by Scott Jack
Content Contributor, E-N Computers
More than a decade of experience in technical support including end user support, mobile device management, application deployment, and documentation.
Your systems are down. Your IT contact isn’t answering, or they’re telling you they’re “working on it” with no timeline. You have clients expecting deliverables, employees who can’t do their jobs, and no clear picture of when this ends.
This guide isn’t for your IT team. It’s for you — the CEO, CFO, or operations leader who needs to protect the business while someone else handles the technical problem. Most of the guidance available online is written for the wrong person.
On top of that, if your business operates under CMMC, HIPAA, or financial services regulations, there’s an added layer to manage that most crisis guides ignore entirely: your compliance obligations activate the moment the incident starts, not after you’ve confirmed what happened. That changes the order of everything.
Here’s what to actually do.
QUICK ANSWER:
What should you do when your computers and servers go down?
Start with business triage: document the exact impact, risks, and start time to protect your business legally and financially.
Next, take the initiative to communicate with key clients, your internal team, and then vendors. Be aware of industry regulatory requirements for notification.
While recovery is underway, secure a realistic resolution timeline and establish a clear communication bridge, knowing when to escalate and call for outside help.
Finally, treat the outage as a diagnostic. What it revealed about your IT risk matters more than the recovery itself — and it’s the conversation most regulated businesses never have.
Table of Contents
- Start with business triage, not the technical problem
- Your first 30 minutes: who to call and what to say
- What regulated businesses have to do that others don’t
- The incident log every regulated business needs
- How to manage your IT team during the crisis
- What the crisis is telling you
- Case Study: When ransomware hits a government health office
- If your systems are down right now
Start with business triage, not the technical problem
The first instinct in an IT crisis is to focus on the broken thing: call IT, restart servers, chase down whoever is supposed to be responsible. But that is not the first thing you should do as a business leader.
Before anything else, spend ten minutes on business triage. What’s specifically at risk? Which client deliverables are due today or this week? Are there compliance deadlines that could be missed? How many employees can’t work, and in which functions? Which automated processes are stopped, like billing, payroll, or customer communications?
Write down the impact, the risks, and the exact time the failure started. This isn’t busywork. It’s the foundation of any insurance claim, regulatory incident report, or legal defense you may need later. Starting it now, while the timeline is fresh, protects you in ways that only become clear after the crisis is over. Keep this document. It becomes the foundation of any compliance incident report you may be required to file.
Your first 30 minutes: who to call and what to say
Once you have a basic picture of business impact, the next priority is people.
Start with your most important client relationships. Call them personally, by phone. You don’t need answers yet. You need to get ahead of the problem before they notice it on their end. A calm, direct call from the CEO or account lead, acknowledging the situation and committing to a follow-up by a specific time, preserves far more goodwill than waiting until you have something definitive to say.
Only say what you actually know. Some advisors suggest softening the language – describing the situation as “planned maintenance running longer than expected” for example. That can work, but it can also backfire if clients later learn the full story. Better to say what you know: there’s a system issue, you’re managing the response, here’s how it affects their work, and here’s when you’ll update them next. Most clients respect honesty over polished misdirection.
Next, brief your internal team. Keep it short and factual: what systems are affected, what people should focus on in the meantime, and when to expect an update. Uncertainty is hard to sit with, and a one-hour update cadence gives people something to hold onto.
Finally, notify any vendors or partners with active integrations or SLA agreements. Suppliers expecting automated orders, partners whose systems connect to yours, service providers whose contracts may be affected — these calls are easy to forget under pressure and harder to make after the fact.
One more call belongs on this list if you’re in a regulated industry: your compliance officer or legal counsel. Not after recovery. Now. The notification windows in CMMC, HIPAA, and certain financial regulations are shorter than most businesses realize, and the clock starts at the incident — not when you’ve confirmed the damage.
What regulated businesses have to do that others don’t
This is where an IT outage becomes a different kind of problem for regulated businesses. The obligations below exist regardless of whether data was confirmed lost or compromised. Regulators don’t wait for your investigation to conclude — and neither should you.
Defense and manufacturing. Government contracts involving controlled unclassified information (CUI) under CMMC have their own incident documentation and notification obligations. If your systems handle CUI and were affected, that conversation with your compliance lead can’t wait.
Healthcare. HIPAA requires you to assess whether patient data was potentially accessed or compromised. Your compliance officer should be in the loop within the first hour, not after recovery. If there’s any possibility of a breach, notify your cyber insurance carrier promptly. Most policies have reporting requirements that work against you if you wait.
Professional services. Legal, accounting, and consulting firms need to think about client confidentiality from the first minute. Document what you did to protect client data. If there’s any possibility client data was affected, that disclosure conversation is better coming from you than discovered later.
Financial services. Financial services firms should immediately assess whether the outage triggers notification obligations under SEC Regulation S-P, FINRA rules, or applicable state regulations, particularly if client data or transaction systems were affected. Contact your bonding and insurance carriers early; some policies require notification within 24 to 72 hours of a known or suspected incident. Your compliance officer should confirm your specific obligations before you assume none apply.
The incident log every regulated business needs
Regardless of your industry, build a running incident log from the moment you start responding. Record timestamps, actions taken, who was notified, what decisions were made, and by whom. This document serves triple duty: it satisfies regulatory incident reporting requirements, supports any insurance claim you file, and protects you legally if the outage later becomes a dispute. Start it in the first ten minutes and don’t stop until the incident is closed.
Here’s what to capture, and why each piece matters:
Timestamps for every action taken. Regulators and insurers will scrutinize your timeline. When did you first detect the issue? When did you notify your compliance officer? When did recovery begin? Precise times are more defensible than approximations, but approximates are better than nothing. Gaps in the timeline invite scrutiny; a complete record closes those gaps before they become questions.
