The clock that no one hears until it's too late
Imagine that next Monday at 7 AM, none of your company's computers turn on. The management system won't open. Emails aren't coming in. The VoIP phone is silent. The order system is inaccessible. The payroll, which should be processed this week, simply no longer exists anywhere that anyone can reach. It's not a power outage. It's a ransomware attack: malicious software that encrypted your servers overnight, hijacking your data and demanding a financial ransom to return it.
According to IBM's 2024 Cost of a Data Breach report, companies with fewer than 500 employees take an average of 277 days to identify and contain a data breach. But the most critical point is not the 277 days. It's the first 48 hours. It's during this window that orders stop being billed, customers don't receive responses, contracts expire without renewal, and the entire operation goes into silent collapse. The question that separates companies that recover from those that do not survive is simple: does your organization know what to do in the first two hours?
The answer, in the overwhelming majority of SMEs, is no. And the reason is not negligence. It's a misguided premise: the belief that investing in defense eliminates the need to prepare a response. As if buying a good fire extinguisher negates the need for an evacuation plan.
The invisible cost of every hour of downtime
When discussing cybersecurity in board meetings, the conversation almost always revolves around prevention: firewalls, antivirus, two-factor authentication. These are legitimate and necessary investments. However, no defense is invulnerable. According to Forrester's The State of Incident Response 2024 report, 78% of organizations that experienced significant cyber incidents already had protection tools deemed adequate for their size. The attack did not occur due to a lack of technology. It happened because there were operational gaps: an employee clicked on a compromised link, a security update was delayed for three weeks, an old password was never deactivated.
The real problem, however, is not the invasion itself. It's what happens afterward. Think of your company as a gear: sales feed operations, operations feed revenue, revenue feeds cash, cash feeds everything. When systems stop, the gear doesn't slow down. It locks up. And every hour locked has a cost that goes far beyond the technology bill.
Consider a distributor with an annual revenue of R$ 20 million. This represents approximately R$ 80,000 per business day, or R$ 10,000 per business hour. Two hours of total shutdown mean R$ 20,000 in revenue that simply did not happen. In 48 hours, the number reaches R$ 160,000, not counting contractual penalties, loss of customers who migrated to competitors during the outage, and the reputational cost of explaining to partners why their orders were not delivered.
According to IBM, the average total cost of a data breach for smaller companies reached $2.98 million in 2024. This amount includes everything from forensic investigation expenses to lost business in the period following the incident. For many SMEs, an impact of this magnitude represents the difference between continuing to operate and closing their doors.
There is still a dimension that rarely appears in spreadsheets: the emotional and decision-making cost. When an attack occurs, the company's leadership is forced to make critical decisions under extreme pressure, without complete information and often without knowing whom to turn to. Should we pay the ransom or not? Communicate with clients now or wait? Engage lawyers before or after understanding the scope? Every minute of hesitation increases the damage. And hesitation is exactly what happens when there is no predefined script.
NIST, the National Institute of Standards and Technology of the United States, published version 2.0 of its Cybersecurity Framework in 2024. Among the six core functions of the model, two gained significant prominence in this update: Respond and Recover. The institutional message is clear: it is not enough to identify and protect. There must be a structured capacity to react and rebuild. For SMEs, this guidance is even more urgent, as the survival time without systems is drastically shorter than that of a large corporation with cash reserves for months of crisis.
Response as a strategic asset, not as a drawer document
An incident response plan, when well constructed, is not a 40-page technical manual that only the IT team understands. It is a strategic business document that answers three fundamental questions: who does what, in what order, and with what authority. It defines that, in the first 15 minutes, the person responsible for IT isolates the compromised systems while the operations director activates the communication protocol with key clients. It defines that within two hours, the leadership already has an initial overview of the attack's scope and can make informed decisions about suppliers, timelines, and recovery priorities.
Forrester's research revealed a data point that deserves attention: organizations that tested their response plans through simulations at least once a year reduced their average containment time by 54%. Not because they had superior technology, but because people knew their roles. The most accurate analogy is with a fire drill. No one waits for the building to catch fire to find out where the emergency exit is. With cyberattacks, the logic should be the same, but it almost never is.
The strategic path for the manager is not to become a cybersecurity expert. It is to ensure that three elements exist in their organization. First: a clear inventory of which systems are essential for operations, that is, those whose downtime interrupts revenue in less than four hours. Second: a documented, tested response plan known by all decision-makers, not just the IT department. Third: a qualified external partner who can be called upon immediately, because most SMEs do not have, and should not have, an internal cyber incident response team.
The question that the manager should bring to the next board meeting is not "Are we protected?" but rather "If we are attacked tomorrow night, what happens at 8 a.m. the next morning?" If the answer is silence or uncertainty, the company has a vulnerability that no firewall can resolve.
