
Your Small Business Just Got Hacked — What to Do Right Now

60% of small businesses that suffer a cyber attack close within six months — usually because they didn't respond fast enough. Here's your step-by-step plan for the first 24 hours.

March 2, 2026
CyberTimes Team
A cyber attack on a small business is terrifying. Whether it's ransomware locking all your files, a data breach exposing customer information, or an account takeover draining funds — the first 24 hours are critical. Most small businesses don't have an IT department or incident response team. This guide is written for business owners who need to act immediately without technical expertise. The steps below are ordered by priority. Do them in sequence — don't skip ahead.

First 30 Minutes: Contain the Damage

Your first goal is to stop the attack from spreading.

1. Disconnect affected devices from the internet and your network — unplug ethernet cables, turn off Wi-Fi. Don't turn the devices off (you may need them for forensic evidence later) — just disconnect them from the network.
2. Don't pay any ransom yet — ransomware attackers are not honest. Paying doesn't guarantee recovery and marks you as a target who pays.
3. Preserve evidence — take photos of error messages, ransom notes, and anything unusual on screens. Do not delete anything.
4. Identify the scope — which devices are affected? Is this one computer or your entire network? Talk to every employee to map the spread.
5. Change passwords on all business accounts from an unaffected device — especially email, banking, and any cloud services. Do this from your phone if necessary.

First Few Hours: Assess and Notify

Once you've contained the spread:

  • Call your bank: If any financial accounts may have been accessed, call your bank immediately. They can freeze accounts and reverse unauthorized transactions faster if notified quickly.
  • Contact your cyber insurance provider: If you have cyber insurance, call them now. They typically provide incident response services as part of your coverage — free professional help you've already paid for.
  • Determine if customer data was exposed: This is critical for legal reasons. Was any customer personal information (names, emails, payment details, health information) potentially accessed?
  • Document everything: Start a timeline of events — when did you notice the attack, what was affected, what actions you've taken. You'll need this for insurance claims, regulatory reporting, and forensic investigation.

Legal Obligations: Who You Must Notify

This is the section most small business owners don't know about — and it's where they get into serious trouble. Data breach notification laws exist in almost every US state and country. If customer personal data was exposed, you likely have a legal obligation to notify:

1. Affected customers — typically required within 30-72 hours depending on jurisdiction
2. State Attorney General — required in most US states
3. Federal regulators — if you handle health data (HIPAA), financial data, or serve EU customers (GDPR)

GDPR fines alone can reach 4% of annual revenue. US state fines vary widely. If you're unsure about your obligations, contact a lawyer who specializes in data privacy before notifying anyone — you want to make sure your notification is legally compliant.

Do not ignore this step. Attempting to hide a breach is almost always worse than the breach itself.

Recovery: Getting Back to Normal

For ransomware:

1. Check if free decryption tools exist at nomoreransom.org before paying anything
2. Restore from clean backups if you have them — this is why backups are non-negotiable
3. If no backups exist, consult a professional ransomware recovery firm before deciding to pay

For account takeovers:

1. Regain access using account recovery options
2. Audit all financial transactions for the compromise period
3. Change credentials on all connected systems

For data breaches:

1. Identify exactly what data was accessed and by whom
2. Patch the vulnerability that was exploited before reconnecting systems
3. Consider bringing in a cybersecurity firm for forensic investigation and remediation

Reconnecting systems: Only bring devices back online after they've been wiped and restored from clean backups or had malware professionally removed.

After the Incident: Preventing the Next One

Most businesses that get hacked get hacked again within a year if they don't change their practices. The three most impactful things for small businesses:

1. Backups — maintain the 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 stored offsite or in the cloud. Test your backups monthly.
2. MFA on everything — especially email, banking, and remote access. This single change blocks the majority of account takeover attempts.
3. Employee training — 90% of attacks start with a phishing email clicked by an employee. Monthly security awareness training is inexpensive and highly effective.
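One way to carry out the monthly backup test from item 1 above, as an added example that is not part of the original article: it checks an inventory of copies against the 3-2-1 rule and compares a test restore with the live files by SHA-256. The inventory, device names, media labels and dates are constructed for illustration.

```python
import hashlib
from datetime import date, timedelta
from pathlib import Path

# Constructed inventory (assumption): the live data counts as one of the 3 copies.
SAMPLE_COPIES = [
    {"name": "office-pc", "media": "internal-disk", "offsite": False, "backup": False, "last_restore_test": None},
    {"name": "usb-drive", "media": "external-disk", "offsite": False, "backup": True, "last_restore_test": date(2026, 2, 20)},
    {"name": "nas", "media": "external-disk", "offsite": False, "backup": True, "last_restore_test": date(2025, 11, 3)},
]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_321(copies, today, max_test_age_days=31):
    """Return the list of 3-2-1 rule violations for an inventory of copies."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c["media"] for c in copies}) < 2:
        problems.append("all copies are on one media type, need 2")
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite or cloud copy")
    cutoff = today - timedelta(days=max_test_age_days)
    for c in copies:
        tested = c["last_restore_test"]
        if c["backup"] and (tested is None or tested < cutoff):
            problems.append(f"{c['name']}: no restore test in the last month")
    return problems


def verify_restore(source_dir: Path, restored_dir: Path):
    """Compare a test restore with the live data; return (missing, mismatched)."""
    missing, mismatched = [], []
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        restored = restored_dir / rel
        if not restored.is_file():
            missing.append(rel.as_posix())
        elif sha256_of(restored) != sha256_of(src):
            mismatched.append(rel.as_posix())
    return missing, mismatched
```

Restore a backup into an empty scratch folder, then call `verify_restore(live_folder, scratch_folder)`. Files edited since the backup was taken will show up as mismatched, so run the test right after a backup completes.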

Key Takeaways

  • Disconnect affected devices from the network immediately — don't turn them off
  • Call your bank and cyber insurance provider within the first hour
  • Check your legal obligations — most jurisdictions require breach notification within 72 hours
  • Never pay ransomware without first checking nomoreransom.org for free decryption tools
  • Businesses without backups have almost no recovery options after ransomware

Frequently Asked Questions

Yes — report cybercrime to your local police and the FBI's IC3 (ic3.gov). They likely can't recover your data but the report creates a paper trail needed for insurance claims and establishes the incident officially.

Professional cybersecurity firms typically charge $200-500/hour for incident response, and investigations can take days. Cyber insurance typically covers these costs — which is the strongest argument for having it.

If their personal data was potentially accessed, almost certainly yes — and within a legally mandated timeframe. Consult a lawyer to confirm your specific obligations.

Sometimes. Check nomoreransom.org — law enforcement agencies have obtained decryption keys for many ransomware strains and made them free. If you have clean backups, you can restore without paying. Without either option, recovery is extremely difficult.

What's Next?

Once you've recovered, read our Small Business Security Checklist to implement the preventive measures that would have stopped this attack. Especially focus on backups and MFA — these two controls alone prevent the majority of small business attacks.
