Insight
What to do if your business has been hacked: a calm, step-by-step response plan to contain the breach, secure accounts, report it, and recover safely.
What to do if your business has been hacked: a calm, step-by-step response plan to contain the breach, secure accounts, report it, and recover safely.
If your business has been hacked, act calmly and in order: disconnect the affected device from the internet, change the passwords on compromised accounts from a clean device, turn on multi-factor authentication, tell your IT support, and report it to the Australian Cyber Security Centre. Fast, methodical action limits the damage far more than panic does.
Being hacked is stressful, but most incidents are recoverable if you respond well. Here is a clear, step-by-step plan you can follow in the moment, and what to do afterwards so it does not happen again.
Common signs include being locked out of an account, colleagues or clients receiving strange emails from you, unexpected password-reset messages, files suddenly encrypted or renamed, or new logins from odd locations. If something feels off, treat it seriously rather than waiting to be sure.
Warning: Treat the first odd sign as real and act, because the time you spend second-guessing whether you have been hacked is the time an attacker uses to spread.
Contain it first: disconnect the affected device and secure the accounts involved. Speed matters, because the sooner you cut off access, the less an attacker can do.
Report the incident to the Australian Cyber Security Centre through ReportCyber, and to any other body your situation requires. If personal data was exposed, you may have obligations under the Notifiable Data Breaches scheme, so get advice quickly.
Once contained, restore from a clean backup, reset all relevant credentials, and close the gap that let them in. This is where a tested backup pays for itself. Afterwards, review what happened honestly, without blaming the person who clicked, because the fix is better systems, not shame.
Best practice: Run the review without blaming whoever clicked, since people report incidents far faster when they know the response is a fix rather than a telling-off.
Most repeat incidents are prevented by the same basics: MFA everywhere, updates, tested backups, and a team that can spot a phishing email. If you would rather have someone watching for this, that is what our cyber security service does.
Tip: Keep a short, printed incident plan with the key steps and phone numbers, because the middle of a breach is the worst time to work out who to call.
The short version: contain, change passwords, enable MFA, report it, then recover from backup and fix the root cause. Move quickly and methodically.
Disconnect the affected device from the internet to cut off the attacker, then change your passwords from a separate, clean device starting with email.
The ACSC advises against paying, because it funds crime and does not guarantee your files back. If you have a tested backup, you can restore instead. Get expert advice before deciding.
If the breach is likely to cause serious harm and involves personal information, the Notifiable Data Breaches scheme may require you to report it to the OAIC and affected people. Seek advice promptly.
IT support can review account activity, sign-in logs and connected systems to trace it. This is why keeping the affected device intact, rather than wiping it, matters.
Usually yes, if you have a recent, tested backup you can restore from. That single control is what lets most businesses avoid paying.
Worried about how your business would cope with an incident? Take the free business health check and we will help you get ready before anything goes wrong.
Tell us where your business is at, and we will tell you where we would start.