If your Singapore business is hit by a cyberattack, the first 24 hours decide how much it costs you. A calm, rehearsed response contains the damage, protects your customers, and keeps you on the right side of the PDPA; a panicked, improvised one does the opposite. This guide is a step-by-step incident response playbook for Singapore SMEs: what to do in the first hour, across the first day, and how to prepare before anything goes wrong.
Most small businesses assume incident response is something only banks and large enterprises need. In our experience delivering cybersecurity training to organisations across Singapore, the opposite is true: smaller teams have less time, fewer specialists, and thinner margins, so a simple plan makes a bigger difference for them than for anyone else.
What Is a Cyber Incident Response Plan, and Why Does Your SME Need One?
A cyber incident response plan is a short written document that sets out exactly who does what when your organisation suffers a security incident, from a ransomware infection to a leaked customer database. For a Singapore SME, it matters because the cost of a breach rises the longer it goes uncontained, and a plan is what lets a small team act fast instead of freezing on the worst morning of the year.
Ransomware and data theft continue to hit smaller organisations hardest, precisely because they tend to have lower security maturity and fewer resources than large firms. The Cyber Security Agency of Singapore (CSA) tracks ransomware as a persistent threat to local businesses, and its ransomware portal exists because so many affected organisations have no plan when the screen locks.
The good news is that a response plan is one of the cheapest controls you can build. It costs time, not money, and it pairs naturally with the everyday basics that keep the cost of a data breach for a Singapore SME down in the first place.
What Should You Do in the First Hour of a Cyber Incident?
The first hour is about containment and evidence, not blame or a full fix. Your goal is to stop the incident spreading while preserving what you will need to understand it later. Work through these steps in order.
- Isolate, do not wipe. Disconnect affected devices from the network by unplugging the cable or turning off Wi-Fi, but leave them powered on where possible. Logs and memory hold evidence that a rebuild would destroy.
- Assemble your response team. Pull in whoever owns IT, operations, and the decision to spend money. If you use an external IT provider, call them now.
- Preserve evidence and start a timeline. Open a simple document and record what was seen, when, and every action taken. This record helps recovery, insurers, and any regulator involved.
- Contain access. Reset passwords on affected and admin accounts, revoke suspicious sessions, and disable compromised users. Do not pay any ransom or reply to any extortion demand without advice.
- Protect the essentials. Confirm your backups are intact and offline, and check whether payment systems, email, and customer data are affected.
Resist the urge to fix everything at once. In the first hour, a contained incident with good notes beats a half-repaired one where nobody can reconstruct what happened.
The First 24 Hours: A Step-by-Step Response Timeline
Across the first day, an incident moves through four predictable stages: triage, containment, assessment, and recovery. Mapping your response to these stages stops the team from skipping ahead to a rebuild before anyone understands the scope. The timeline below is a realistic shape for a Singapore SME.
- 1
Detect and triage 0 to 1 hour
Confirm the incident is real, not a false alarm. Identify what is affected, assemble the response team, and begin your written timeline.
- 2
Contain 1 to 4 hours
Isolate affected systems, reset and revoke access, and block the attacker's route in. Preserve logs and evidence before changing anything you do not have to.
- 3
Assess and decide 4 to 12 hours
Work out which systems and what data were affected. Engage your IT provider, insurer, and bank if payments are involved, and assess whether the breach is notifiable under the PDPA.
- 4
Recover and report 12 to 24 hours
Restore from clean, tested backups, begin PDPA notification if the breach is notifiable, and communicate clearly with staff and affected customers.
Two mistakes derail this timeline most often. The first is recovering too early, restoring systems before the attacker’s access is removed, which simply reinfects the environment. The second is going quiet, leaving staff and customers to guess. A short, honest update beats silence every time.
Does the PDPA Require Singapore Businesses to Report a Data Breach?
Yes. Under Singapore’s Personal Data Protection Act (PDPA), you must notify the Personal Data Protection Commission (PDPC) within three calendar days once you assess that a data breach is notifiable, and notify affected individuals where required. A breach is notifiable if it is likely to result in significant harm to individuals, or if it affects 500 or more individuals.
The timing is widely misunderstood, so it is worth being precise about it.
| Question | The rule |
|---|---|
| When is a breach notifiable? | It is likely to cause significant harm to individuals, or it affects 500 or more individuals (significant scale) |
| How long do I have to notify the PDPC? | Within three calendar days of assessing that the breach is notifiable |
| What about affected individuals? | Notify them where the breach is likely to cause significant harm, at the same time or after notifying the PDPC |
| Can I delay by not assessing? | No. The PDPC expects your assessment to be prompt and reasonable, not stretched to buy time |
The three-day clock starts from your assessment, not from the moment of the breach, but you cannot sit on the assessment. If the PDPC later finds you failed to make reasonable security arrangements or missed the notification window, there can be financial penalties and directions on top of the breach itself. You can confirm the current thresholds and file a report at pdpc.gov.sg.
