When a high school principal couldn’t turn on her computer one morning, she assumed it was a minor technical problem with her machine. She quickly changed her mind, though, when within minutes she received phone calls from staff and students throughout the school about the lack of Internet access and computers that failed to start.

News quickly broke that every school in the district had lost access to the Internet. It was all due to one person. A recently fired IT employee illegally accessed the district’s computers using a school administrator’s username and password, and then destroyed a significant amount of data, including lesson plans, final papers, and athletic records in an effort to take revenge.

A single individual who has the power to create a massive security breach can affect an incalculable number of people. When the unexpected happens, local governments and any organizations associated with them need to act quickly. The first 24 hours are critical to successfully navigating a suspected security breach.

Here are critical steps local officials should take in this situation:

Look at your watch. The first two hours after learning of a breach are the most important since you must assemble a team and gather as much information as possible about the damage, along with the potential cause of the breach.

Find one clock (you don’t want variation in timing) and write down the details of the suspected breach: exactly what time you noticed the breach, who you spoke with after discovering a problem, and any details that can be assembled. This information will come in handy later when you develop the in-depth liability report and relay information to a variety of stakeholders.
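One way to keep the timeline described above, as an added example that is not part of the original article: each note is stamped in UTC from a single clock and chained to the previous note by hash, so a later edit or a back-dated entry shows up when the log is checked. The function names, field names and sample notes are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the chain


def _digest(entry):
    """SHA-256 over every field except the entry's own hash, in a stable order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record(log, who, what, now=None):
    """Append a note stamped in UTC from one clock and chained to the previous note."""
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("timestamp needs a timezone; naive local times are ambiguous")
    entry = {
        "seq": len(log) + 1,
        "utc": now.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "who": who,
        "what": what,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify(log):
    """Return the position of the first altered, reordered or back-dated note, else None."""
    prev, last_time = GENESIS, None
    for i, entry in enumerate(log, start=1):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        stamp = datetime.fromisoformat(entry["utc"])
        if last_time is not None and stamp < last_time:
            return i  # time ran backwards: a second clock or a back-dated note
        prev, last_time = entry["hash"], stamp
    return None


if __name__ == "__main__":
    notes = []  # constructed sample entries, not taken from the article's incident
    record(notes, "principal", "office computer will not start")
    record(notes, "principal", "staff report no Internet access school-wide")
    print(verify(notes))
    notes[0]["what"] = "edited afterwards"
    print(verify(notes))
```

The chain only proves integrity if the latest hash is also kept somewhere the log's editor cannot reach, for example written on paper or read out to a second team member.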

Identify your goals. A security breach elicits a strong emotional response, but you need to take a step back and determine your primary objective. Do you want to stop the attack, try to catch the culprit, or prevent future attacks? Aligning your team around the same goal or goals will lead to a greater chance of success and stop emotions from getting in the way of a solution.

Leave the power on. It’s tempting to immediately pull the plug on affected machines in an attempt to prevent further damage. The majority of today’s attackers, however, leave a trail in the computer’s memory as well as on the hard disk. Shutting down and rebooting a computer clears its memory, deleting valuable code held there, and may destroy any evidence of tampering.

Instead, quarantine affected machines by unplugging the network connection and not the power cord. This will preserve valuable information and save other machines from potential threats.

Look before you leap. There’s a fine line between transparency and discretion when dealing with a breach. What initially seems like a dire situation may turn out to be reparable after a few hours of investigation. In order to avoid causing panic, you need to properly evaluate the suspected breach before making a public announcement.

Typically, breach-related announcements occur three to five days after the incident. You don’t want to overshare or interfere with the current investigation, but it’s important not to hide anything. Stakeholders deserve a high-level snapshot of both the breach and your plan of action.

There are important things to do before going public. Make sure to gather your forensic evidence and address any obvious public-facing vulnerabilities. When you make a public announcement, it will grab the attention of not only investigative reporters, but also the hacking community. You want to make sure your organization is as prepared as possible for the additional scrutiny.

The key to successfully handling a breach is to react quickly and in an organized manner. By following the steps outlined above and making a governmentwide commitment to providing IT security education for all staff members, governments can recover from a breach and move forward with their primary goal of serving their residents for years to come.