5 questions every manager should ask
1. What is the cost per hour of total operational downtime for your company?
2. Does your team know exactly what to do in the first 2 hours after a cyber incident?
3. Who makes critical decisions during an attack, and does that person know it?
4. Do you have a communication plan for clients and suppliers during a cyber crisis?
5. How long would it take to restore your essential operations without access to any digital systems?
1. What is the cost per hour of a complete shutdown of your company's operations?
This is the most revealing question and, at the same time, the least answered. Most managers know precisely the cost of an employee, a production line, or a square meter of rent. But almost no one has calculated how much it costs, per hour, for a complete shutdown of all digital systems. Revenue that is not generated, logistics that do not dispatch, customer service that does not respond, inaccessible financial information.
The exercise is simple but uncomfortable. Take your annual revenue, divide it by working days, then by business hours. This gross number is already alarming. Now add indirect costs: contractual penalties for delays, overtime to recover the backlog when the systems come back, and the cost of retaining customers who had a negative experience during the shutdown. According to IBM, 38% of the total cost of a data breach comes from the loss of business following the incident. It is not the attack that is the most expensive. It is what comes after it.
2. Does your team know exactly what to do in the first 2 hours after a cyber incident?
The first two hours after an attack are the operational equivalent of the "golden hour" in emergency medicine. The decisions made during this time determine whether the incident will be a contained crisis or a prolonged catastrophe. The problem is that, without prior training, natural reactions tend to be counterproductive: restarting servers that should remain isolated for forensic analysis, trying to resolve the issue "in-house" and wasting precious time, or simply freezing in the face of uncertainty.
Forrester identified that in 63% of serious incidents in mid-sized companies, the first hour was wasted trying to understand whether the problem was really an attack or just a technical failure. This initial indecision has cascading consequences. An effective response plan eliminates this ambiguity: it defines clear triggers to activate the crisis protocol, designates specific individuals responsible for each initial action, and establishes communication channels that function independently of compromised systems.
The manager does not need to know how to interpret server logs. They need to ensure that someone in the organization, whether internal or external, is prepared and authorized to act in the first minutes, not the first hours.
3. Who makes the critical decisions during an attack, and does that person know it?
During a cyber incident, decisions arise that completely exceed the technical scope. Communicate to the market or maintain confidentiality? Activate cyber insurance before or after consulting lawyers? Prioritize the recovery of the financial system or the customer service system? These are business decisions that require executive authority, not an IT analyst.
In many SMEs, the chain of command during a cyber crisis simply does not exist. The business owner discovers the problem through a cell phone call while in an external meeting. The CFO does not know if he has the authority to approve emergency spending on forensic consulting. The operations manager does not know whether to communicate with clients or wait for guidance. Each gap in authority turns into hours of decision-making paralysis.
NIST explicitly recommends that the response plan define a crisis governance structure with roles, authorities, and decision-making limits pre-approved by senior leadership. This means that the CEO, CFO, and COO must know, before any incident, what their specific role is during the crisis and what type of decision they can make without consulting others.
4. Do you have a communication plan for clients and suppliers during a cyber crisis?
Silence during a crisis is interpreted in only one way by the market: incompetence or cover-up. Neither of these perceptions is easily reversible. Clients who find out from third parties that their supplier has suffered a cyber attack lose trust disproportionately to the actual impact of the incident. An out-of-control narrative causes more damage than the event itself.
A crisis communication plan does not need to be sophisticated. It needs to be anticipated. It defines who communicates, at what moment, through which channel, and with what message. It establishes pre-approved templates for different scenarios: contained incident with no data breach, incident with potential exposure of client information, temporary operational shutdown. These templates are adjusted at the moment of the crisis, not created from scratch while the phone keeps ringing.
The regulatory dimension is also relevant. In Brazil, the LGPD (General Data Protection Law) requires communication to the ANPD and the affected data subjects within a reasonable timeframe. In the United States, each state has its own notification legislation, with deadlines ranging from 30 to 72 hours. Ignorance of these obligations is not a legal defense. It is an aggravating factor.
5. How long would it take to restore your essential operations without access to any digital system?
This question forces an uncomfortable reflection on the digital dependency of the operation. Many managers discover, only during a real incident, that processes considered simple, such as issuing an invoice, checking a customer's balance, or accessing a contract, are completely impossible without the management system. There is no paper plan B. There is no local copy. There is no documented manual procedure.
The ability to restore depends on two variables that must be defined before the crisis: the RTO (Recovery Time Objective), which is the maximum acceptable time to resume operations, and the RPO (Recovery Point Objective), which is the maximum amount of data the company is willing to lose, measured in hours of work. If your most recent backup is 72 hours old, that means three days' worth of work, orders, financial records, and communications simply cease to exist.
According to IBM, organizations that maintained tested backups isolated from the main network reduced the total cost of the incident by 43%. The key word is "tested." A backup that has never been restored in a simulation is just a hope. And hope, as any experienced manager knows, is not a strategy.
The difference between companies that navigate a cyber crisis and those that are consumed by it is not in the size of the IT budget. It lies in the existence of a realistic, tested plan known by those who need to execute it. If reading this article has raised more questions than answers about your company's preparedness, that is exactly the sign that the time to act is now.
Zamak Technologies offers a Strategic IT Diagnosis at no cost, focused on assessing the actual response capability of your operation in the face of a cyber incident. Request yours here.