Discovering that your business has been hacked is one of the most stressful experiences a business owner can face. The instinct is to act immediately — and that instinct, if misdirected, can make things significantly worse.
The good news: businesses that respond quickly and correctly recover faster, with less data loss, lower costs, and fewer regulatory complications. This guide gives you the exact steps to follow.
First: What NOT to Do
Before the step-by-step, here are the most common mistakes businesses make in the first hours — and why they're so damaging:
Don't turn off affected computers
Powering off wipes the evidence that only exists in memory, such as running processes and active network connections, which investigators need to understand what happened and how far the attacker got. Leave them on but disconnect them from the network.
Don't pay the ransom immediately
Payment doesn't guarantee you'll get your data back. It funds criminal operations and marks you as a payer — increasing the likelihood of being targeted again. Explore recovery options first.
Don't tell everyone at once
Limit initial communication to those who need to know. If the attacker still has access, broadcasting the situation can cause them to escalate or cover their tracks.
Don't try to clean up yourself
Well-meaning attempts to remove malware or restore systems without proper forensics often make things worse and destroy evidence. Get expert help first.
Don't use potentially compromised accounts to communicate
If email accounts may be compromised, communicate via phone or a separate, unaffected channel.
The Step-by-Step Response Playbook
Before doing anything, confirm you're actually dealing with a security incident. Common signs: ransomware messages on screen, files suddenly renamed or inaccessible, accounts locked, unusual login alerts, or colleagues reporting the same issues simultaneously.
- Identify which systems, accounts, or files appear to be affected
- Note exactly what you're seeing — take photos of screens if needed
- Identify whether the incident is still actively unfolding
The most important early action is containment. Disconnect affected devices from your network to prevent the attack from spreading — but do not turn them off.
- Unplug the network cable or disconnect from Wi-Fi on affected devices
- Do NOT shut down or restart affected computers
- Disconnect any network-attached storage or shared drives that may be affected
- If you use cloud services, consider temporarily suspending sync on unaffected devices
This is not the time to figure it out yourself. Call your managed security provider, IT support, or incident response specialist immediately. If you're a Kapagate Digital client, call our emergency line now.
- Call your security provider's emergency line
- Describe exactly what you're seeing and which systems are affected
- Follow their instructions — they've handled this before
- If you don't have a security provider, call a specialist incident response firm
Work with your security team to understand how far the attacker has gotten. This is critical for knowing what data may be exposed, which systems need to be recovered, and what you'll need to disclose.
- Identify all affected systems, accounts, and data
- Determine the likely entry point (phishing email, compromised account, etc.)
- Check whether backups are intact and accessible
- Preserve log files and other evidence before they're overwritten
Depending on the nature of the incident, you may have legal and regulatory obligations to notify certain parties. Get legal advice early — don't delay notifications you're required to make.
- Notify your cyber insurance provider immediately (check your policy for timeframes)
- Consult a lawyer about regulatory notification requirements
- Notify affected clients or staff if their data may be compromised
- Contact your bank if financial systems or accounts may be affected
Only begin restoring systems once your security team has confirmed the attacker has been fully removed and the entry point has been closed. Restoring into an environment that's still compromised just reinfects your systems.
- Confirm the attacker has been evicted and the entry point closed
- Restore from clean backups — verify they predate the compromise
- Reset all passwords across all systems, starting with admin accounts
- Re-enable MFA on all accounts before bringing systems back online
- Monitor closely for signs of re-infection in the days following
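As an added example for the "preserve log files and other evidence before they're overwritten" step (this is not Kapagate Digital's code or part of the original playbook): a small Python script that copies log files into an evidence folder with their original timestamps intact and writes a SHA-256 manifest, so investigators can later show the copies match what was on the machine. The directory, file names and the sample log line are constructed for the example; a "hash-mismatch" status means the file changed while it was being copied (a log still being written), so that source should be copied again.

```python
import hashlib
import json
import platform
import shutil
import tempfile
import time
from pathlib import Path

def sha256_of(path):
    """Stream the file so a multi-gigabyte log does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(sources, evidence_dir, collector="unknown"):
    """Copy each source into evidence_dir (copy2 keeps the original mtime), hash the
    original and the copy, and write a JSON manifest. Returns the manifest dict.
    A hash mismatch means the file changed while being read (e.g. a live log)."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        if not src.is_file():
            entries.append({"source": str(src), "status": "missing"})
            continue
        # Flatten the full path into the copy's name so two files called auth.log
        # from different directories cannot overwrite each other.
        flat = src.resolve().as_posix().strip("/").replace("/", "_").replace(":", "")
        dest = evidence_dir / flat
        before = sha256_of(src)
        shutil.copy2(src, dest)
        after = sha256_of(dest)
        entries.append({"source": str(src), "copy": str(dest), "sha256": after,
                        "status": "ok" if before == after else "hash-mismatch"})
    manifest = {"host": platform.node(), "collector": collector,
                "collected_at": time.strftime("%Y-%m-%dT%H:%M:%S%z"), "files": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def make_sample():
    """Constructed sample input (not a real log): one fake auth log in a temp dir."""
    work = Path(tempfile.mkdtemp())
    (work / "auth.log").write_text("Jan 01 03:14:07 host sshd[123]: Accepted password for admin\n")
    return work

if __name__ == "__main__":
    work = make_sample()
    print(json.dumps(preserve_logs([work / "auth.log", work / "missing.log"], work / "evidence"), indent=2))
```

Point it at the real log locations your security provider asks for, and hand them the evidence folder together with manifest.json rather than the loose files.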
After the Incident: Don't Go Back to Normal Too Quickly
Once immediate recovery is complete, there's a temptation to put the incident behind you and return to business as usual. Resist this. The period after an incident is critical for understanding how it happened, fixing the underlying weaknesses, and implementing controls to prevent recurrence.
Conduct a post-incident review with your security team. Document what happened, what worked in your response, and what gaps need to be addressed. Use the incident as a catalyst for improving your overall security posture.
The Best Time to Prepare Is Before It Happens
Having an incident response plan in place before an incident occurs makes an enormous difference. Businesses that have practised their response — even in tabletop exercises — consistently respond faster and more effectively than those who are figuring it out in real time.
If you don't have an incident response plan, or aren't sure your current security posture would withstand an attack, now is the time to find out.
Experiencing an Incident Right Now?
Call our emergency line immediately. If you're not yet a client and need help, reach out — we'll do our best to assist.