Who was notified, and when. Many compliance frameworks specify not just that you notified someone, but how quickly you did it. Logging each notification by name, role, and time demonstrates that your response followed the requirements. It also protects you internally if there’s later disagreement about who knew what and when.
Decisions made, and who made them. Outages force judgment calls under pressure: whether to take a system offline, whether to notify clients before you have full information, whether to bring in outside help. Documenting those decisions and the reasoning behind them shows that your response was managed, not improvised. In a regulatory review or legal dispute, the difference between “we decided” and “we documented that we decided” is significant.
Actions taken by your IT team. You don’t need to understand every technical step, but you do need a record that recovery efforts were underway and progressing. Ask your IT contact to log what they attempted, what they found, and what they changed. This becomes essential if data loss is later alleged. You’ll want to show exactly what was touched and when.
Any indication of data access or exposure. Even if you don’t confirm a breach, document anything that suggested one was possible: unusual access logs, systems that shouldn’t have been reachable, vendors who reported anomalies. Regulators generally respond better to businesses that flagged uncertainty and investigated than to those who assumed everything was fine and moved on.
The log doesn’t need to be sophisticated — a shared document with a running timestamp works fine. What matters is that it exists, that it’s contemporaneous, and that it doesn’t stop until the incident is formally closed.
This section is an orientation, not legal advice. Your compliance officer, attorney, or industry-specific regulatory contacts are the right people to confirm your specific obligations.
How to manage your IT team during the crisis
Whether you have an internal IT person, a managed services provider, or an emergency contractor, your job during the technical recovery is to be the business leader in the room, not a second technician.
Get a realistic timeline as early as possible, and push back if you’re not getting one. ”We’re working on it” isn’t a timeline. It’s reasonable to ask: what do we know, what still needs to be determined, and what’s the best estimate for when essential systems will be back? You need accurate information to communicate to your team and clients.
Set a cadence for updates. Every 30 to 60 minutes during an active crisis is reasonable. Put one person in charge of the bridge between the technical team and business operations so information flows without everyone interrupting the people doing the work.
Know when to call for outside help. If two hours pass with no resolution timeline, or if data may have been lost or compromised, or internal IT is clearly in over their head — it’s time. Emergency IT support from an experienced provider can be on-site quickly during business hours and will typically start with a business impact assessment before diving into remediation.
What the crisis is telling you
Once systems come back online and employees are back to work, most businesses breathe a sigh of relief and move on. An honest conversation about what happened, and how to prevent it from happening again, rarely follows.
Most businesses never count the cost of an outage, so they don’t see the need to change. But downtime has real costs: lost productivity, lost revenue, recovery costs, and reputational damage. Once you calculate the cost of downtime, though, it becomes much clearer that being proactive is more cost-effective. As the adage goes, “An ounce of prevention is worth a pound of cure”.
An IT outage exposes more than a technical failure. It reveals how well your systems are documented. It shows whether your compliance obligations were understood before the incident, or discovered during it. It demonstrates whether your IT provider has a genuine understanding of your regulatory environment, or whether they’re a generalist who learned about CMMC from your frantic call.
The businesses that come out of these events stronger aren’t the ones with the fastest recovery. They’re the ones whose leaders used the crisis as a forcing function — to assess where the real risks are, close the gaps that made the outage worse, and put a different structure in place before the next one.
That conversation between a business leader and an IT partner who understands their regulatory environment is what most businesses never have, because the urgency fades and they go back to normal before it happens.
If that conversation sounds useful, it’s what we do. A working session with E-N Computers starts with your actual risk posture and ends with a clear picture of where you’re exposed and what closing those gaps looks like. There’s no obligation after that conversation, and no cost.
Case Study: When ransomware hits a government health office
A government health office was already in a vulnerable moment when the crisis hit — their IT manager had recently left, leaving a gap in coverage and institutional knowledge. Then ransomware struck a server and spread to network storage, putting 80 computers and years of locally-hosted files at risk.
On top of that, the FBI had already shut down the ransomer’s infrastructure, which made it impossible to negotiate for a decryption key. There was no one to pay and no clear path to recovery.
The incident revealed a pattern familiar in organizations that have outgrown their original IT setup: backups were limited in both frequency and coverage, there was no DNS-level filtering to block malicious traffic before it reached endpoints, and users hadn’t received recent cybersecurity training on phishing or ransomware vectors. The email spam filtering also needed attention.
How ENC solved the crisis and improved IT maturity
E-N Computers began troubleshooting remotely immediately after being contacted by the health office, but quickly recognized that the problem required on-site support. We were there the next day to begin working on recovery. A partial backup and old emails were used to reconstruct their data as much as possible.
In the weeks that followed, we implemented a new backup system, deployed DNS filtering on endpoints, added Meraki advanced security licensing for network-level protection, and reviewed the spam filtering setup. Our goal was recovery and making sure the same thing could not happen again.
Following this incident, the office enrolled in fully managed IT services to address the gap left by their departed IT manager. When their needs changed a year later, we moved to a co-managed model — E-N Computers handles the infrastructure, monitoring, and security layer while they have a staff IT person for daily support. Our client continues to benefit from a stable and secure IT environment with reliable, regularly tested backups.
If your systems are down right now
If your systems are down and you need emergency support, call E-N Computers’ service desk at 866-692-9082. During business hours, a real person will answer. After hours, our answering service will take your information and we’ll be in touch the next business day.
If the immediate crisis is over and you want to understand what it revealed, book a consultation. We work primarily with defense contractors, healthcare organizations, and financial services firms in the Virginia and DC metro area.
Not sure if you need managed IT services?
Take the IT Maturity Self-Assessment
In a few minutes, get actionable insights on your IT strategy, plus a free strategic consultation.
