What to do if your business gets hacked

Apr 02, 2026

Discovering Your Business Has Been Hacked Is Terrifying. Here's Exactly What to Do.


It happens more than most people realise. A staff member clicks a suspicious link, a password gets compromised, or ransomware silently encrypts your files overnight. One moment everything is fine, the next your business is in crisis.

If you discover your business has been hacked, the next few hours are critical. The actions you take, and the mistakes you avoid, in those first moments can mean the difference between a contained incident and a catastrophic breach.

This guide walks you through exactly what to do, step by step, so you can act fast, limit the damage, and get your business back on its feet.

 
Step 1: Don't Panic, But Act Immediately
The worst thing you can do when you discover a breach is freeze. The second worst thing is to act without thinking and accidentally make things worse.

Stay calm and get the right people involved immediately. If you have a managed IT provider, call them first. This is exactly the situation they exist for and they will know what to do.

If you don't have an IT provider, keep reading.

 
Step 2: Isolate the Affected Systems
The moment you suspect a breach, disconnect the affected devices from your network immediately. Unplug the ethernet cable, turn off Wi-Fi, and isolate any device that may have been compromised.

This is critical. Many cyberattacks, particularly ransomware, spread rapidly across networks. Every second a compromised device remains connected gives the attacker more time to move through your systems, encrypt more files, and cause more damage.

Do not turn the devices off completely unless instructed to do so by your IT provider. Turning a device off can sometimes destroy forensic evidence needed to understand what happened and how.

 
Step 3: Change Your Passwords Immediately
From a clean, unaffected device, change the passwords for every business account you can access. Start with the most critical ones first:

Email accounts
Microsoft 365 or Google Workspace admin accounts
Banking and financial platforms
Your website and hosting accounts
Any CRM, ATS, or business management software
Social media accounts

Enable multi-factor authentication on every account if you haven't already. This adds a second layer of security that makes it significantly harder for attackers to maintain access even if they have your password.

 
Step 4: Assess What Has Been Compromised
Once the immediate threat is contained, you need to understand the scope of the breach. Work with your IT provider or a cybersecurity specialist to establish:

Which systems and devices were affected
What data may have been accessed, stolen, or encrypted
How the attacker got in
How long the breach may have been active before it was discovered
Whether the attacker still has access to any part of your systems

This information is critical not just for recovering your systems, but for fulfilling your legal obligations under UK GDPR.

 
Step 5: Report the Breach If Required
Under UK GDPR, if personal data has been compromised in a breach, you are legally required to report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Failing to report a notifiable breach can result in significant fines on top of the damage already caused by the attack itself.

You may also need to notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms, for example if financial data, medical records, or sensitive personal information has been exposed.

If you are unsure whether your breach is notifiable, the ICO's website has clear guidance on what qualifies as a notifiable breach.

 
Step 6: Restore From Backups
If your data has been encrypted by ransomware or deleted by an attacker, your backups are your lifeline. This is why having a reliable, regularly tested backup solution is one of the most important investments any business can make in its IT.

A good backup solution means:

Your data is backed up automatically every day
Backups are stored separately from your main systems so ransomware can't reach them
You can restore your data quickly and completely without paying a ransom

If you don't have backups, or your backups were also compromised, recovery becomes significantly more complex, time-consuming, and expensive. In some cases, data may be permanently lost.

 
Step 7: Do Not Pay the Ransom
If you have been hit by ransomware and are being asked to pay to recover your files, our strong advice is: do not pay.

Paying the ransom does not guarantee you will get your data back. It does not guarantee the attacker will not publish your data anyway. And it marks your business as a target willing to pay, making you more likely to be attacked again in the future.

Work with your IT provider and, if necessary, a specialist cyber incident response team to explore all recovery options before considering payment.

 
Step 8: Communicate With Your Team and Clients


Your team needs to know what happened, what systems are affected, and what they should and should not do while recovery is underway. Clear internal communication prevents panic and stops staff from accidentally making things worse.

If client data has been compromised, you have both a legal and ethical obligation to let them know. Be clear about what happened, what data was involved, what you are doing to fix it, and what steps you are taking to prevent it happening again. 

Step 9: Conduct a Full Post-Incident Review
Once the crisis is over, conduct a thorough review of what happened and why. Work with your IT provider to understand:

How the attacker got in
What security gaps existed that allowed the breach to happen
What could have been done to detect it sooner
What changes need to be made to prevent it happening again

This review should result in a concrete action plan, not just a list of observations. Every gap identified should have a clear owner, a timeline, and a resolution.

 
Step 10: Strengthen Your Defences
A cyberattack is a painful experience. But it is also an opportunity to build a significantly stronger security posture than you had before. Use the lessons learned from the incident to implement the protections that should have been in place already:

Multi-factor authentication on all accounts
Endpoint protection on every device
Regular security awareness training for all staff
Automated, offsite backups tested regularly
Device management with Microsoft Intune
Email security filtering
A clear incident response plan so you know exactly what to do if it happens again
 
How Blackgate Tech Can Help

At Blackgate Tech, we help London businesses respond to cyber incidents, recover their systems, and build the defences needed to prevent future attacks. If your business has been compromised, call us immediately. We respond fast, work methodically, and get you back on your feet as quickly as possible.

We also help businesses that have never been attacked put the right protections in place before an incident occurs, because prevention is always faster, cheaper, and less stressful than recovery.