The First Hour After Things Go Wrong

The worst time to figure out your next move is at 9 a.m. with the screens frozen and the phone ringing. Here's how to spend the first sixty minutes after an attack so panic doesn't make the call for you.

Picture a Monday. Someone on your team opens their laptop and the files have odd names and won't open. A note pops up demanding payment. Within minutes three more people are saying the same thing. Now what?

This is the moment everything else has been leading to, and it's also the moment people make their biggest mistakes, not because they're careless, but because nobody decided in advance who does what. So let's walk through that first hour while heads are cool, instead of when the room is on fire.

Minute one: stop the spread before you do anything else

Your instinct will be to investigate, to understand, to fix. Resist it. The very first move is containment: cut off whatever's infected so it can't reach the rest. Unplug the network cable, switch off the Wi-Fi on that machine, disconnect the affected computers. You're not trying to solve the problem yet. You're trying to keep it from getting bigger while it's still small enough to handle.

A single locked laptop is a bad morning. The same thing spread across every machine in the office is a different kind of disaster, and the minutes right at the start are when you decide which one you're having.

Don't pull the plug on everything

There's a tempting shortcut: power everything off and walk away. Don't. Shutting a machine down can wipe out traces of what happened and how it got in, information you'll badly want later whether for insurance, the authorities, or simply making sure it doesn't happen again next week. Disconnect from the network, yes. Yank the power on the whole office, no.

Get the right people talking, fast

An hour into a crisis is no time to be hunting for a phone number. You want a short, known list ready beforehand: whoever handles your IT, your manager or owner, and any security partner you work with. One person picks up the role of running things, not to do everything themselves, but so decisions actually get made instead of debated. Five capable people with no one in charge is slower than three with a leader.

Resist the urge to pay or to hide it

Two reactions tend to show up under pressure, and both make things worse. The first is paying the ransom immediately to make it go away. Payment buys a promise from criminals, often doesn't bring the data back cleanly, and marks you as someone who pays. The second is quietly hoping nobody finds out. Depending on what data is involved, staying silent can land you in real legal trouble, and it almost always costs more trust than honesty would have. Slow down on both. These are decisions for clearer heads, not the first ten minutes.

Then, and only then, start recovering

Once the bleeding has stopped and the right people are on the line, you move to the part you hopefully planned for already: bringing systems back from clean backups (most businesses don't realize their cloud provider isn't backing them up), in the order your business actually needs them. This is where last week's "boring" preparation quietly saves you. Recovery is so much calmer when you're following a plan instead of inventing one mid-panic.

None of this hour is about heroics. It's about having a sequence to follow when your instincts are screaming and the clock is loud. Write it down, stick it somewhere everyone can find it, and the worst morning of your business year becomes something you move through, not something that moves through you.

If you've never mapped out what your own first hour would look like, that's worth fixing while everything's calm.

