
What to Do in the First 24 Hours After a Cyberattack

An Incident Response Guide for Columbus & Central Ohio Businesses



Cyberattacks don’t happen “if.” They happen when.

And in those first 24 hours, the actions you take — or don’t take — can determine whether your business experiences a minor disruption or a full-scale crisis.

If you're a business owner or operations leader in Columbus, Westerville, Worthington, Dublin, or anywhere in Central Ohio, this guide walks you through exactly what to do in the first 24 hours after a cyberattack.


In the first 24 hours after a cyberattack, you should:

  1. Isolate affected systems immediately
  2. Contact your IT or cybersecurity provider
  3. Preserve evidence and logs
  4. Determine the scope of the breach
  5. Notify legal counsel and cyber insurance
  6. Communicate internally and externally
  7. Begin recovery from verified backups

Fast containment and structured response dramatically reduce financial damage, legal risk, and downtime.


Step 1: Contain the Threat Immediately (Minutes 0–60)

The first goal is simple: Stop the spread.

If you suspect ransomware, phishing compromise, or unauthorized access:

  • Disconnect affected computers from the network (unplug ethernet, disable Wi-Fi)
  • Do NOT power off machines unless instructed
  • Disable compromised user accounts
  • Block suspicious IP addresses (if you have firewall access)
  • Shut down remote access tools if necessary

⚠️ Do not start randomly deleting files or “trying fixes.”
You may destroy forensic evidence or make recovery harder.

For Columbus businesses using Microsoft 365, we often see:

  • Compromised email accounts sending phishing internally
  • MFA fatigue attacks
  • Business Email Compromise (BEC) targeting accounting teams

Immediate isolation prevents lateral movement across your environment.


Step 2: Call Your IT & Cybersecurity Partner

If you work with a Managed IT Services provider (like many Central Ohio businesses do), this is the moment to call them.

If you don’t have one, contact an experienced incident response firm immediately.

A qualified cybersecurity partner will:

  • Assess active threats
  • Preserve forensic logs
  • Determine breach scope
  • Secure privileged accounts
  • Guide regulatory response

This is not the time for DIY IT.


Step 3: Preserve Evidence (Hours 1–4)

One of the biggest mistakes businesses make is wiping systems too quickly.

Instead:

  • Preserve server logs
  • Retain firewall logs
  • Export Microsoft 365 audit logs
  • Document the timeline of events
  • Take screenshots of ransom notes or suspicious activity

If law enforcement or your cyber insurance provider gets involved, this documentation matters.

For Ohio businesses in regulated industries (banking, healthcare, manufacturing with CMMC requirements), proper documentation is critical.


Step 4: Determine the Scope of Impact (Hours 4–8)

Now you need answers:

  • What systems are affected?
  • Is data encrypted?
  • Was sensitive data accessed or exfiltrated?
  • Is this ransomware, phishing, insider threat, or malware?
  • Are backups intact?

Your IT team should evaluate:

  • Endpoint detection alerts
  • Server integrity
  • Email forwarding rules
  • Privileged account access
  • Backup validation
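Two of the items above, exporting Microsoft 365 audit logs (Step 3) and reviewing email forwarding rules (Step 4), can be done in one pass from Exchange Online PowerShell. The script below is an added example for this guide, not Cloud Cover's own tooling; it assumes the ExchangeOnlineManagement module is installed, and the evidence folder path and 30-day lookback are placeholder defaults.

```powershell
# Added example (not from the original article): preserve Microsoft 365 evidence and
# triage mailbox forwarding during the first 24 hours. Needs the ExchangeOnlineManagement
# module and a role with audit-log and recipient read access. $EvidenceDir and
# $LookbackDays are assumed defaults; adjust them for your case.
param(
    [string]$EvidenceDir  = "C:\IR\Evidence",
    [int]   $LookbackDays = 30
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)

# --- Step 3: export the unified audit log before anything is rebuilt or wiped --------
# Each call returns at most 5000 rows (50,000 per session); keep paging with the same
# session id until a page comes back empty so the export is complete, not just page one.
$sessionId = "IR-$stamp"
$auditRows = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
                -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $auditRows += $page }
} while ($page)
$auditRows | Export-Csv -Path (Join-Path $EvidenceDir "UnifiedAuditLog-$stamp.csv") -NoTypeInformation

# --- Step 4: list mailbox- and rule-level forwarding, a common sign of BEC ------------
$findings = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = 'MailboxForwarding'
            Target = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim(); Rule = $null }
    }
    # Inbox rules that forward, redirect or silently delete mail
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or $rule.DeleteMessage) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                       Where-Object { $_ }
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = 'InboxRule'
                Target = ($targets -join ';'); Rule = $rule.Name }
        }
    }
}
# Cross-check the rules against New-InboxRule/Set-InboxRule operations in the audit export.
$findings | Export-Csv -Path (Join-Path $EvidenceDir "ForwardingFindings-$stamp.csv") -NoTypeInformation
$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a clean administrative workstation, not from a machine suspected of compromise, and keep the CSVs with the rest of the evidence your insurer or counsel may request.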

In Columbus and surrounding areas, we frequently see:

  • Credential theft via phishing
  • Ransomware entering through unmanaged endpoints
  • Legacy firewall vulnerabilities

Understanding scope determines next steps.


Step 5: Contact Legal Counsel & Cyber Insurance (Hours 8–12)

If you have cyber liability insurance, notify them immediately.

Most policies require:

  • Prompt reporting
  • Approved forensic vendors
  • Specific documentation

You should also consult legal counsel regarding:

  • Breach notification laws (Ohio data breach law)
  • Client notification requirements
  • Regulatory reporting
  • Contractual obligations

Delaying this step can void coverage.


Step 6: Internal & External Communication (Hours 12–18)

Clear communication prevents panic and rumor spread.

Internally:

  • Inform leadership first
  • Provide employees with instructions
  • Instruct staff not to discuss incident publicly
  • Require password resets where needed

Externally:

  • Notify affected clients (if required)
  • Prepare a controlled statement
  • Communicate steps being taken

Transparency builds trust. Silence creates suspicion.


Step 7: Begin Controlled Recovery (Hours 18–24)

Recovery should only begin after:

  • The threat is neutralized
  • Entry point is identified
  • Systems are secured

Then:

  • Restore from verified backups
  • Rebuild compromised machines
  • Force password resets organization-wide
  • Implement MFA (if not already required)
  • Apply critical patches

Never restore from backups without confirming they’re clean.


What NOT to Do After a Cyberattack

  • Do not pay ransom immediately
  • Do not announce publicly without legal guidance
  • Do not wipe systems prematurely
  • Do not ignore minor signs
  • Do not assume cyber insurance will “handle it”

How Much Does a Cyberattack Cost Ohio Businesses?

According to IBM’s Cost of a Data Breach Report, the average breach costs millions nationally.

For small and mid-sized businesses in Central Ohio, we commonly see:

  • $10,000–$250,000 in downtime & remediation
  • Lost productivity
  • Reputational damage
  • Insurance premium increases
  • Client churn

The first 24 hours often determine whether the cost stays manageable or escalates dramatically.


How to Prepare Before It Happens

The best way to survive the first 24 hours is to prepare now.

Every Columbus-area business should have:

  • A documented Incident Response Plan
  • Verified and tested backups
  • Multi-factor authentication everywhere
  • Endpoint Detection & Response (EDR)
  • Regular phishing training
  • Cyber liability insurance
  • A local IT partner who understands your business

Frequently Asked Questions

What should I do immediately after a cyberattack?

Immediately isolate affected systems, contact your IT provider, preserve evidence, and notify legal and insurance partners before attempting recovery.

Should I shut down my computer after a ransomware attack?

No. Disconnect it from the network but do not power it off unless instructed by a cybersecurity professional.

When should I notify customers about a data breach?

After consulting legal counsel and determining whether sensitive data was accessed, and in compliance with Ohio breach notification laws.

Can small businesses in Columbus be targeted?

Yes. In fact, small and mid-sized businesses are frequently targeted because attackers assume defenses are weaker.


Final Thoughts: The First 24 Hours Define the Outcome

A cyberattack is stressful. Emotional decisions lead to expensive mistakes.

The businesses that recover fastest in Central Ohio are the ones that:

  • Act quickly
  • Follow a structured plan
  • Work with experienced cybersecurity professionals

If your organization does not have a documented incident response plan, now is the time to build one — not after an attack. Download our Incident Response Plan Template to get started.


Need Help Preparing?

Cloud Cover partners with Columbus and Central Ohio businesses to provide:

  • Incident response planning
  • Cybersecurity assessments
  • Microsoft 365 security hardening
  • Backup validation
  • Ongoing managed IT services

If you want to ensure your business can survive the first 24 hours after a cyberattack, let’s talk.
