What happens when you get breached.
A realistic walkthrough of the first 30 days after a breach — the calls, the costs, the clients, and what you wish you'd done sooner.
Nobody plans their breach until they're in one. When it happens, the first 72 hours are chaos. Here's what the next 30 days actually look like, based on the response work our team does for businesses that got hit.
The first 72 hours
Discovery usually comes from an employee noticing something weird — files renamed, a strange login, a ransom note on the server. From there, everything accelerates. You call your MSP. Your MSP triggers your incident response plan (if you have one). Insurance gets notified. A lawyer gets looped in. Affected systems get isolated — which often means your business is partially offline by lunchtime.
What it actually costs
Direct ransom, if you even consider paying, is often the smallest line item. Downtime eats you. So do breach counsel, forensics, notification letters to affected clients, regulator calls, credit monitoring for impacted people, and — the invisible one — client trust. We've watched firms lose 20% of their book of business in the year after a breach, even ones that handled the response well.
Two real timelines
“A 12-person accounting firm hit with ransomware on a Saturday.”
Red flag: Backups had failed silently for 9 weeks. Decrypt cost $58K, downtime cost $180K, and they had to notify 400 clients. Net damage: over $400K.
“A law firm the same size that had tested backups, EDR, and MFA.”
Red flag: They still got hit, but the attack was caught on day one before encryption finished. Total damage: ~$22K and two weeks of cleanup. Same playbook, very different outcome.
What matters before it happens
- A written incident response plan — who calls who, which systems get isolated first, who talks to clients.
- Cyber insurance with clear ransomware, wire fraud, and business interruption coverage.
- A lawyer on retainer who handles breach notification for your state.
- Working, tested backups you can restore from within 24 hours.
Don't wait until it happens.
We'll walk your setup and flag the gaps in 30 minutes. You'll walk away with a simple checklist, whether or not you become a client.
1. Write a one-page incident response plan this month — even a rough one beats nothing.
2. Confirm your cyber insurance actually covers ransomware, BEC, and business interruption. Read the exclusions.
3. Test a backup restore before you need one. Block a Saturday and prove it works.
4. Save your MSP, insurer, and breach counsel numbers in every executive's phone.
5. Decide in advance: who talks to clients, who talks to staff, who talks to the press.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.