business nowadays. Without a plan and an experienced response team in place, businesses are at putting everything at stake. When your business is compromised, you need a team with experience in handling these situations to limit damage and get back up and running again.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.