
By the Team at Krypto IT | Cybersecurity Experts Serving Houston SMBs
When a serious cyber incident hits your small to medium-sized business (SMB)—say, a server is locked by ransomware, or a high-level executive falls for a phishing attack—the single most damaging factor is often panic. When adrenaline is high and time is scarce, a lack of clear direction can turn a manageable crisis into a business-ending catastrophe.
Many SMB owners know they should have an Incident Response (IR) Plan, but the idea sounds overwhelming, complex, and bureaucratic. At Krypto IT, we believe your IR Plan shouldn’t be a 50-page document collecting dust in a filing cabinet. It should be a simple, immediate resource: what we call the “Break Glass” File.
Why the “Break Glass” File is Better Than a Binder
Traditional Incident Response plans are often written for large enterprises with dedicated security teams. They use complex flowcharts and require internal resources most SMBs simply don’t have.
The “Break Glass” File is different. It’s an easy-to-access, concise document that answers the three most critical questions in a crisis:
- WHO do we call, and what are their immediate action steps?
- WHAT are the essential, technical steps we must take right now?
- WHERE is the necessary information (passwords, contacts, backups)?
This file is designed to stop panic, enforce discipline, and ensure that the first 60 minutes—the most crucial window of any cyber event—are handled effectively.
Step 1: Secure Your Contact List (The “Who”)
When systems are down and email isn’t working, how do you communicate? Your file needs a verified, offline contact list.
- Internal Crisis Team: Designate one non-technical leader (e.g., the owner, CFO) and one operational leader (e.g., office manager). Include their cell phone numbers (not just office extensions).
- External Experts (Krypto IT): Include our dedicated 24/7 emergency hotline number and the specific account manager’s cell phone. This is the first call, after initial isolation (see Step 2).
- Legal/Insurance: Include the contact information for your cyber insurance provider and legal counsel who specializes in data breaches. Do not call them from a compromised device.
- Offline Access: This list must be printed, stored in a physical, secure location (like a locked safe), and stored digitally in an encrypted, non-network location (like an air-gapped USB drive).
Step 2: Immediate Containment (The “What Now”)
The primary goal during an active attack is containment: stopping the damage from spreading. This step requires quick, decisive action.
- Isolate Patient Zero: The moment an employee reports an issue (e.g., strange file names, a lock screen, a successful phishing attempt), immediately disconnect that device (PC, laptop) from the network (unplug the Ethernet cable or disable Wi-Fi). Do not turn the machine off. The running memory holds crucial forensic data.
- Disable Connectivity: If the attack is widespread, be ready to instruct employees to disconnect devices and, if necessary, instruct the designated leader to physically turn off the main network switch and Wi-Fi routers.
- Identify Compromised Accounts: If the breach involves credentials (like a successful phishing attack), immediately change the password of the compromised account from a known clean device and check for any unauthorized Multi-Factor Authentication (MFA) changes or forwarding rules.
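The account check in the last bullet can be run as a filter over an audit-log export, since MFA and forwarding changes survive a password change. This is an added example, not Krypto IT's own tooling. The event schema, action names, addresses and the 24-hour lookback are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical, vendor-neutral schema (not a real
# product's log format); map your provider's audit export onto these fields.
EVENTS = [
    {"time": "2025-10-01T10:00:00", "user": "cfo@example.com",
     "action": "mfa_method_added", "target": "authenticator-app"},
    {"time": "2025-11-03T09:14:00", "user": "cfo@example.com",
     "action": "login", "target": ""},
    {"time": "2025-11-03T09:16:30", "user": "cfo@example.com",
     "action": "forwarding_rule_created", "target": "archive.box@mail.example.net"},
    {"time": "2025-11-03T09:21:05", "user": "cfo@example.com",
     "action": "mfa_method_added", "target": "authenticator-app"},
    {"time": "2025-11-03T10:05:00", "user": "office@example.com",
     "action": "forwarding_rule_created", "target": "owner@example.com"},
    {"time": "2025-11-03T11:00:00", "user": "cfo@example.com",
     "action": "forwarding_rule_created", "target": "assistant@example.com"},
]

# Account changes that keep working after the password has been changed.
PERSISTENCE_ACTIONS = {"mfa_method_added", "mfa_method_removed",
                       "forwarding_rule_created", "mailbox_forwarding_set"}

def review_account(events, user, suspected_at, lookback_hours=24,
                   internal_domain="example.com"):
    """List MFA and forwarding changes on `user` since shortly before the
    suspected compromise, as (time, action, target, severity) tuples."""
    start = datetime.fromisoformat(suspected_at) - timedelta(hours=lookback_hours)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"] != user or ev["action"] not in PERSISTENCE_ACTIONS:
            continue
        if datetime.fromisoformat(ev["time"]) < start:
            continue  # predates the incident window, e.g. original enrollment
        target = ev.get("target", "")
        external = "@" in target and not target.lower().endswith("@" + internal_domain)
        # Any MFA change or mail leaving the company is urgent; internal
        # forwarding still needs the account owner to confirm it.
        severity = "high" if external or ev["action"].startswith("mfa_") else "review"
        findings.append((ev["time"], ev["action"], target, severity))
    return findings

if __name__ == "__main__":
    for row in review_account(EVENTS, "cfo@example.com", "2025-11-03T09:14:00"):
        print(*row, sep="  ")
```

Every row it returns should be confirmed with the account owner or reverted from a known clean device before the account is treated as recovered.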
Step 3: Verify and Rehearse (The “When”)
A plan is useless if it hasn’t been tested. Testing reveals flaws in communication, gaps in contact lists, and confusion over roles.
- Practice Drills: Schedule a simple, annual tabletop exercise with your internal crisis team and Krypto IT. Run through scenarios like “What if the primary server is down?” or “What if our social media accounts are hijacked?”
- Backup Verification: Your recovery depends entirely on your backups. Your plan must include the verified, recent date of the last successful backup and the offline credentials needed to access the recovery storage (following the 3-2-1 Rule).
Krypto IT: More Than Just a Contact Number
While the “Break Glass” File empowers your SMB with immediate, low-tech steps, the complexity of a modern cyberattack requires professional expertise.
As your Managed Service Provider (MSP), Krypto IT doesn’t just wait for your call; we are the foundation that prevents the attack in the first place through 24/7 monitoring and advanced defenses. When the call comes in, we immediately activate our full incident response protocol, providing:
- Forensic Analysis: Determining how the attack happened and what data was accessed.
- System Cleansing: Ensuring every trace of the malware or threat actor is removed.
- Rapid Recovery: Using verified, segmented backups to restore operations quickly and safely, minimizing costly downtime.
Don’t let a crisis catch you unprepared. Let Krypto IT help you build your “Break Glass” File today, ensuring you know exactly what to do when disaster strikes.
Ready to stop panicking and start planning?
Contact Krypto IT for a consultation on building a robust, yet simple, Incident Response Plan for your Houston SMB.




