Breached? Do This in 72 Hours or Pay Twice

Most Canadian businesses don’t lose because attackers are geniuses. They lose because the first 72 hours are chaos. No owner, no IT lead, and no privacy officer wants to admit it, but it’s true: when pressure hits, you fall back to whatever you practiced. If you haven’t practiced a breach response, you don’t have a breach plan. You have a document.

And in Canada, chaos gets expensive fast. Beyond downtime and reputation, your legal obligations around breach reporting can be triggered under federal privacy rules, and if you touch Québec customers or operations, you may also be dealing with Law 25 obligations. That’s where many SMBs get hit twice: once by the incident, and again by a messy, poorly documented response.

The myth that keeps Canadian companies vulnerable

Myth: “If we get breached, we’ll know.”

Reality: modern incidents often look like normal business. Attackers log in with stolen credentials, create quiet mailbox rules, move laterally using legitimate tools, and blend in until the day they decide to monetize. That’s why “we have antivirus” is not a strategy, and why “we’ll just restore from backups” is usually fantasy.

If you think backups are your safety net, make sure it’s a real one. This matters more than most leaders realize: Your Backups Alone Won’t Save You From Ransomware.

When you’re blind, you’ll do what most SMBs do: pull the plug on systems, scramble passwords, and call three vendors who all give different advice. Meanwhile, evidence evaporates, your timeline becomes guesswork, and your reporting decisions become risky. That’s how one breach becomes two disasters.

Canada’s breach reality: it’s not just “IT’s problem”

Under PIPEDA, organizations must report and notify when there is a “real risk of significant harm” (RROSH) and must also keep records of all breaches. The Office of the Privacy Commissioner of Canada lays out the practical expectations in its guidance on mandatory reporting of breaches of security safeguards.

Québec’s Law 25 regime uses the language of “confidentiality incidents.” Private enterprises are expected to assess risk of serious injury, notify affected individuals and the regulator when required, and keep a register. The Commission d’accès à l’information (CAI) summarizes the obligations for private organizations here: Confidentiality incidents and security measures (private enterprises). If you want the legislative source, the Regulation details what notices must include: Regulation respecting confidentiality incidents.

Notice what neither law gives you: a magic checklist that works without operational discipline. That part is on you.

The good news is Canada already provides a practical baseline for what “reasonable security” looks like via the Canadian Centre for Cyber Security’s Baseline Cyber Security Controls for Small and Medium Organizations. The bad news is most businesses treat those controls like a PDF to skim, not a system to run.

The 72-hour breach playbook Canadian SMBs can actually execute

This is the playbook we push because it’s built for speed, evidence quality, and defensible decision-making. It also aligns cleanly with the “Detect, Respond, Recover” realities found in frameworks like NIST CSF 2.0 without turning your response into a consulting project.

Hour 0 to 2: Stop the bleeding without destroying evidence

  • Declare an incident commander. One person owns decisions. Everyone else supports. Breaches fail when leadership is “group chat governance.”
  • Contain surgically. Isolate impacted endpoints or accounts, not the whole company. Knee-jerk shutdowns can wipe volatile evidence and break business-critical workflows.
  • Freeze identity risk. If attackers logged in, identity is your primary crime scene. Revoke sessions, reset high-risk credentials, and review privileged access immediately.
  • Preserve logs fast. Export key telemetry (identity, email, EDR, firewall, VPN). If you don’t have centralized logging and retention, this is where timelines die.


Our stance at 010grp: if you can’t see after-hours sign-ins, suspicious inbox rules, and privilege escalation attempts, you’re defending with the lights off. Our 24/7 monitoring and SIEM/SOC as a Service are built for this moment: catch it early, triage fast, and preserve evidence properly.

Hour 2 to 12: Build a credible timeline

  • Answer three questions: What happened? What systems are impacted? What data could be exposed?
  • Hunt for “quiet persistence.” Mailbox rules, external forwarding, OAuth app consents, abnormal admin actions, and new MFA device registrations are classic indicators in real-world breaches.
  • Check fraud pathways immediately. Business email compromise (BEC) is still brutal in Canada. The RCMP’s guidance on Business Email Compromise should be wired into your finance workflow.

If you want a practical BEC workflow fix your leadership will actually follow, pair this with: One Email. One Wire. You’re Done.
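As an added example (not code from the original article or from 010grp), here is a small Python triage pass that flags the "quiet persistence" indicators listed above in an exported batch of audit events and ranks accounts that show several of them at once. The event layout, field names, domains and sample records are constructed for this example; the Exchange rule parameter names (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, ForwardingSmtpAddress) are real cmdlet parameters, but the export format is an assumption.

```python
"""Flag the playbook's 'quiet persistence' indicators (forwarding or hiding inbox
rules, external forwarding, OAuth mail consents, new MFA registrations) in exported
audit events and group them per account. Event layout and samples are constructed."""
from collections import defaultdict

INTERNAL_DOMAINS = {"example.ca"}  # assumption: the organisation's own mail domains
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "offline_access", "MailboxSettings.ReadWrite"}
HIDE_FOLDERS = {"RSS Subscriptions", "Conversation History", "Deleted Items", "Archive"}
# Constructed sample export (field names assumed): one chained BEC footprint, one benign rule.
SAMPLE_EVENTS = [
    {"ts": "2024-03-02T02:14:09Z", "user": "ap@example.ca", "op": "New-InboxRule",
     "params": {"Name": "..", "ForwardTo": "ap@example-invoices.net", "DeleteMessage": True}},
    {"ts": "2024-03-02T02:16:40Z", "user": "ap@example.ca", "op": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:ap.backup@webmail.example"}},
    {"ts": "2024-03-02T02:20:11Z", "user": "ap@example.ca", "op": "Consent to application",
     "params": {"AppDisplayName": "Mail Sync Helper", "Scopes": "Mail.ReadWrite offline_access"}},
    {"ts": "2024-03-02T02:22:03Z", "user": "ap@example.ca", "op": "User registered security info",
     "params": {"Method": "Authenticator app"}},
    {"ts": "2024-03-02T14:05:00Z", "user": "hr@example.ca", "op": "New-InboxRule",
     "params": {"Name": "Payroll", "MoveToFolder": "Payroll"}},
]

def is_external(address):
    """True when a forwarding target is outside INTERNAL_DOMAINS ('smtp:' prefix stripped)."""
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def classify(event):
    """Return an indicator tag for one event, or None when it looks benign."""
    op, p = event["op"], event.get("params", {})
    if op == "New-InboxRule" and any(k in p for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")):
        return "rule-forwards-mail"
    if op == "New-InboxRule" and (p.get("DeleteMessage") or p.get("MoveToFolder") in HIDE_FOLDERS):
        return "rule-hides-mail"
    if op == "Set-Mailbox" and is_external(p.get("ForwardingSmtpAddress", "")):
        return "external-forwarding"
    if op == "Consent to application" and RISKY_SCOPES & set(p.get("Scopes", "").split()):
        return "oauth-mail-consent"
    if op == "User registered security info":
        return "new-mfa-method"  # always worth a human look during an incident
    return None

def triage(events):
    """Group distinct indicators per account; two or more on one user is 'chained'."""
    hits = defaultdict(set)
    for e in events:
        if tag := classify(e):
            hits[e["user"]].add(tag)
    return {u: {"indicators": sorted(t), "priority": "chained" if len(t) > 1 else "review"}
            for u, t in hits.items()}
```

Run it over a real export by replacing SAMPLE_EVENTS with your own records in the same shape; the "chained" accounts are where the Hour 2 to 12 timeline work should start.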

Hour 12 to 24: Decide what this incident really is

  • Classify the data involved. Personal information, financial data, health information, credentials, and IP change your regulatory and operational response.
  • Start the breach record and register now. Don’t wait for “more facts.” You will forget details. Document timestamps, impacted assets, containment actions, and who approved what.
  • Control the narrative internally. Leadership, legal, HR, finance, and comms should be working from one source of truth, not hallway updates.

For ransomware scenarios specifically, the Cyber Centre’s Ransomware Playbook is one of the most practical Canadian resources available. Even if you never face ransomware, the response structure is a strong template.

Hour 24 to 48: Make the “report or not” decision

  • Risk assessment is not vibes. Under PIPEDA, the question is RROSH. Under Québec’s confidentiality incident approach, you’re assessing risk of serious injury and notification obligations.
  • Write down your reasoning. Regulators care less about perfection and more about whether you followed a defensible process and kept proper records.
  • Prepare plain-language communications. No jargon. No excuses. What happened, what information is involved, what you’re doing, and what people should do next.

If you suspect criminal activity or fraud, Canada’s Cyber Centre explains how to report a cyber incident. For fraud guidance and reporting, the Canadian Anti-Fraud Centre is a useful reference.

Hour 48 to 72: Recover, harden, and prevent the sequel

  • Recover using tested runbooks. If your recovery plan is “we’ll figure it out,” you will be down longer than you think.
  • Rotate privileged access properly. Don’t just change passwords. Audit tokens, sessions, service accounts, and admin roles.
  • Turn lessons into controls. Patch the root cause, tighten identity, limit admin sprawl, enforce MFA for admins, and close the monitoring gaps that let the incident breathe.

The breach readiness kit most Canadian SMBs are missing

If this article makes you uncomfortable, good. That discomfort is your early-warning system. Here’s what we consider the minimum “breach readiness kit” to build before you need it:

  • A one-page call tree: who leads, who approves comms, who talks to legal, who contacts the bank, who calls your cyber provider.
  • A log map: where your identity, email, endpoint, firewall, VPN, and cloud logs live, and how to export them quickly.
  • Log retention you can defend: enough history to investigate realistically, not “whatever the default was.”
  • A tested restore process: not just backups, but verified recovery time objectives for your critical systems.
  • A finance kill switch: a documented process to pause wire payments and vendor banking changes during incidents.
  • Email security hygiene: phishing-resistant controls, plus filtering that reduces the junk reaching users. If you’re tightening this layer, 010grp also supports protective controls like email filtering to cut down the blast radius of phishing and impersonation.
  • Endpoint visibility: you need telemetry that tells you what ran, where, and when.
  • Privileged access discipline: fewer admins, tighter access, better audit trails.
  • A tabletop exercise schedule: quarterly beats “we’ll do it later.”
  • A baseline control plan: map your improvements to Canadian guidance so it’s not random spending.

This is exactly why we keep telling SMB leadership to stop buying tools and start building an operating rhythm. That shift is the difference between “security theatre” and “security outcomes.”

Make this real before you need it

If you only do one thing this quarter, do this: run a 60-minute tabletop exercise using a realistic scenario (BEC, ransomware, or stolen admin credentials). Timebox it. Force decisions. Capture gaps. Then fix the gaps with an actual plan and measurable controls.

Need a practical baseline to measure against? Start with Canada’s Baseline Controls and then operationalize them. We talk about that exact shift here: Stop Checking Boxes: Make Canada’s Baseline Controls Work in 60 Days.

And if your environment is mostly cloud apps (Microsoft 365, Google Workspace, Salesforce), remember: “cloud” is not a security strategy. Misconfigurations, weak identity policies, and poor logging are where breaches hide. This pairs well with: Your Cloud Isn’t Secure by Default (And Attackers Know It).

We’re a Canadian team built around one idea: cyber protection has to work on your worst day, not your best day. That’s why our approach combines strategic risk assessment and security policies, 24/7 monitoring and threat detection, incident response process (IRP) design, backup and disaster recovery, cyber intelligence, and security awareness training into one operational program.

If you want us to pressure-test your breach readiness, validate your logging and recovery reality, or build an incident response process your leadership can actually execute, you can reach out to 010grp here.

Bottom line: A breach is survivable. A sloppy response is what turns it into a headline.