TL;DR
- The first 60 minutes after a breach determine how bad the damage gets — contain, don't wipe
- Call your cyber insurer before you do anything else, or you risk voiding coverage
- Don't pay ransom until you've checked free decryption resources at nomoreransom.org
- Disclosure deadlines are real and fast — GDPR gives you 72 hours, the Australian Notifiable Data Breaches scheme requires prompt notification
You've just realised something is wrong. Files are encrypted. A customer called saying their data is on the dark web. Your accounting software won't open. Whatever the trigger — the next 60 minutes will define how bad this gets.
Most small businesses don't survive a major breach. Not because the attack was unsurvivable, but because they panicked, made the wrong calls, and destroyed their own recovery options. According to Hiscox's 2025 Cyber Readiness Report — based on 5,750 businesses surveyed globally — 59% of SMEs experienced a cyber-attack in the last 12 months, and a third of those faced substantial fines that directly impacted their financial health [1]. This guide is about responding correctly, so you're not among them.
What Should I Do in the First Hour After a Cyberattack?
Your instinct will be to unplug everything and wipe the machines. Resist it.
Isolate affected systems — but don't wipe them. Pull network cables. Disable Wi-Fi. Quarantine infected machines from the rest of your network. But keep them powered on if it's safe to do so. Forensic investigators need live memory to determine what happened, when it happened, and how the attacker got in. Wiping a machine feels like cleaning up — what it actually does is destroy evidence that could help you recover, prove what data was taken (critical for legal and regulatory purposes), and identify the attacker.
Identify the scope immediately. Which systems are affected? What data did those
Preserve evidence before anything else. Screenshot every ransom note, error message, and anomaly on screen. Save logs if you can access them safely. NIST SP 800-61r2 — the U.S. federal standard for incident handling — specifically requires evidence preservation as the first containment priority [4].
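The evidence you save in that first hour is only useful later if you can show it was not altered afterwards. The script below is an added example, not code from the original article or from lilMONSTER: it hashes every collected artefact (screenshots, exported logs) into a chain-of-custody manifest recording who collected it and when, and re-checks the hashes on demand. The directory layout, the collector name, the case id and the sample artefacts are constructed placeholders.

```python
"""Evidence-preservation manifest for first-hour incident triage.

Added example (not from the original article): record every collected
artefact in a SHA-256 manifest with collection time and collector, so the
IR team, insurer or counsel can later confirm nothing was changed.
Paths, names and sample artefacts below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large log exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: str, collector: str, case_id: str) -> dict:
    """Walk the evidence directory and record each artefact's hash and size."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
            })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "artefacts": entries,
    }


def write_manifest(manifest: dict, path: str) -> str:
    """Write the manifest as JSON and return the hash of the manifest file.

    Note that hash somewhere outside the evidence folder (the incident log,
    an email to counsel) so an edited manifest is as detectable as an
    edited artefact.
    """
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(path)


def verify_manifest(evidence_dir: str, manifest: dict) -> dict:
    """Re-hash every artefact; report which are intact, modified or missing."""
    result = {"ok": [], "modified": [], "missing": []}
    for entry in manifest["artefacts"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path):
            result["missing"].append(entry["path"])
        elif sha256_file(path) != entry["sha256"]:
            result["modified"].append(entry["path"])
        else:
            result["ok"].append(entry["path"])
    return result


def demo() -> tuple:
    """Create constructed artefacts, build a manifest, then alter one file."""
    case_dir = tempfile.mkdtemp(prefix="case_")
    evidence_dir = os.path.join(case_dir, "artefacts")
    os.makedirs(evidence_dir)
    # Constructed stand-ins for a ransom-note screenshot and a firewall log export.
    with open(os.path.join(evidence_dir, "ransom_note.png"), "wb") as f:
        f.write(b"\x89PNG constructed placeholder bytes")
    with open(os.path.join(evidence_dir, "firewall_export.log"), "w") as f:
        f.write("2025-01-01T02:13:00Z DENY 203.0.113.5 -> 10.0.0.7:445\n")

    manifest = build_manifest(evidence_dir, collector="on-call admin",
                              case_id="CASE-PLACEHOLDER")
    manifest_hash = write_manifest(manifest, os.path.join(case_dir, "manifest.json"))
    before = verify_manifest(evidence_dir, manifest)

    # Simulate a later, well-meant "tidy up" of the exported log.
    with open(os.path.join(evidence_dir, "firewall_export.log"), "a") as f:
        f.write("edited after collection\n")
    after = verify_manifest(evidence_dir, manifest)
    return before, after, manifest_hash


if __name__ == "__main__":
    before, after, manifest_hash = demo()
    print("manifest sha256:", manifest_hash)
    print("before edit:", before)
    print("after edit: ", after)
```

Run it once immediately after collection and keep the printed manifest hash with your incident notes; any later verification that reports a modified or missing artefact tells you exactly which piece of evidence can no longer be relied on.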
Should I Call My IT Person or a Cybersecurity Specialist After a Breach?
Call a cybersecurity incident response (IR) specialist — not your general IT support. Incident response requires a completely different skill set from day-to-day IT administration: forensic evidence collection, attacker attribution, safe recovery sequencing, legal and regulatory compliance, and coordination with law enforcement and insurers. The SANS Institute's incident response framework identifies six distinct phases — Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned — each requiring specialised knowledge that general IT administration does not cover [5].
Call your cyber insurance provider first — before your IR specialist. Many policies require you to notify the insurer before taking remediation steps. Calling your IT person or restoring from backup first can void your coverage.
Should I Pay the Ransomware Ransom?
Do not pay the ransom until you have exhausted all alternatives. According to Veeam's 2024 Ransomware Trends Report, 25% of businesses that paid the ransom still could not recover their data [3]. Paying also funds criminal enterprises and — critically — may violate U.S. OFAC sanctions if the ransomware group is on the sanctioned entities list, making payment a potential federal offence [6].
Before paying anything, check the No More Ransom Project [7] — a joint initiative by Europol, the Dutch National Police, and cybersecurity firms that provides free decryption tools for many ransomware variants. Many attacks can be resolved without paying a cent. lilMONSTER assesses recovery options from clean backups and known decryptors as the first step in every ransomware engagement.
When Should a Small Business Call Law Enforcement After a Hack?
Report to law enforcement early — ideally within the first 24 hours. In the United States, file a complaint with the FBI's Internet Crime Complaint Center (IC3) [8]. In Australia, report to the Australian Cyber Security Centre (ACSC) [9]. The ACSC's 2023–24 Annual Cyber Threat Report notes that reporting enables law enforcement to share threat intelligence, track criminal infrastructure, and in some cases provide decryption keys obtained from seized operations [10]. Reporting is also mandatory in regulated industries including healthcare, finance, and legal services.
What Are the Data Breach Disclosure Deadlines I Need to Know?
Disclosure deadlines are non-negotiable and vary by jurisdiction. Missing them compounds the damage significantly through regulatory fines:
- GDPR (EU/UK): 72 hours to notify the supervisory authority from when you become aware of the breach [11]
- Australian Privacy Act — Notifiable Data Breaches (NDB) scheme: As soon as practicable after becoming aware of a suspected eligible data breach [12]
- HIPAA (U.S. healthcare): 60 days to notify affected individuals; 60 days for media notice if >500 people affected in a state [13]
- U.S. state breach laws: Vary — California requires "expedient" notification; many states mandate 30–72 hours
Under GDPR, fines can reach €20 million or 4% of global annual turnover — whichever is higher [11]. Get legal counsel involved within the first 24 hours of breach discovery to manage these timelines.
First Week: Recovery and Post-Incident Hardening
Rebuild from known-clean backups — not the most recent backups, but the most recent clean backups. Your IR team will identify the initial infection timestamp and verify that your restoration point predates it. Reintroducing malware from a compromised backup is one of the most common recovery failures. CISA's incident response guidance recommends a phased restoration with integrity verification at each stage [14].
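Picking the restore point is where this step most often goes wrong, so here is an added example (not code from the original article or from CISA's guidance) of the selection and verification logic in Python. Snapshots are modelled as in-memory {path: bytes} dicts with a timestamp; the IR team's findings are the initial-infection timestamp plus, going one step beyond the text, the SHA-256 hashes of files already identified as attacker artefacts, so a snapshot dated before the timestamp that already carries one of them is rejected too. Restoration then proceeds in ordered phases with a hash check on every restored file. All timestamps, paths and file contents are constructed.

```python
"""Selecting the most recent *clean* backup and restoring it in phases.

Added example, not the article's or CISA's own code. Assumptions: the IR
team has supplied an initial-infection timestamp and a set of SHA-256
hashes of known attacker artefacts; snapshots are {path: bytes} dicts.
Everything below is constructed sample data.
"""
import hashlib
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def select_clean_snapshot(snapshots, infection_time, known_bad_hashes):
    """Newest snapshot taken strictly before infection_time that contains no
    known-bad file hash; None if every snapshot is suspect."""
    for snap in sorted(snapshots, key=lambda s: s["taken_at"], reverse=True):
        if snap["taken_at"] >= infection_time:
            continue  # "most recent" is not "most recent clean"
        if any(sha256_bytes(b) in known_bad_hashes for b in snap["files"].values()):
            continue  # dated before the timestamp, yet already carries an artefact
        return snap
    return None


def phased_restore(snapshot, phases, fetch):
    """Restore in ordered phases (identity systems first, then servers, ...).

    Every restored file is hashed against the snapshot's manifest; a mismatch
    stops the restore so nothing is rebuilt on top of a bad copy.
    Returns (completed_phase_names, error_message_or_None).
    """
    manifest = {p: sha256_bytes(b) for p, b in snapshot["files"].items()}
    completed = []
    for phase_name, paths in phases:
        for path in paths:
            data = fetch(snapshot, path)  # read the file back from backup media
            if sha256_bytes(data) != manifest[path]:
                return completed, f"{phase_name}: integrity check failed for {path}"
        completed.append(phase_name)
    return completed, None


def _ts(day, hour=0):
    return datetime(2025, 3, day, hour, tzinfo=timezone.utc)


def demo():
    """Run snapshot selection, then a clean and a corrupted phased restore."""
    dropper = b"constructed attacker artefact"      # stands in for a dropped binary
    known_bad = {sha256_bytes(dropper)}
    infection_time = _ts(10, 2)                       # IR team's initial-infection estimate

    base = {"dc/ntds.bak": b"directory db v1", "files/ledger.xlsx": b"ledger v1"}
    snapshots = [
        {"taken_at": _ts(12), "files": {**base, "files/ledger.xlsx": b"ENCRYPTED"}},  # post-infection
        {"taken_at": _ts(9), "files": {**base, "dc/svc_update.exe": dropper}},        # pre-timestamp, dropper present
        {"taken_at": _ts(5), "files": dict(base)},                                    # clean
        {"taken_at": _ts(1), "files": dict(base)},                                    # older clean
    ]
    chosen = select_clean_snapshot(snapshots, infection_time, known_bad)

    phases = [("identity", ["dc/ntds.bak"]), ("file-server", ["files/ledger.xlsx"])]

    def fetch_ok(snap, path):
        return snap["files"][path]

    def fetch_corrupt(snap, path):  # simulates a damaged copy of the ledger on the media
        return b"garbage" if path == "files/ledger.xlsx" else snap["files"][path]

    return (chosen,
            phased_restore(chosen, phases, fetch_ok),
            phased_restore(chosen, phases, fetch_corrupt))


if __name__ == "__main__":
    chosen, good, bad = demo()
    print("restore point:", chosen["taken_at"].date())
    print("clean restore:", good)
    print("corrupted restore:", bad)
```

The 9 March snapshot is the trap the article warns about: it predates the infection timestamp the team first estimated, but the dropper is already in it, so restoring from it would reintroduce the foothold. The 5 March snapshot is chosen instead, and the corrupted-media run shows why each phase is verified before the next begins.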
According to IBM's 2024 Cost of a Data Breach Report, organisations that contained a breach in under 200 days saved an average of $1.79 million compared to those that took longer [15]. Speed and correctness of recovery directly determine your total loss.
Once operational, immediately enforce MFA across every account, audit access permissions, and commission a vulnerability assessment to close whatever gap was exploited.
The Biggest Mistakes Businesses Make After a Cyberattack
- Wiping machines immediately — destroys forensic evidence needed for recovery, legal proceedings, and insurance claims
- Paying ransom without checking alternatives — 25% still can't recover data, and payment may violate OFAC sanctions [3][6]
- Not calling cyber insurance first — remediation steps taken before notification can void coverage
- Delayed disclosure — regulatory fines for missing notification windows routinely exceed breach remediation costs [11]
- Posting about the breach on social media — anything stated publicly can be used in legal proceedings
- Assuming IT support = incident response — completely different disciplines with different certifications and expertise [5]
FAQ
What is the first thing to do after a business cyberattack? The first action is to isolate affected systems from your network — disconnect from the internet, disable Wi-Fi, pull network cables — without wiping or powering down the machines. Live system memory contains forensic evidence critical for recovery and investigation [4]. The second action is to call your cyber insurance provider before taking any further remediation steps.
How long do small businesses have to report a data breach? Disclosure deadlines depend on jurisdiction and industry. GDPR requires supervisory authority notification within 72 hours [11]. The Australian NDB scheme requires notification as soon as practicable [12]. HIPAA gives U.S. healthcare entities 60 days for affected individuals [13]. Many U.S. states mandate 30–72 hours.
Should a small business pay ransomware demands? Payment should be a last resort. Before paying, check the No More Ransom Project [7] for free decryption tools and attempt recovery from pre-infection clean backups. According to Veeam's 2024 report, 25% of businesses that paid still could not recover their data [3].
What is the difference between IT support and incident response? IT support manages infrastructure and day-to-day operations. Incident response is a specialised discipline covering forensic evidence collection, attacker attribution, breach containment, regulatory compliance, and safe system recovery — each requiring different certifications (GCIH, GCFE, GCFA) and toolsets [5].
How much does a cyberattack cost a small business? According to IBM's 2024 Cost of a Data Breach Report, the average cost for organisations with fewer than 500 employees is USD $3.31 million [15]. Beyond direct costs, Hiscox's 2025 Cyber Readiness Report found that 30% of attack victims experienced a reduction in business performance indicators, 29% found it hard to attract new business afterward, and 33% faced substantial regulatory fines [1].
References
[1] Hiscox, "Hiscox Cyber Readiness Report 2025," Hiscox Group, Sep. 2025. [Online]. Available: https://www.hiscoxgroup.com/hiscox-cyber-readiness-report-2025
[2] Sophos, "The State of Ransomware 2024," Sophos Annual Threat Report, 2024. [Online]. Available: https://www.sophos.com/en-us/content/state-of-ransomware
[3] Veeam Software, "2024 Ransomware Trends Report," Veeam Research, 2024. [Online]. Available: https://www.veeam.com/resources/wp-2024-ransomware-trends-executive-summary-apj.html
[4] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, "Computer Security Incident Handling Guide," NIST Special Publication 800-61 Revision 2, National Institute of Standards and Technology, Aug. 2012. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
[5] SANS Institute, "Incident Handler's Handbook," SANS Reading Room, 2011. [Online]. Available: https://www.sans.org/white-papers/33901/
[6] U.S. Department of the Treasury, "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments," OFAC Advisory, Oct. 2020. [Online]. Available: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
[7] No More Ransom Project (Europol / Dutch National Police), "Free Ransomware Decryption Tools," 2024. [Online]. Available: https://www.nomoreransom.org/
[8] Federal Bureau of Investigation, "Internet Crime Complaint Center (IC3)," FBI Cyber Division, 2024. [Online]. Available: https://www.ic3.gov/
[9] Australian Signals Directorate, "Report a Cyber Incident," Australian Cyber Security Centre, 2024. [Online]. Available: https://www.cyber.gov.au/report-and-recover/report
[10] Australian Signals Directorate, "ASD's ACSC Annual Cyber Threat Report 2023–2024," Australian Cyber Security Centre, Nov. 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2023-2024
[11] European Parliament and Council, "Regulation (EU) 2016/679 — General Data Protection Regulation," Official Journal of the European Union, Apr. 2016. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
[12] Office of the Australian Information Commissioner, "Notifiable Data Breaches Scheme," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/notifiable-data-breaches
[13] U.S. Department of Health and Human Services, "Breach Notification Rule," HHS HIPAA for Professionals, 2024. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
[14] Cybersecurity and Infrastructure Security Agency, "Cybersecurity Incident Response Resources," CISA, 2024. [Online]. Available: https://www.cisa.gov/resources-tools/services/cybersecurity-incident-response
[15] IBM Security, "Cost of a Data Breach Report 2024," IBM Research, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
Businesses with a documented incident response plan recover faster, contain damage better, and protect the trust they've built with customers and partners. Book a free consultation with lilMONSTER — we help SMBs build response readiness and, when incidents happen, navigate them without compounding the damage.
What to Do When Hackers Break Into Your Business (Explained Simply)
ELI10 version — real advice, plain language, no jargon.
TL;DR
- Don't wipe or clean up — that destroys the evidence you need
- Call your cyber insurer before anyone else, or you might not get paid out
- Don't pay the ransom until you've checked for free solutions first
- Get a specialist, not just your regular IT person
Imagine your office is a house. You walk in one morning and the front door is wide open. Drawers are pulled out. Papers everywhere. Someone was definitely here overnight.
What do you do?
Most people's first instinct: clean everything up, make it look normal again, pretend it didn't happen.
That's the worst thing you can do. Here's why.
Why You Shouldn't "Clean Up" First
When police investigate a break-in, they look for fingerprints, footprints, and anything the burglar touched. If you've cleaned the whole house, those clues are gone forever.
Computer forensics works exactly the same way. When investigators look at a hacked computer, they read the "footprints" left in the system — logs, memory, traces of what the attacker did. NIST's federal incident handling standard (SP 800-61r2) specifically requires preserving this evidence before any recovery actions are taken [1]. If you wipe the computer to "fix" it, you destroy all of that.
What to do instead: Pull the network cable out (so no one can still be sneaking around inside) but leave the computer on. Don't delete anything. Don't reformat anything. Just disconnect it from everything else.
Check If Your Spare Key Was Already Copied
Your backups are like a spare copy of everything in your business. But ransomware often breaks in quietly, weeks before anything obvious happens. It sits and waits. Then it strikes.
According to Veeam's 2024 Ransomware Trends Report, 75% of ransomware attacks successfully impacted backup repositories specifically to prevent recovery [2]. That means your backup from last Tuesday might already have the bad stuff inside it. You need to find a backup from before the attackers got in.
Call Your Insurance Company Before Anyone Else
If you have cyber insurance, call them first — before your IT person, before the police, before you start fixing anything. Many insurance policies say: "If you start fixing things before calling us, we won't pay." It's like calling your home insurer before you start rebuilding after a flood.
No cyber insurance? This is exactly what not having it costs.
Should You Pay the Ransom?
Ransomware is like a bully who locks your school locker and demands your lunch money for the combination back. The problem: sometimes the bully takes your lunch money and keeps the locker locked anyway. According to Veeam's 2024 report, 1 in 4 businesses that paid still couldn't get their data back [2].
Also important: the U.S. Treasury's OFAC has warned that paying certain ransomware groups may violate federal sanctions law [3].
Before you pay anything: Go to nomoreransom.org [4]. It's a free website run by Europol and police agencies worldwide that has free "unlock codes" for many ransomware programs. You might not need to pay at all.
Your IT Person vs. a Security Specialist
Your regular IT person is skilled at keeping things running. Incident response — figuring out what happened and fixing it properly — is a specialist skill requiring different certifications, different tools, and a completely different approach [1]. Using your IT admin for incident response is like asking the building manager to also investigate the burglary.
After It's Over: Fix the Hole
The break-in happened because there was a way in. Once you're back up and running, you need to find that hole and seal it. That means:
- Turning on two-factor authentication everywhere (like needing both a key AND a PIN)
- Getting an expert to check for other weak spots
- Having a plan written down for next time — because there's always a next time
Your Action Items
- Save your cyber insurer's emergency number somewhere you can find it in a panic
- Know where your backups live and when they were last taken
- Bookmark nomoreransom.org right now [4]
- Turn on MFA (two-factor login) for your email, banking, and key systems today
- Know who to call for incident response — lilMONSTER offers a free consult
FAQ
What's the very first thing to do when I get hacked? Disconnect affected computers from your network immediately — pull the cable or turn off Wi-Fi — but do NOT turn them off or wipe them. Then call your cyber insurer before anything else. NIST SP 800-61r2 defines this isolation-without-destruction as the critical first containment step [1].
Why shouldn't I just reformat my computer after a hack? Reformatting destroys the forensic evidence investigators need to understand what happened, what data was accessed, and how the attacker got in. That evidence matters for insurance claims, legal cases, and making sure you don't get hacked the same way again [1].
Is there a free way to get ransomware removed? Often yes — check nomoreransom.org [4] for free decryption tools. This site is run by Europol and major police agencies and covers hundreds of known ransomware strains at no cost.
References
[1] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, "Computer Security Incident Handling Guide," NIST Special Publication 800-61 Revision 2, National Institute of Standards and Technology, Aug. 2012. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
[2] Veeam Software, "2024 Ransomware Trends Report," Veeam Research, 2024. [Online]. Available: https://www.veeam.com/resources/wp-2024-ransomware-trends-executive-summary-apj.html
[3] U.S. Department of the Treasury, "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments," OFAC Advisory, Oct. 2020. [Online]. Available: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
[4] No More Ransom Project (Europol / Dutch National Police), "Free Ransomware Decryption Tools," 2024. [Online]. Available: https://www.nomoreransom.org/
Worried your business isn't ready for this? Book a free consultation with lilMONSTER — we'll help you build a plan before you ever need it. Prevention costs a fraction of recovery.