Essential Risk Management

A Birthday Card. That's All It Took -- A Cyber Incident Response Plan for Artists

Years of irreplaceable work, gone. Thirty years of security experience in the house. Didn't matter. Here's the plan I built from that day.

Paul Caloca - EssentialRiskMgt
Apr 30, 2026

In this article:

  • The incident that changed my perspective

  • Why artists and solo creatives are attractive cyberattack targets

  • Cyber incident response plan basics: preparation that actually works

  • What to do in the first 15 minutes (first response checklist)

  • Data breach notification laws and deadlines for client data

  • The Cyber Incident Response Plan for Artists: what’s included

The Incident That Changed My Perspective

Years ago, someone I care about received an electronic birthday card by email. The animated kind — a link you click to hear a little song and see some cartoon figures wave. It came from someone who meant well. It was genuinely sweet.

They clicked it.

I watched what happened next. The machine started behaving strangely within seconds. We couldn’t stop it or save it. By the end of that day, the machine became as useful as a brick. The recovery effort was painful, expensive, and incomplete. Years of files — irreplaceable personal work — were lost. The machine had to be replaced.

I am a senior information security professional. Thirty years in this field. Five top-level security certifications. A career built around protecting systems exactly like that one for Fortune 500 companies. I could not stop it. By the time I understood what had happened, there was nothing I could do.

That day is a significant part of why Essential Risk Management exists.

I don’t write about it often. But I’m writing about it today because I want to be direct with you about something: if it happened in my house, with everything I know — it can happen in yours.

The Part Most Artists Get Wrong (Why Photographers Get Hit With Ransomware)

Here is what the people who run cyberattack operations understand, and what most creative professionals don’t: you are a more attractive target than a large corporation.

That sounds backward. It isn’t.

Large companies have IT security teams, firewalls, monitoring systems, and incident response contracts. You have a laptop and a Wi-Fi password. The people doing this are running a business. They want return on time invested. The math consistently favors going after you.

According to the Verizon Data Breach Investigations Report, 99% of cyberattacks on small businesses are financially motivated. They are not after your art. They’re after your client data to sell, your accounts to exploit, and your files to hold hostage. Your work is the leverage, not the prize.

This isn’t theoretical. It plays out constantly, in ways that don’t make the news because there’s no dramatic headline in “local photographer loses five years of client files.” Ransomware offers the highest financial return for the least effort of any attack on solo creative businesses — and in practice, that often looks like ransomware for photographers. Email accounts taken over and used to scam subscriber lists. Stolen laptops with unencrypted drives handing thieves years of client contact information. These things happen every day. The fact that they don’t trend doesn’t mean they don’t happen to people exactly like you.

According to a 2022 article in Dark Reading, more than 24 billion stolen usernames and passwords were available for purchase on criminal marketplaces. We can easily assume that number has increased in the last four years. Your email address — and an old password you’ve used somewhere before — are almost certainly among them. This is not speculation. It is documented.

What Preparation Actually Looks Like (Cyber Incident Response Plan Basics)

Most artists don’t have an incident response plan. Not because they don’t care, but because every plan written for non-technical people either reads like a legal contract or assumes you have an IT department. Neither is useful at 11 p.m. when your screen is showing a message you’ve never seen before.

Preparation comes down to three things, and none of them require a technical background.

  1. A tested backup in two locations. Ransomware — the attack that locks your files and demands payment — has exactly one reliable defeat: a clean backup made before the attack hit. Not a backup you set up once and forgot about. A backup you’ve tested by actually restoring a file from it. One copy stored somewhere offline, one copy in the cloud.

An article at Spacelift.io summarizing data breach reports from Verizon Data Breach Investigations Report, IBM Cost of a Data Breach Report, FBI Internet Crime Complaint Center (IC3), Hiscox Cyber Readiness Report, CrowdStrike, Sophos, KnowBe4, and several newly published studies from 2025 and early 2026 showed:

  • 88% of small business data breaches in 2025 involved ransomware, compared with just 39% for large organizations.

  • 80% of small businesses experienced at least one cyberattack in 2025, and 41% of those incidents were AI-driven.

  • Only 34% of small businesses have a formal incident response plan.

A tested backup is the difference between a two-day disruption and a business that doesn’t survive.

