First, Slow Down and Contain the Damage
If your business may have been hacked, the first response matters. Panic causes mistakes. Ignoring the problem makes it worse. The right approach is to slow down, preserve information, contain damage, and get qualified help.
A hacked business may involve malware, ransomware, stolen passwords, email compromise, fraudulent payments, remote access abuse, or a compromised vendor. The response depends on what happened.
Signs Your Business May Be Compromised
- Users cannot access files
- Files are renamed or encrypted
- Email is sending messages users did not send
- Unexpected MFA prompts appear
- Passwords stop working
- Banking or invoice changes are reported
- Antivirus or EDR alerts appear
- Unknown remote access tools are installed
- New administrator accounts appear
- Systems are unusually slow or behaving strangely
Disconnect Affected Devices When Needed
If active malware or ransomware is suspected, disconnect affected machines from the network. Do not simply keep using them. Disconnecting can help stop spread while preserving the device for review.
Do not wipe or rebuild systems before understanding what happened. Evidence may be needed for insurance, legal review, or determining the scope of compromise.
Change Passwords Carefully
Password resets may be necessary, but they should be done from a clean device. If a computer is infected with credential-stealing malware, changing passwords from that computer may simply give the attacker the new password.
Check Microsoft 365
Business email compromise is common. Review sign-in logs, forwarding rules, inbox rules, MFA status, connected apps, suspicious sent mail, and administrator activity.
If email was compromised, also review whether customers, vendors, or employees received fraudulent messages.
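Added PowerShell example, not from the original article, covering one of the checks listed above: enumerating mailbox forwarding settings and inbox rules across an Exchange Online tenant, since attacker-created rules are a common persistence mechanism after business email compromise. It assumes the ExchangeOnlineManagement module is installed and the operator holds an Exchange administrator role; sign-in logs and MFA status live in Microsoft Entra ID and are not covered here.

```powershell
# Added example (not from the original article): find forwarding settings and
# inbox rules that may have been created during business email compromise.
# Assumes the ExchangeOnlineManagement module is installed and the operator
# holds an Exchange administrator role; run it from a clean, trusted device.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$findings = [System.Collections.Generic.List[object]]::new()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName

    # Mailbox-level forwarding (set through admin tools or mailbox settings)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox = $upn
            Type    = 'MailboxForwarding'
            Name    = '(mailbox setting)'
            Detail  = "SmtpAddress=$($mbx.ForwardingSmtpAddress); Address=$($mbx.ForwardingAddress); KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        })
    }

    # Inbox rules that forward, redirect, or silently delete mail are the
    # typical pattern: hide replies to fraudulent invoices, or copy every
    # message to an external address. Review each one with the mailbox owner.
    foreach ($rule in Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue) {
        $suspect = $rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or $rule.DeleteMessage
        if (-not $suspect) { continue }
        $findings.Add([pscustomobject]@{
            Mailbox = $upn
            Type    = 'InboxRule'
            Name    = $rule.Name
            Detail  = "Enabled=$($rule.Enabled); ForwardTo=$($rule.ForwardTo); Redirect=$($rule.RedirectTo); Delete=$($rule.DeleteMessage)"
        })
    }
}

# Review on screen, and keep a CSV copy as evidence for insurance or legal review.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\m365-forwarding-review.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Preserve the CSV before removing anything, because the rule names, targets, and the mailboxes affected are part of the scope evidence the later sections rely on.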
Review Backups Before Restoring
If ransomware or destructive activity is involved, verify backups before restoring. Make sure backups are clean, recent enough, and protected from the same compromise.
Notify Insurance and Legal Contacts
If the business has cyber insurance, notify the carrier according to the policy requirements. Some policies require approved incident response providers. Legal requirements may apply if sensitive data was exposed.
Do Not Assume the First Symptom Is the Whole Problem
A locked account, a suspicious email, or one infected workstation may be only the visible part of the problem. Attackers may have created forwarding rules, added accounts, stolen data, or accessed other systems.
Build a Recovery Plan
Recovery should include containment, investigation, password resets, endpoint cleanup, account review, backup restore, security hardening, monitoring, and documentation.
Frequently Asked Questions
Should I turn off a hacked computer?
If active malware is suspected, disconnect it from the network. Whether to power it off depends on the situation and incident response needs.
Should I change passwords immediately?
Often yes, but use a clean device and prioritize critical accounts such as Microsoft 365, banking, remote access, and administrator accounts.
Should I call cyber insurance?
If you have cyber insurance and the incident may be significant, review the policy and notify the carrier as required.
Can backups fix everything?
Backups help restore data, but they do not automatically fix stolen credentials, exposed data, or attacker persistence.
Who should help with a business hack?
Use qualified IT, cybersecurity, legal, and insurance resources depending on the severity and type of incident.