Insight

What to do if your business has been hacked

What to do if your business has been hacked: a calm, step-by-step response plan to contain the breach, secure accounts, report it, and recover safely.

Published

June 18, 2026

Reading time

6
min read
Operate
What to do if your business has been hacked

What to do if your business has been hacked: a calm, step-by-step response plan to contain the breach, secure accounts, report it, and recover safely.

In this article

If your business has been hacked, act calmly and in order: disconnect the affected device from the internet, change the passwords on compromised accounts from a clean device, turn on multi-factor authentication, tell your IT support, and report it to the Australian Cyber Security Centre. Fast, methodical action limits the damage far more than panic does.

Being hacked is stressful, but most incidents are recoverable if you respond well. Here is a clear, step-by-step plan you can follow in the moment, and what to do afterwards so it does not happen again.

What are the first signs you've been hacked?

Common signs include being locked out of an account, colleagues or clients receiving strange emails from you, unexpected password-reset messages, files suddenly encrypted or renamed, or new logins from odd locations. If something feels off, treat it seriously rather than waiting to be sure.

Warning: Treat the first odd sign as real and act, because the time you spend second-guessing whether you have been hacked is the time an attacker uses to spread.

What should you do first?

Contain it first: disconnect the affected device and secure the accounts involved. Speed matters, because the sooner you cut off access, the less an attacker can do.

  1. Disconnect the affected device from the internet (unplug or turn off Wi-Fi), but don't wipe it, you may need the evidence.
  2. Change passwords for affected accounts from a different, clean device, starting with email.
  3. Turn on MFA so the attacker is locked out even if they still have a password.
  4. Tell your IT support so they can check how far it spread.
  5. Warn your team and clients if fake messages may have gone out in your name.

Who should you report it to?

Report the incident to the Australian Cyber Security Centre through ReportCyber, and to any other body your situation requires. If personal data was exposed, you may have obligations under the Notifiable Data Breaches scheme, so get advice quickly.

  • ACSC and ReportCyber: cyber.gov.au/report
  • Your bank, if any financial details or payments were involved.
  • The Office of the Australian Information Commissioner, if client data was breached.

How do you recover and stop it happening again?

Once contained, restore from a clean backup, reset all relevant credentials, and close the gap that let them in. This is where a tested backup pays for itself. Afterwards, review what happened honestly, without blaming the person who clicked, because the fix is better systems, not shame.

Best practice: Run the review without blaming whoever clicked, since people report incidents far faster when they know the response is a fix rather than a telling-off.

Most repeat incidents are prevented by the same basics: MFA everywhere, updates, tested backups, and a team that can spot a phishing email. If you would rather have someone watching for this, that is what our cyber security service does.

Tip: Keep a short, printed incident plan with the key steps and phone numbers, because the middle of a breach is the worst time to work out who to call.

The short version: contain, change passwords, enable MFA, report it, then recover from backup and fix the root cause. Move quickly and methodically.

Frequently asked questions

What is the very first thing to do if I've been hacked?

Disconnect the affected device from the internet to cut off the attacker, then change your passwords from a separate, clean device starting with email.

Should I pay a ransomware demand?

The ACSC advises against paying, because it funds crime and does not guarantee your files back. If you have a tested backup, you can restore instead. Get expert advice before deciding.

Do I have to report a data breach in Australia?

If the breach is likely to cause serious harm and involves personal information, the Notifiable Data Breaches scheme may require you to report it to the OAIC and affected people. Seek advice promptly.

How do I know how far the hack spread?

IT support can review account activity, sign-in logs and connected systems to trace it. This is why keeping the affected device intact, rather than wiping it, matters.

Can I recover without paying a ransom?

Usually yes, if you have a recent, tested backup you can restore from. That single control is what lets most businesses avoid paying.

Worried about how your business would cope with an incident? Take the free business health check and we will help you get ready before anything goes wrong.

June 18, 2026
Ryan Pigram
Ready when you are

One partner.
Marketing and technology, run as one.

Tell us where your business is at, and we will tell you where we would start.