What Belongs in a One-Page Incident Response Plan?
A useful plan for an SME fits on a single page and can be read under pressure. It does not need the length or jargon of an enterprise policy; it needs to answer, at a glance, who acts and what they do. Include these elements.
- Roles and contacts. Name the incident lead, a deputy, and who can authorise spending or downtime. Include mobile numbers.
- Severity levels. A simple low, medium, high scale so the team knows when to escalate and wake people up.
- First steps. The isolate-preserve-contain actions from above, in order.
- External contacts. Your IT provider, cyber insurer, bank, SingCERT, and the PDPC.
- Communication plan. Who tells staff, customers, and regulators, and roughly what they say.
- Recovery steps. Where the backups are, how to restore them, and how to confirm systems are clean before reconnecting.
- Post-incident review. A short debrief to capture what happened and fix the gap.
CSA’s incident response checklists and playbooks give ready-made templates for common scenarios such as ransomware and business email compromise, which you can adapt rather than write from scratch. The point is not a perfect document; it is a plan the team has actually seen before the day they need it.
How Can Your Team Prepare Before an Incident Happens?
Preparation is where the first 24 hours are really won. Most incidents start with a person, not a firewall: a convincing email, a reused password, a payment request that looks legitimate. That makes your staff both the most common entry point and your earliest warning system, depending on how well they are trained.
Four habits do most of the work for a small business. Run tested, offline backups so ransomware cannot hold you hostage. Turn on multi-factor authentication for email, finance, and admin accounts. Rehearse your plan once with a simple tabletop exercise, talking through a ransomware scenario for an hour. And train your people to recognise and report suspicious messages quickly, because a phishing email reported in minutes rarely becomes a breach.
This is exactly where a workforce that understands the threat pays off. To go deeper on the human layer, see our guides to cybersecurity awareness training for Singapore businesses and phishing and employee training, and for the threats most likely to trigger a response, ransomware as a service and supply chain attacks. If you are also weighing a formal standard, our comparison of Cyber Essentials and the Cyber Trust mark shows where incident response fits into each.
The Bottom Line for Singapore Businesses
A cyber incident is not a question of if but when, and the difference between a bad week and a business-ending one is preparation. A one-page plan, tested backups, multi-factor authentication, and staff who can spot and report threats will do more for your resilience than any single tool. None of it is expensive, and all of it is within reach of a small team.
The calmest incident response is the one you rehearsed before the alarm went off. Build the plan while things are quiet, and the first 24 hours will look after themselves.
If you want your team ready before an incident lands, explore CFCI’s corporate cyber-safety training to see how hands-on sessions turn everyday employees into your first line of defence.
Frequently Asked Questions
What is a cyber incident response plan?
A cyber incident response plan is a short written document that sets out exactly who does what when your organisation suffers a security incident, from a ransomware infection to a leaked customer database. It names the people responsible, the immediate steps to take, and the external contacts to call, so a small team can act quickly instead of freezing. The Cyber Security Agency of Singapore publishes free incident response checklists and playbooks that a Singapore SME can adapt in an afternoon.
What is the first thing to do after you discover a cyberattack?
Isolate the affected systems from your network, but do not wipe or power them off, because the logs and memory hold evidence you will need. Disconnect network cables or Wi-Fi, revoke suspicious access, and assemble your response team. Then start a written timeline recording what you saw, when, and every action taken, which is invaluable for recovery, insurers, and any regulator involved.
How long do Singapore businesses have to report a data breach under the PDPA?
Under Singapore's Personal Data Protection Act you must notify the PDPC within three calendar days once you have assessed that a data breach is notifiable, and notify affected individuals where required. A breach is notifiable if it is likely to result in significant harm to individuals, or if it affects 500 or more individuals. The PDPC expects your assessment itself to be prompt, so you cannot delay the clock by delaying the assessment.
Does a small business really need an incident response plan?
Yes, and arguably more than a large enterprise, because SMEs are targeted heavily and have less cushion to absorb downtime. A plan does not need to be long or expensive; a single well-rehearsed page covering roles, first steps, contacts, and recovery is enough to turn panic into a process. Since most incidents start with a person being tricked, training staff to spot and report threats early is the highest-return preparation a small business can make.