Incident Response · 20 March 2025 · 8 min read

What to Do When Your Business Gets Hacked: A Step-by-Step Guide

A cyber incident is stressful — but your response in the first hours matters most. Here's exactly what to do when your Australian business is attacked.


A cyber attack on your business is one of the most disorienting things you can experience as a business owner. Systems go down, emails stop working, files are encrypted, or you suddenly cannot access your own accounts. Your first instinct might be to panic — or to start trying to fix things immediately.

But your response in the first few hours of a cyber incident can make the difference between a manageable disruption and a catastrophic, unrecoverable loss. Acting quickly is important, but acting in the right order is what matters most.

This guide gives you a clear, step-by-step framework for responding to a cyber incident — whether it is a ransomware attack, a data breach, an account compromise, or any other significant security event.

Before Anything Else: Stay Calm and Do Not Make It Worse

The most common mistakes in the first moments of a cyber incident come from acting too quickly without thinking:

  • Attempting to "clean" an infected system without proper tools, which can destroy forensic evidence and spread the infection further
  • Paying a ransom immediately without exhausting other options or taking professional advice
  • Turning systems off in ways that destroy evidence before it can be captured
  • Continuing to use potentially compromised systems, giving attackers more access
  • Posting about the incident on social media before you have a clear picture of what happened

Take a breath. Follow the steps below in order.

Step 1: Identify and Contain

Your first priority is to stop the attack from spreading further. You cannot fix everything immediately, but you can limit the damage.

Identify what is affected

Quickly assess the scope of the incident. Which systems, devices, or accounts are involved? Is this limited to one computer, or has it spread across your network? Is your email compromised? Are customer data systems affected?

Disconnect affected systems from the network

If you suspect an active attack — particularly ransomware — disconnect affected devices from the network immediately. Unplug the ethernet cable or disable the WiFi connection on each affected machine. Do not turn the machines off — this can destroy valuable forensic evidence and may interrupt a running decryption process that could help with later analysis.

Preserve other systems

Identify which systems appear unaffected and ensure they are isolated or protected. Change passwords on critical accounts immediately from a known-clean device.

Revoke compromised credentials

If you know or suspect specific accounts have been compromised, reset those passwords immediately from an unaffected device. Enable MFA if it was not already in place.

Step 2: Call Your IT Support

Unless you have significant in-house IT expertise, your next call should be to your IT provider or Managed Service Provider (MSP). This is not the time to try to resolve things yourself — professional assistance can dramatically reduce recovery time and prevent further damage.

If you do not have an IT provider and need emergency assistance, the ACSC maintains a list of certified incident response providers. In Australia, look for providers that are part of the ASD Cyber Incident Response (CIR) Partner program.

If you have cyber insurance, contact your insurer at the same time. Many cyber insurance policies include access to incident response services as part of the coverage — using them may be faster than finding a provider independently, and it preserves your ability to make a claim.

Step 3: Report the Incident

Reporting is important both for your own protection and for helping authorities track and respond to cyber crime in Australia.

ReportCyber.gov.au

Report the incident to the ACSC via ReportCyber.gov.au. This is the Australian Government's national reporting mechanism for cyber incidents. Reporting is free and confidential. It generates a report reference number that can be useful for insurance claims, law enforcement, and regulatory purposes. The ACSC may also be able to provide advice specific to the type of attack you have experienced.

Australian Federal Police or State Police

If the incident involves financial theft or extortion, contact the AFP's cybercrime division or your state police. Obtain a formal police report number — this is often required for insurance claims.

Your bank

If any financial accounts are involved or if money has been transferred fraudulently, contact your bank immediately. Banks have procedures for flagging and potentially reversing fraudulent transactions, but speed is critical.

Scamwatch

If the incident began with a scam or fraud (such as a Business Email Compromise), also report to Scamwatch.gov.au — run by the ACCC.

Step 4: Assess the Data Impact and Legal Obligations

Once containment is underway and you have engaged professional assistance, you need to assess whether personal data has been compromised.

Under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, if your business is subject to the Privacy Act (generally, businesses with an annual turnover over $3 million, plus certain other categories), you must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in serious harm.

Following the Cyber Security Act 2024, reporting obligations for significant cyber incidents are expanding — seek legal advice early if you are unsure of your obligations. The key questions to assess are:

  • What personal information was potentially accessed or exposed?
  • Whose information was it — customers, employees, contractors?
  • Could the exposure result in serious harm to those individuals?
  • What is the scope of the breach — how many records?

You have 30 days to assess whether a breach is notifiable once you suspect one has occurred, and notification must happen as soon as practicable after you confirm it. Document your assessment process carefully.

Step 5: Preserve Evidence

Before beginning recovery and restoration, ensure that evidence of the incident is preserved. This supports any law enforcement investigation, insurance claim, or regulatory inquiry.

  • Do not delete any emails, logs, or files related to the incident
  • Take screenshots of ransom notes or suspicious activity before taking any action
  • Ask your IT provider to capture system logs, network traffic logs, and any forensic images before restoring from backup
  • Document a timeline of events: when was the incident first noticed, what actions were taken and when
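As an added illustration of the evidence step (this is not code from the original article or from Flagged), the Python helper below records a SHA-256 hash, size and last-modified time for each captured file in a manifest and keeps a simple timeline of who noticed what and when; the sample files, the collector's name and the timestamps are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large logs or disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, collected_by):
    """Record name, size, last-modified time and SHA-256 of each evidence file so the
    recipient (insurer, police, regulator) can confirm it is byte-for-byte what was captured."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({"file": os.path.basename(p), "size_bytes": st.st_size,
                        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                        "sha256": hash_file(p)})
    return {"collected_by": collected_by,
            "collected_utc": datetime.now(timezone.utc).isoformat(), "files": entries}

def timeline_entry(when_utc, observed_by, event):
    """One timeline line: when it was noticed, by whom, and what happened or was done."""
    return f"{when_utc} | {observed_by} | {event}"

def demo_collect():
    """Write two constructed sample evidence files to a temp directory, then build the
    manifest and a short timeline. Real use: point build_manifest at the captured files."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    samples = {"ransom_note.txt": b"abc",            # constructed placeholder content
               "auth_log_excerpt.txt": b""}          # constructed: empty file, hashing edge case
    paths = []
    for name, content in samples.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)
    manifest = build_manifest(paths, collected_by="Office manager (placeholder name)")
    timeline = [timeline_entry("2025-03-20T08:05:00+00:00", "Reception", "Ransom note seen on front-desk PC"),
                timeline_entry("2025-03-20T08:09:00+00:00", "Reception", "Ethernet unplugged; PC left powered on")]
    with open(os.path.join(workdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)   # the manifest itself becomes part of the evidence
    return manifest, timeline
```

Calling demo_collect() writes the sample files and manifest.json to a temporary directory and returns the manifest and timeline; run it on a known-clean machine, never on the affected one.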

Step 6: Recover and Restore

With containment done, professional support engaged, and reporting underway, you can begin recovery. The sequence matters:

  1. Clean or rebuild affected systems — do not restore data to a machine that may still be compromised. Either rebuild from scratch or have your IT provider confirm the system is clean first.
  2. Restore from a known-clean backup — use your most recent backup that predates the attack. If you are unsure how far back the attack goes, your IT provider can help determine a safe restore point.
  3. Verify the restored data — confirm that restored files are intact and usable before resuming normal operations.
  4. Reconnect to the network carefully — do not reconnect systems until you are confident they are clean and secured.
  5. Reset all credentials — change all passwords across all systems, not just the ones directly affected. Enable MFA everywhere.

Step 7: Communicate

Depending on the severity and nature of the incident, you may need to communicate with:

  • Staff — what has happened, what is being done, what they should and should not do
  • Customers — particularly if their data was involved (you may be legally required to notify them)
  • Suppliers and partners — if they may be affected by the breach or are likely to receive contact from attackers impersonating you
  • Media — only if the incident is significant enough to attract media attention, and only after consulting with a communications professional

Be honest but measured in your communications. Do not speculate about what happened before you have confirmed the facts. Focus on what you are doing to address the situation and protect those affected.

Step 8: Learn and Improve

Once the immediate crisis is resolved, conduct a post-incident review. What happened? How did the attackers get in? What controls failed? What would have made recovery faster or easier? Use the answers to strengthen your defences — update your disaster recovery plan, close the vulnerability that was exploited, and improve your monitoring.

Key Takeaways

  • In the first moments of an attack, contain and isolate — disconnect affected systems from the network without turning them off
  • Call your IT provider and cyber insurer immediately — professional assistance dramatically improves outcomes
  • Report to ReportCyber.gov.au, your bank, and the AFP if financial crime is involved
  • Assess your data breach obligations under the Privacy Act 1988 and the Notifiable Data Breaches scheme — notify the OAIC if required
  • Preserve evidence before beginning recovery — logs and forensic data support insurance claims and law enforcement
  • Restore only to clean, verified systems from a known-clean backup point
  • Reset all credentials and enable MFA across all systems as part of recovery
  • After recovery, conduct a post-incident review and update your disaster recovery plan

The best time to prepare for a cyber incident is before it happens. Flagged is a free cyber risk assessment built for Australian small businesses — it helps you identify your vulnerabilities and get a clear action plan before something goes wrong. Visit flagged.com.au to run your free assessment today.
