It happens faster than most business owners expect. One morning, systems are slow. Then they’re unavailable. Then someone finds a ransom note on their screen, or worse — a client calls to say their data has been leaked online.
A cyberattack in progress is one of the most disorienting crises a business can face. The pressure is immediate, the decisions are consequential, and most people have no rehearsed plan to fall back on. This guide changes that.
Step 1: Don’t panic — but act immediately
The first instinct is often to start investigating: opening files, checking logs, calling IT support. Resist the urge to troubleshoot before you contain.
The priority in the first minutes is isolation. If you suspect a system has been compromised:
- Disconnect it from the network (unplug the ethernet cable or disable Wi-Fi)
- Do not shut it down — forensic evidence lives in RAM and may be needed later
- Do not wipe or reformat anything
- Alert your IT team or security contact immediately
Containment prevents the attack from spreading to other systems. Every minute an infected machine stays connected, the blast radius grows.
Step 2: Activate your incident response team
If you have an incident response plan (and you should), now is the time to open it. Call your designated security contact, whether that’s internal IT, an external consultant, or a managed security provider.
If you don’t have a plan or contact list, start building one now — before you need it. The worst time to search for a cybersecurity expert is during an active incident.
Key people to have on your contact list:
- Your IT administrator or managed service provider
- A cybersecurity incident response consultant
- Your legal counsel (for regulatory and liability questions)
- Your insurance provider (if you have cyber insurance)
Step 3: Assess the scope
Once containment is underway, begin understanding what happened:
- Which systems are affected?
- What type of attack is this? (ransomware, data exfiltration, account compromise, etc.)
- What data may have been accessed or stolen?
- When did the attack start? (This determines your notification obligations)
Document everything as you go. Timestamps, screenshots, log entries — this documentation matters for insurance claims, regulatory notifications, and any future legal action.
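One way to keep that documentation usable as evidence is an append-only timeline in which every entry carries a UTC timestamp and is hash-chained to the one before it, so any later alteration is detectable. The script below is an added example written for this article, not a Fortress IT tool; the actors, event text and timestamps are constructed, and it also derives the 72-hour notification deadline of Step 4 from the first recorded entry, on the assumption that the first entry marks the moment you became aware of the breach.

```python
"""Tamper-evident incident timeline (constructed example).

Each record is JSON with a UTC timestamp, the person who observed the event,
the event itself, and a SHA-256 hash that covers the previous record's hash,
so editing or deleting an earlier entry breaks every hash after it.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64                      # "previous hash" of the very first record
NOTIFICATION_WINDOW = timedelta(hours=72)  # GDPR Art. 33 clock, counted from awareness


def _digest(prev_hash: str, entry: Dict[str, str]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always hashes the same
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(log: List[dict], actor: str, event: str,
                 ts: Optional[datetime] = None) -> dict:
    """Record who saw what and when (UTC), chained to the previous record."""
    ts = ts or datetime.now(timezone.utc)
    entry = {"ts": ts.isoformat(), "actor": actor, "event": event}
    prev = log[-1]["hash"] if log else GENESIS
    record = {**entry, "prev": prev, "hash": _digest(prev, entry)}
    log.append(record)
    return record


def verify_chain(log: List[dict]) -> bool:
    """True only if every record still matches its own hash and links to its predecessor."""
    prev = GENESIS
    for rec in log:
        entry = {k: rec[k] for k in ("ts", "actor", "event")}
        if rec["prev"] != prev or rec["hash"] != _digest(prev, entry):
            return False
        prev = rec["hash"]
    return True


def notification_deadline(log: List[dict]) -> Optional[datetime]:
    """Deadline = timestamp of the first record (awareness) + 72h.

    Assumption: the first record is written when the breach is first noticed,
    not when the investigation finishes."""
    if not log:
        return None
    first_seen = datetime.fromisoformat(log[0]["ts"])
    return first_seen + NOTIFICATION_WINDOW


def to_jsonl(log: List[dict]) -> str:
    """One JSON object per line, the form you would append to a file and hand to counsel."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in log)


def build_sample_timeline() -> List[dict]:
    """Constructed events with fixed timestamps so the output is reproducible."""
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    log: List[dict] = []
    append_event(log, "helpdesk", "User reports ransom note on file server FS01", ts=t0)
    append_event(log, "it-admin", "FS01 network cable unplugged; machine left powered on",
                 ts=t0 + timedelta(minutes=7))
    append_event(log, "it-admin", "Incident response consultant engaged",
                 ts=t0 + timedelta(minutes=25))
    return log


if __name__ == "__main__":
    timeline = build_sample_timeline()
    print(to_jsonl(timeline))
    print("chain intact:", verify_chain(timeline))
    print("notify supervisory authority by:", notification_deadline(timeline))
```

Write the records to a file that only appends (or to a separate system the affected machines cannot reach), and keep a copy of the latest hash somewhere independent; re-running the verification later shows whether the timeline handed to insurers or regulators is the one that was written during the incident.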
Step 4: Notify the right people
Incident response is not just a technical problem — it’s a legal and communication one.
Regulatory notification
If personal data has been compromised, GDPR requires notification to your supervisory authority within 72 hours. Other jurisdictions have similar requirements. The clock starts when you become aware of the breach, not when the investigation is complete.
Client and partner notification
If client data has been exposed, those clients may need to be informed. This is uncomfortable, but proactive, transparent communication preserves more trust than a delayed or discovered disclosure.
Internal communication
Employees need to know what happened, what they should and should not do, and to whom they should direct inquiries. Control the narrative internally before it leaks externally.
Step 5: Recover with evidence, not urgency
The pressure to restore operations quickly is enormous. Resist rebuilding from compromised systems. Before restoring from backups, verify that your backups are clean and predate the attack. Many ransomware campaigns run silently for weeks before triggering — your backups may be infected too.
A security professional can help you identify the root cause, confirm the threat has been eliminated, and rebuild on a clean foundation. Rushing this step risks a second incident.
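The two checks this step describes, choosing a restore point that predates the intrusion by a safe margin and confirming the restored files match what was there before, can both be made mechanical. The following is an added example for this article, not Fortress IT's own tooling: the backup labels, snapshot times, the earliest malicious activity found, the 14-day dwell margin and the sample file trees are all constructed, and the manifest stands in for a hash list you would have captured from a known-good state before the incident.

```python
"""Restore-point selection and integrity verification (constructed example).

1. select_restore_point: newest backup taken before the earliest known intrusion,
   minus a margin for the period the attacker may have been present unnoticed.
2. verify_against_manifest: compare a candidate snapshot against SHA-256 hashes
   captured before the incident; anything modified, missing or unexpected is flagged.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc

# Constructed: restore points the team has, as (label, time the snapshot was taken)
BACKUPS: List[Tuple[str, datetime]] = [
    ("weekly-2024-02-01", datetime(2024, 2, 1, 2, 0, tzinfo=UTC)),
    ("weekly-2024-02-20", datetime(2024, 2, 20, 2, 0, tzinfo=UTC)),
    ("daily-2024-03-01", datetime(2024, 3, 1, 2, 0, tzinfo=UTC)),
    ("daily-2024-03-03", datetime(2024, 3, 3, 2, 0, tzinfo=UTC)),
]
# Constructed: earliest attacker activity the investigation has found so far
FIRST_MALICIOUS_ACTIVITY = datetime(2024, 3, 2, 23, 40, tzinfo=UTC)


def select_restore_point(backups: List[Tuple[str, datetime]],
                         first_malicious_activity: datetime,
                         dwell_margin_days: int = 14) -> Optional[str]:
    """Return the label of the newest backup taken at or before (intrusion - margin).

    The margin is an assumption for this example: the earliest activity you found
    is a lower bound on how long the attacker was present, not the true start.
    Returns None when no backup is old enough, which is itself a finding."""
    cutoff = first_malicious_activity - timedelta(days=dwell_margin_days)
    eligible = [(ts, label) for label, ts in backups if ts <= cutoff]
    if not eligible:
        return None
    return max(eligible)[1]          # newest eligible snapshot


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """path -> SHA-256 of content; in practice captured from a known-good system."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_against_manifest(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """List discrepancies between a candidate snapshot and the known-good manifest.

    An empty list means every expected file is present with its expected hash
    and nothing extra has appeared."""
    findings: List[str] = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != expected:
            findings.append(f"modified: {path}")
    for path in files:
        if path not in manifest:
            findings.append(f"unexpected: {path}")
    return sorted(findings)


# Constructed sample file trees (path -> content) standing in for backup contents
KNOWN_GOOD_FILES: Dict[str, bytes] = {
    "etc/app.conf": b"listen=127.0.0.1\n",
    "finance/payroll.db": b"payroll-v12",
}
KNOWN_GOOD_MANIFEST = build_manifest(KNOWN_GOOD_FILES)   # captured before the incident
SUSPECT_SNAPSHOT: Dict[str, bytes] = {
    "etc/app.conf": b"listen=127.0.0.1\n",
    "finance/payroll.db": b"payroll-v12-ENCRYPTED",       # contents no longer match
    "tmp/unexpected.bin": b"\x00\x01",                    # file that was never there
}


if __name__ == "__main__":
    chosen = select_restore_point(BACKUPS, FIRST_MALICIOUS_ACTIVITY)
    print("restore from:", chosen)
    print("known-good snapshot findings:", verify_against_manifest(KNOWN_GOOD_FILES, KNOWN_GOOD_MANIFEST))
    print("suspect snapshot findings:", verify_against_manifest(SUSPECT_SNAPSHOT, KNOWN_GOOD_MANIFEST))
```

With the constructed data the newest backup (3 March) is rejected because it postdates the intrusion, and the 1 March and 20 February snapshots are rejected because they fall inside the dwell margin, leaving 1 February as the restore point. If the only backups old enough to pass are too stale to be useful, that is the moment to involve a security professional rather than shorten the margin.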
After the incident: learn and strengthen
Every incident is a forcing function for improvement. Once you’re operational again:
- Conduct a post-incident review: how did the attack succeed, and what would have stopped it?
- Update your security controls, policies, and employee training based on what you learned
- Test your incident response plan with a tabletop exercise so your team is ready if it happens again
The best defense is preparation
None of the steps above require expensive technology. They require planning, documentation, and the right contacts in place before an incident occurs. A business with a tested response plan can contain a breach in hours. A business without one can spend weeks in chaos.
Fortress IT helps SMEs and growing businesses build incident response plans that work in the real world — proportionate to your size, tailored to your risks, and tested before you need them.
Contact us to discuss your business continuity and incident response needs.