What to Do If Your Business Is Hacked: A Step-by-Step Guide
Short answer: stay calm, contain the incident, preserve the evidence, get expert help, and meet your reporting obligations. Acting in the right order in the first hours is the difference between a contained incident and a disaster.
Here is the practical sequence for an Australian business.
In the first hour
- Do not panic, and do not wipe anything. Reformatting or deleting destroys the evidence you need to understand what happened.
- Isolate, do not power off. Disconnect affected systems from the network (unplug the cable, turn off Wi-Fi) to stop the spread, but avoid shutting them down, which can lose volatile evidence.
- Preserve evidence. Keep logs, note times, and do not let well-meaning staff "tidy up".
- Reset credentials. Change passwords for affected and privileged accounts, and turn on MFA if it is not already on, ideally from a known clean device.
- Get help. Engage your incident response support, IT provider, or a DFIR specialist early. Speed matters.
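The "preserve evidence" step above is usually the one that goes wrong first, because someone copies or cleans a file before anyone has recorded what it looked like. The script below is an added example, not code from the original article: it copies candidate evidence files into a collection folder, records a SHA-256 hash, size, UTC collection time and collector for each in a manifest, and can later re-verify the copies against that manifest so a "tidy up" is caught rather than missed. The two sample log files, their contents and the collector name are constructed for the demonstration.

```python
"""Evidence preservation: hash and manifest files before anyone touches them.

Added example (not from the original article). The sample log files are
constructed inline so the script runs offline.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large logs are not loaded into RAM


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(sources, dest_dir, collector):
    """Copy each source into dest_dir, write manifest.json, return the entries."""
    os.makedirs(dest_dir, exist_ok=True)
    entries = []
    for src in sources:
        original_hash = sha256_file(src)      # hash the original first
        copy_path = os.path.join(dest_dir, os.path.basename(src))
        shutil.copy2(src, copy_path)          # copy2 keeps timestamp metadata
        if sha256_file(copy_path) != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        entries.append({
            "source": src,
            "copy": copy_path,
            "sha256": original_hash,
            "size": os.path.getsize(src),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
        })
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(entries, f, indent=2)
    return entries


def verify_manifest(manifest_path):
    """Return (copy_path, ok) pairs; ok is False when a preserved copy changed."""
    with open(manifest_path) as f:
        entries = json.load(f)
    return [(e["copy"], sha256_file(e["copy"]) == e["sha256"]) for e in entries]


def demo():
    """Create constructed logs, collect them, tamper with one copy, re-verify."""
    work = tempfile.mkdtemp()
    logs = {  # constructed sample content
        "auth.log": "2024-05-01T02:14:07Z sshd: Accepted password for admin from 203.0.113.45\n",
        "mail.log": "2024-05-01T02:20:11Z mailbox rule created: forward to external address\n",
    }
    sources = []
    for name, text in logs.items():
        path = os.path.join(work, name)
        with open(path, "w") as f:
            f.write(text)
        sources.append(path)
    dest = os.path.join(work, "evidence")
    entries = collect_evidence(sources, dest, collector="first responder (constructed)")
    manifest = os.path.join(dest, "manifest.json")
    before = dict(verify_manifest(manifest))
    # Simulate a well-meaning "tidy up" of one preserved copy.
    with open(entries[0]["copy"], "a") as f:
        f.write("cleaned\n")
    after = dict(verify_manifest(manifest))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("all copies verify before tamper:", all(before.values()))
    print("all copies verify after tamper:", all(after.values()))
```

Hash the original before copying and the copy afterwards; the manifest is what lets a forensic specialist trust the copies later, so keep it with the evidence and, ideally, a second copy somewhere the affected systems cannot reach.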
Assess the scope
Work out what was actually affected:
- Which systems, accounts, and data are involved?
- Is the attacker still active in the environment?
- Was personal information, financial data, or credentials exposed?
- Is this ransomware, business email compromise, a stolen password, or something else?
You cannot contain or report what you have not scoped.
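Scoping means turning the questions above into a list of accounts, systems and source addresses, plus a view on whether the activity is recent. The following is an added example, not part of the original article: it reads a handful of constructed authentication events in a deliberately simple "timestamp user host source-ip outcome" layout (a stand-in, not any real product's log format), treats one constructed office address range as trusted, and reports everything touched from elsewhere. The trusted prefix and one-hour "still active" window are assumptions to adjust for your own environment.

```python
"""Incident scoping from authentication events.

Added example (not from the original article). Log lines, hosts, addresses
and the trusted office range are all constructed for the demonstration.
"""
from datetime import datetime, timedelta

# Constructed sample: staff normally log in from the office range 198.51.100.0/24.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice fs01 198.51.100.20 success
2024-05-01T08:05:43Z bob mail01 198.51.100.31 success
2024-05-01T02:14:07Z admin fs01 203.0.113.45 success
2024-05-01T02:15:30Z admin dc01 203.0.113.45 success
2024-05-01T02:16:02Z admin dc01 203.0.113.45 failure
2024-05-01T02:40:18Z bob mail01 203.0.113.45 success
2024-05-01T09:10:00Z carol hr01 198.51.100.44 success
"""

TRUSTED_PREFIX = "198.51.100."  # assumed office range; replace with your own


def parse_time(ts):
    """Parse an ISO-8601 UTC timestamp ending in Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_log(text):
    """Turn the constructed 'time user host src outcome' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, user, host, src, outcome = line.split()
        events.append({"time": parse_time(ts), "user": user, "host": host,
                       "src": src, "outcome": outcome})
    return events


def scope_incident(events, trusted_prefix, now, active_window=timedelta(hours=1)):
    """Summarise accounts, systems and sources seen from untrusted addresses.

    'hosts' lists only systems where an untrusted login succeeded; failures
    still count toward accounts and sources because they show what was tried.
    'possibly_active' is True when the latest untrusted event is inside the window.
    """
    suspicious = [e for e in events if not e["src"].startswith(trusted_prefix)]
    if not suspicious:
        return {"accounts": [], "hosts": [], "sources": [],
                "first_seen": None, "last_seen": None, "possibly_active": False}
    last = max(e["time"] for e in suspicious)
    return {
        "accounts": sorted({e["user"] for e in suspicious}),
        "hosts": sorted({e["host"] for e in suspicious if e["outcome"] == "success"}),
        "sources": sorted({e["src"] for e in suspicious}),
        "first_seen": min(e["time"] for e in suspicious),
        "last_seen": last,
        "possibly_active": (now - last) <= active_window,
    }


def run_scope(now_iso="2024-05-01T03:00:00Z"):
    """Scope the constructed sample as of the given moment."""
    return scope_incident(parse_log(SAMPLE_LOG), TRUSTED_PREFIX, parse_time(now_iso))


if __name__ == "__main__":
    result = run_scope()
    print("accounts to reset:", result["accounts"])
    print("systems to isolate:", result["hosts"])
    print("source addresses:", result["sources"])
    print("window:", result["first_seen"], "to", result["last_seen"])
    print("possibly still active:", result["possibly_active"])
```

The output is the working list for the next two steps: accounts to reset and sessions to revoke, systems to isolate and rebuild, and an indication of whether the attacker may still be inside. Note that "bob" appears even though his first login was from the office; a legitimate account used from an unexpected address is exactly what a stolen password looks like.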
Contain and remove the threat
- Block the attacker's access: disable compromised accounts, revoke sessions and tokens, and close the entry point.
- Remove malware or any persistence the attacker left behind.
- Confirm they are actually out before reconnecting systems. Reconnecting too early invites them straight back in.
Recover
- Restore from clean, tested backups. This is exactly why backups matter.
- Rebuild rather than trust compromised systems where needed.
- Watch closely for any sign the attacker returns.
Meet your reporting obligations (Australia)
- ReportCyber: report the incident to the ACSC at cyber.gov.au. It is quick and recommended for any business.
- Notifiable Data Breaches (NDB) scheme: if an eligible data breach involves personal information and is likely to cause serious harm, you must notify the affected individuals and the OAIC. Assess this early, because timing matters.
- Cyber insurer: notify them promptly. Many policies require it, and they often provide response support.
- Others: depending on the situation, this may include your bank, affected customers or partners, and in some cases the police.
When in doubt about obligations, get advice quickly. Getting notification right protects you legally and reputationally.
Learn and prevent the next one
Once you are stable, run a review:
- How did they get in, and what would have stopped it?
- Close those gaps. Missing MFA, unpatched systems, untested backups, and loose access control are the usual culprits.
- Write or update your incident response plan so next time is calmer and faster.
The businesses that recover well treat an incident as a lesson, not just a fire to put out.
Common mistakes to avoid
- Wiping or rebuilding before anyone understands what happened.
- Paying a ransom on impulse. Get expert and legal advice first; payment is risky and sometimes regulated.
- Going quiet and hoping it blows over, which can breach your obligations.
- Reconnecting systems before the attacker is confirmed out.
Frequently asked questions
Should we pay the ransom? Treat it as a last resort, and never without expert and legal advice. Payment does not guarantee recovery and can carry legal risk.
Do we have to tell anyone? Possibly. If personal information was exposed and serious harm is likely, the NDB scheme requires notification. Reporting to ReportCyber is always recommended.
How fast do we need to act? Immediately. The first hours shape the outcome.
Hit by an incident, or want to be ready before one?
Cyber Legion provides incident response and digital forensics for Australian businesses, plus IR planning so you are ready before it happens. If you are dealing with an incident right now, get in touch.