  2. Two-step login on every account. Microsoft’s Digital Defense Report 2025 found that accounts with multi-factor authentication enabled are 99.9% less likely to be compromised. This applies to your email, your social media, your cloud storage, your booking system. One setting change per account. Nothing else available to you produces this level of protection for this little effort.

  3. Disk encryption on your laptop. If your machine is stolen and the drive isn’t encrypted, the thief doesn’t need your password. They remove the drive, connect it to another computer, and read everything on it — your client files, your financial records, your saved passwords — as easily as reading a flash drive. FileVault on Mac and BitLocker on Windows 11 are free, built into the operating systems you already own, and require one toggle in your settings to activate.

None of these things prevent every attack. What they do is ensure that when something happens, the story ends with inconvenience rather than catastrophe.

When It Happens — And It Will Happen to Someone You Know

The First Fifteen Minutes of a Cyberattack Are the Most Important (Including Account Takeover Recovery)

Ransomware can often be limited if you disconnect from the internet immediately, before the malicious software finishes calling home for the encryption keys that lock your files. An account takeover can be stopped if you change your password before the attacker locks you out. A stolen laptop is either a data breach or a financial loss, depending almost entirely on whether you act within the hour and disk encryption is active.

Most people freeze.

Not because they’re not smart — because they haven’t thought through what they would do before it happened. Research psychologists call this cognitive tunneling: under stress, your attention narrows to the immediate emergency, and problem-solving that would normally take ten minutes takes an hour because you keep losing the thread.

The people who respond effectively to incidents aren’t calmer. They’re the ones who are prepared and practiced.

Data Breach Notification Law: The Legal Dimension Most Artists Don’t Know About

All 50 U.S. states have data breach notification laws requiring you to notify affected clients when personal information you hold is compromised. (See state-by-state requirements at ncsl.org.) Some states require notification within 72 hours of discovery. That clock starts when you find out, not when you finish figuring out how bad it was. Not knowing this doesn’t exempt you from it.

An Incident Response Plan for Artists

A written plan — one you can grab in ten seconds, on paper within reach of your desk, whether or not your computer is online — gives you the steps before you need them. Who to call. What to do first. What not to do. What you’re legally required to report, and when.

What I Built: A Cyber Incident Response Plan for Artists

I spent thirty years providing this level of preparation to major organizations. This is the same approach, translated into a cyber incident response plan for artists in language that doesn’t require a security degree to act on.

The Cyber Incident Response Plan for Artists is a complete package built specifically for photographers, videographers, podcasters, musicians, and physical-medium artists running a solo creative business.

Here’s what you get:

The Incident Response Plan (IRP) Template

A fillable Word document covering macOS and Windows 11 side by side. It walks you through what to fill in before anything happens — your contacts, your devices, your accounts, your backup location. And it walks you through exactly what to do during four specific incidents: ransomware or malware, account takeover, data breach or leak, and device theft. Platform-specific steps for Mac and Windows appear side by side throughout. A printable Quick Reference page is included for the moment when your computer isn’t available and you need the answer in ten seconds.

The Companion Guide.

A comprehensive explanation of why every step in the template matters. The research behind each recommendation. What happens when people skip it. Written in plain English, no jargon. Read it once before you fill in the template. Read it again after any incident.

The Explainer Video.

A walkthrough of the key concepts for anyone who processes better by watching than reading.

The Audio Guide: Why Criminal Cartels Target Solo Creatives.

A direct conversation, in podcast format, about who is actually targeting creative professionals, what they want, and what that means for your specific exposure.

This is the plan I wish had existed the day that birthday card arrived.

Wrap Up

The attack that destroyed that machine years ago happened to someone who had no reason to expect it. That’s how these things always happen — to careful people, not careless ones, in moments that look perfectly ordinary right up until they don’t.

You know enough now to expect it. The question is whether you’ll have a plan ready when it arrives.

PAID Subscribers can download the Cyber Incident Response Plan for Artists below.

Not ready to become a PAID subscriber? Check out the plan at the link here.

Have you ever had an account taken over, a device stolen, or a file you couldn’t get back? I’d like to hear what happened — not for any reason except that every story like that is a reminder of why this work matters.
