Business Cyberattack Recovery Checklist
Valydex SMB Guide · NIST CSF 2.0 & CISA Response Guidance · valydex.com
Page 1 — First 30 Minutes: Immediate Actions
Printed: 2026-04-01
Page 1 of 6
Company: _______________________
Evidence preservation rule: Take photos with your phone, avoid shutting down affected systems unless absolutely necessary, and document the discovery time before taking containment actions.
First 30 minutes checklist
  • Take photos of ransom messages, error screens, or suspicious activity with your phone
  • Record the discovery time and how you first noticed the attack
  • Note affected systems - which computers, servers, or services are impacted
  • Disconnect affected systems from internet and network (unplug ethernet, disable Wi-Fi)
  • Isolate network segments if you have managed switches or firewalls
  • Preserve system state - avoid shutting down computers unless absolutely necessary
  • Alert other employees to stop using shared systems and network resources
  • Contact IT support person or company for technical response coordination
  • Notify business owner/manager for decision-making authority
  • Contact legal counsel for compliance and liability guidance
  • Call cyber insurance provider to initiate claims process
Emergency contacts
IT Support Contact
Name / phone / email
Business Owner/Manager
Name / phone / email
Legal Counsel
Name / phone / email
Cyber Insurance Provider
Carrier / policy # / phone
Incident Response Firm
Company / 24/7 hotline
FBI IC3 Reporting
ic3.gov (online) / Local FBI field office
valydex.com/guides/my-business-got-hacked-complete-recovery-checklist · NIST CSF 2.0 · CISA Incident Response · Free to use and adapt
Page 2 — First Hour: Authority Reporting
Law enforcement reporting
  • Report to FBI Internet Crime Complaint Center (IC3) at ic3.gov
  • Contact local FBI field office for significant incidents or ongoing threats
  • Report to local law enforcement (some have specialized cybercrime units)
  • Notify industry regulators if applicable (healthcare, finance, etc.)
Information to report
Item                         Details to provide
Discovery time and method    When and how you first noticed the attack
Attack type                  Ransomware, data theft, system compromise, BEC, unknown
Affected systems             Computers, servers, cloud services, databases
Potential data exposure      Types of data potentially accessed or stolen
Ransom demands               Any ransom messages or attacker communications
Containment actions          Steps already taken to isolate the breach
Professional engagement checklist
  • Incident response consultant for threat assessment and containment
  • Digital forensics specialist for evidence preservation and analysis
  • Legal counsel with cyber expertise for regulatory compliance
  • Public relations consultant if customer data is involved
  • Create disk images of affected systems before making changes
  • Capture network logs from firewalls, routers, and security devices
  • Screenshot system states showing current conditions
  • Preserve email communications including any attacker messages
  • Document all response actions with timestamps and responsible parties
Page 3 — Days 1-7: Recovery Checklist
Recovery phases: Phase 1 (Days 1-2): Critical systems · Phase 2 (Days 3-5): Secondary systems · Phase 3 (Days 5-7): Complete restoration with validation
Complete recovery checklist
  • Identify entry point - How did attackers gain initial access?
  • Map attack progression - What systems were compromised and when?
  • Assess data exposure - What information was accessed or stolen?
  • Evaluate ongoing threats - Are attackers still present in systems?
  • Deploy professional-grade malware removal tools (EDR solutions)
  • Run multiple scanning engines to ensure complete malware removal
  • Check for rootkits and advanced persistent threats
  • Patch all vulnerabilities that enabled the initial compromise
  • Update all software to current versions with security patches
  • Replace ALL compromised credentials (passwords, certificates, API keys)
  • Restore from clean backups (Phase 1: Critical systems, Days 1-2)
  • Verify backup integrity - Scan restored data for malware
  • Test core business functions in isolated environment
  • Implement enhanced monitoring and logging
  • Gradually restore secondary systems (Phase 2: Days 3-5)
  • Validate data integrity - Check for corruption or changes
  • Complete system restoration (Phase 3: Days 5-7)
  • Conduct user acceptance testing before full production
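An added example, not part of the Valydex checklist, for the "Verify backup integrity" and "Validate data integrity" steps: it hashes a restored file tree and diffs it against a manifest recorded when the backup was last verified clean, so unexpected, missing and altered files stand out before the system goes back into production. The files, paths and manifest are constructed for the demo.

```python
"""Compare a restored file tree against a known-good SHA-256 manifest."""
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large restores do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify every difference as added, removed or modified relative to baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed scenario: manifest taken from a verified-clean backup, then a
    restored tree with one altered file, one missing file and one unexpected file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices").mkdir()
        (root / "invoices" / "2026-03.csv").write_text("id,amount\n1,100\n")
        (root / "config.ini").write_text("[db]\nhost=db01\n")
        (root / "readme.txt").write_text("internal notes\n")
        baseline = build_manifest(root)  # recorded when the backup was verified clean
        # What the restored tree looks like in this constructed case
        (root / "config.ini").write_text("[db]\nhost=203.0.113.5\n")
        (root / "readme.txt").unlink()
        (root / "invoices" / "update.exe").write_bytes(b"MZ\x90\x00")
        return compare_manifests(baseline, build_manifest(root))
```

Anything listed under "added" or "modified" needs a malware scan and a reason before the restore is signed off; "removed" entries are candidates for re-restore from the backup set.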
Page 4 — Cloud Environment Containment
Cloud-specific actions: Cloud breaches require immediate credential revocation and session token invalidation. Do not rely solely on password changes; revoke all active sessions and API keys.
Microsoft 365 / Azure
  • Revoke all OAuth tokens and app registrations
  • Reset admin account passwords and enforce MFA
  • Review Azure AD sign-in logs for persistence
  • Disable compromised service principals
  • Lock down tenant-level settings
  • Review conditional access policies
Amazon Web Services (AWS)
  • Rotate all access keys and API credentials
  • Review CloudTrail logs for unauthorized activity
  • Use Security Hub to isolate compromised instances
  • Lock down security groups and NACLs
  • Review IAM roles and policies for backdoors
  • Check Lambda functions for malicious code
Google Cloud Platform (GCP)
  • Revoke service account keys
  • Review Cloud Audit Logs for suspicious activity
  • Isolate compromised projects using VPC firewalls
  • Reset IAM bindings and organization policies
SaaS Applications
  • Revoke all user sessions immediately
  • Reset admin credentials and enforce MFA
  • Review API integrations and webhooks
  • Audit user permission changes
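An added example, not part of the Valydex checklist, for the AWS items "Review CloudTrail logs for unauthorized activity" and "Review IAM roles and policies for backdoors": a small triage pass over CloudTrail records that flags persistence-related IAM and Lambda calls, console logins without MFA, and activity from outside your trusted IP ranges. The records and the trusted range are constructed (documentation IP space); the event names and fields are standard CloudTrail ones.

```python
"""Triage a CloudTrail export for persistence and unusual-origin activity."""
import ipaddress
import json

# IAM and Lambda actions that commonly establish persistence after a compromise
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "PutRolePolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
    "CreateFunction20150331", "UpdateFunctionCode20150331",
}

def triage(records: list, trusted_nets: list) -> list:
    """Return sorted (eventTime, eventName, reasons) tuples that need a human look."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for r in records:
        name, ip = r.get("eventName", ""), r.get("sourceIPAddress", "")
        reasons = []
        if name in PERSISTENCE_EVENTS:
            reasons.append("persistence-related API call")
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            reasons.append("console login without MFA")
        try:
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                reasons.append(f"source {ip} outside trusted ranges")
        except ValueError:  # AWS service principals log a hostname, not an IP
            pass
        if reasons:
            findings.append((r["eventTime"], name, "; ".join(reasons)))
    return sorted(findings)

# Constructed sample records (documentation IP ranges), not a real trail
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-03-31T21:02:11Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.23", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "userName": "finance-admin"}},
    {"eventTime": "2026-03-31T21:05:40Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "finance-admin"}},
    {"eventTime": "2026-03-31T09:14:02Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "backup-svc"}},
    {"eventTime": "2026-03-31T09:20:00Z", "eventName": "Invoke",
     "sourceIPAddress": "events.amazonaws.com", "userIdentity": {"type": "AWSService"}},
]})

def demo() -> list:
    """Run the triage over the sample with the office range as the only trusted source."""
    return triage(json.loads(SAMPLE_TRAIL)["Records"], trusted_nets=["203.0.113.0/24"])
```

Every flagged access key, user, policy or function is a candidate for the revocation and rollback steps above; the same pattern applies to Azure AD sign-in logs and GCP Cloud Audit Logs with their own field names.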
Page 5 — Communication Templates & Regulatory Timelines
Regulatory notification timelines
Regulation                 Timeline                       Scope
GDPR (EU customers)        72 hours to authorities        Without undue delay to individuals
HIPAA (Healthcare)         60 days                        Breaches affecting 500+ individuals
CCPA (California)          Without unreasonable delay     California residents affected
PCI DSS (Payment cards)    Immediately                    Notify card brands and acquirer
State breach laws          30-90 days (varies)            Check specific state requirements
Customer notification template
What happened
Clear, non-technical explanation of incident
What information involved
Specific data types potentially affected
What we are doing
Concrete steps taken to address incident
What you can do
Specific, actionable recommendations
Contact for questions
Dedicated incident response contact info
Media holding statement
Acknowledgment
Aware of and investigating cybersecurity incident
Response status
Implemented incident response procedures
Expert engagement
Working with cybersecurity experts
Commitment
Take security of customer information seriously
Updates
Will provide updates as appropriate
Page 6 — Post-Recovery Security Improvements
Post-incident requirement: Complete security improvements within 30-60 days. Attackers often return to previously compromised targets if fundamental vulnerabilities remain unaddressed.
Essential security improvements
  • Implement multi-factor authentication on all business accounts
  • Deploy endpoint detection and response (EDR) on all devices
  • Upgrade firewall with advanced threat detection
  • Establish security information and event management (SIEM)
  • Implement network segmentation to isolate critical systems
  • Deploy data loss prevention (DLP) tools
  • Upgrade to next-generation firewall (NGFW)
  • Implement zero trust architecture
  • Establish 24/7 security operations center (SOC) or MDR service
  • Subscribe to threat intelligence feeds
Assessment & training checklist
  • Conduct penetration testing to identify remaining vulnerabilities
  • Run comprehensive vulnerability scanning
  • Review and update all security policies based on lessons learned
  • Conduct incident-specific employee training
  • Implement regular phishing simulations
  • Establish clear security reporting procedures
  • Develop comprehensive 3-2-1 backup strategy
  • Create business continuity plan for extended outages
  • Test backup restoration monthly
  • Document all changes and improvements made during recovery
For complete recovery guidance: Visit valydex.com/guides/my-business-got-hacked-complete-recovery-checklist for detailed step-by-step instructions, vendor recommendations, and compliance requirements.