What to Do If Your Business Gets Hacked


Cyber attacks don’t always come with warning. Many businesses only realise something is wrong after systems stop working, accounts are locked, or suspicious emails are sent from their own domain.

Knowing what to do immediately after a cyber incident can significantly reduce damage and recovery time.

Step 1: Contain the Incident Immediately

The first priority is to stop the attack from spreading.

This may include:

  • Disconnecting affected devices from the network

  • Locking compromised user accounts

  • Preventing further access to systems or cloud services

Quick containment can limit data loss and operational disruption.


Step 2: Do Not Delete Evidence

It may be tempting to reset systems or delete files, but this can make the situation worse.

Preserving logs, emails, and system activity helps:

  • Understand how the attack occurred

  • Identify what was accessed

  • Support recovery and remediation efforts

Accurate information is critical at this stage.
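
One way to preserve log files before any clean-up begins, shown as an added example that is not part of the original article: the Python code below copies files into a new evidence folder, records a SHA-256 hash for each copy, and can later report any copy that has changed or gone missing. The function names, the `MANIFEST.json` file name and the folder layout are assumptions made for illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def preserve(sources, evidence_dir):
    """Copy files into a new evidence folder and write a SHA-256 manifest."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True)  # fails if it exists: never overwrite a collection
    entries = []
    for i, src in enumerate(Path(s) for s in sources):
        dest = evidence_dir / f"{i:04d}_{src.name}"  # numeric prefix avoids name clashes
        shutil.copy2(src, dest)  # copy2 keeps the original modification time
        digest = sha256_file(dest)
        if digest != sha256_file(src):
            raise IOError(f"copy of {src} does not match the original")
        dest.chmod(0o444)  # read-only, to guard against accidental edits
        entries.append({
            "original_path": str(src.resolve()),
            "stored_as": dest.name,
            "sha256": digest,
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        })
    manifest = evidence_dir / "MANIFEST.json"  # assumed manifest name
    manifest.write_text(json.dumps(entries, indent=2))
    manifest.chmod(0o444)
    return entries

def verify(evidence_dir):
    """Return stored files that are missing or no longer match the manifest."""
    evidence_dir = Path(evidence_dir)
    entries = json.loads((evidence_dir / "MANIFEST.json").read_text())
    return [e["stored_as"] for e in entries
            if not (evidence_dir / e["stored_as"]).is_file()
            or sha256_file(evidence_dir / e["stored_as"]) != e["sha256"]]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, not real logs
        log = Path(tmp) / "mail.log"
        log.write_text("2024-01-01T09:00:00Z login ok user=alice (constructed line)\n")
        preserve([log], Path(tmp) / "evidence")
        print("changed or missing:", verify(Path(tmp) / "evidence"))
```

Storing the evidence folder on separate media from the affected system keeps the copies out of reach of whatever changed the originals.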


Step 3: Identify What Was Affected

Not all cyber incidents have the same impact. It’s important to determine:

  • Which systems or accounts were compromised

  • Whether data was accessed or stolen

  • If the attack is still ongoing

This helps guide the correct response and next steps.


Step 4: Secure Accounts and Systems

Once the threat is contained, affected systems and accounts must be secured.

This typically includes:

  • Resetting passwords

  • Enabling or enforcing multi-factor authentication

  • Removing unauthorised access

  • Applying security updates and configuration fixes

These actions reduce the risk of re-entry by attackers.


Step 5: Assess Business and Legal Impact

Depending on the incident, businesses may need to consider:

  • Customer or supplier notification

  • Regulatory or compliance obligations

  • Cyber insurance requirements

Understanding these obligations early helps avoid further issues.

Step 6: Strengthen Security to Prevent Recurrence

Most cyber incidents exploit known weaknesses. After recovery, it’s important to address the root cause.

This may involve:

  • Improving email and cloud security

  • Training staff to recognise threats

  • Reviewing access controls and permissions

  • Conducting a security assessment

Prevention is always more effective than repeated recovery.
