Has your business been hacked? Follow our comprehensive incident response guide to contain the breach and recover your data safely.
Discovering that your business has been compromised is one of the most stressful technology events a business owner faces. The decisions made in the first hours significantly affect how severe the ultimate impact is.
This guide gives you a clear, actionable response sequence for the most common incident types. It is designed to be used under pressure — with concrete steps, not principles.
The Most Important First Step: Do Not Panic and Do Not Touch Anything
The instinct when discovering a cyber incident is to immediately start trying to fix it — unplug things, delete suspicious files, reset passwords everywhere. This impulse, while understandable, can destroy forensic evidence and make the incident worse.
The first step is: stop, assess the situation, and call for help before taking significant action.
Call your IT provider’s emergency line. If you do not have a managed IT provider, call a cyber incident response specialist (the ACSC Hotline is 1300 CYBER1 — 1300 292 371).
Scenario 1: Ransomware Attack
Signs: Files have strange extensions, you cannot open documents, a ransom note appears on screen.
Immediate Steps (First 30 Minutes)
- Isolate affected devices immediately. Disconnect compromised computers from the network: unplug the ethernet cable or disable Wi-Fi. Ransomware propagates across network shares and mapped drives; isolation limits spread. Do not reconnect an isolated device "just to check something".
- Do not shut down the device. Ransomware may have encrypted files but the encryption keys, and the running malware itself, may still be in memory. A forensic specialist may be able to extract them. Do not power off unless the device is actively encrypting and you cannot disconnect it from the network.
- Identify the blast radius. Which devices are affected? Which are not? What network shares were accessible from the affected devices? What cloud services were the affected user accounts signed in to? On the file server, the account that owns the encrypted files and the client sessions still open on the shares usually point to the source machine.
- Preserve the ransom note. Photograph the screen and keep a copy of the note file. Note the ransomware variant name and the file extension if visible; this determines whether free decryption tools exist (check nomoreransom.org).
- Do not pay the ransom yet. This is a decision requiring careful consideration with legal advice, your cyber insurer (if applicable), and an incident response specialist. Paying does not guarantee file recovery, can breach Australian sanctions law if the group is a sanctioned entity, and under the Cyber Security Act 2024 businesses above the turnover threshold must report any payment to the Australian Signals Directorate within 72 hours.
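The blast-radius step above is easiest to do from the file server rather than from the infected workstation. The following PowerShell is an added example and is not part of the original guide or CX IT Services' own tooling; the file extension, share root, evidence folder and the hostname in the final comment are assumptions to be replaced with the values from your own ransom note and environment. It records which clients hold SMB sessions and open files on the server, then inventories the encrypted files by share, owner and time window, so you can see where the encryption came from and how far it reached before you close anything down.

```powershell
# Added example (not from the original guide): run this on the FILE SERVER, not on the
# infected workstation, to scope a ransomware outbreak. The extension, share root and
# evidence folder below are assumptions; substitute the values from your ransom note.
# Requires the SmbShare module (Windows Server 2012 R2 and later), run as Administrator.

$Extension = '.locked'           # extension seen in the ransom note (assumed)
$ShareRoot = 'D:\Shares'         # local path backing the affected shares (assumed)
$Evidence  = 'C:\IR\ransomware'  # where findings are written (assumed)
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Who is connected right now? A host encrypting a share holds an SMB session with many
#    open files. Record the sessions BEFORE you cut the client off.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Tee-Object -FilePath "$Evidence\smb-sessions.txt" |
    Format-Table -AutoSize

Get-SmbOpenFile |
    Select-Object ClientComputerName, ClientUserName, Path |
    Export-Csv "$Evidence\smb-open-files.csv" -NoTypeInformation

# 2. Which files were encrypted, and under which account? Most families write a new
#    encrypted file and delete the original, so the NTFS owner of the encrypted file is
#    usually the compromised account. Owner is NOT reliable when a file is encrypted in
#    place, so treat it as a lead, not proof.
$encrypted = @(Get-ChildItem -Path $ShareRoot -Recurse -File -Filter "*$Extension" -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
            LastWriteTime = $_.LastWriteTime
        }
    })
$encrypted | Export-Csv "$Evidence\encrypted-files.csv" -NoTypeInformation

# Blast radius summary: encrypted files per top-level share folder and per owning account.
$encrypted |
    Group-Object { $_.Path.Substring($ShareRoot.Length).TrimStart('\').Split('\')[0] } |
    Select-Object @{n = 'Share'; e = { $_.Name }}, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

$encrypted | Group-Object Owner | Select-Object Name, Count | Format-Table -AutoSize

# Time window: useful for log correlation and for choosing which backup is clean.
if ($encrypted.Count -gt 0) {
    $sorted = $encrypted | Sort-Object LastWriteTime
    "Encryption window: $($sorted[0].LastWriteTime) to $($sorted[-1].LastWriteTime) ($($encrypted.Count) files)" |
        Tee-Object -FilePath "$Evidence\summary.txt"
}

# 3. Cut off the suspected source on the server side as well as at the cable or switch.
#    Example with an assumed hostname:
#    Close-SmbSession -ClientComputerName 'WS-RECEPTION' -Force
```

Keep the CSV and text files with the rest of the incident evidence; the encryption window and the owning account are the two facts an incident responder will ask for first.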
Recovery Phase
- Restore from clean, isolated backups to clean, reimaged systems. Do not restore to systems that may still be compromised, and check that the backup you restore from predates the encryption window.
- Identify the initial compromise vector (phishing email, exposed RDP, unpatched vulnerability, a stolen credential) and close it before bringing systems back online.
- Complete a credential reset for all accounts on affected systems, including privileged and service accounts. If the attacker reached a domain controller, reset the Active Directory krbtgt account twice as well, so that forged Kerberos tickets stop working.
- Notify your cyber insurer before engaging external IR specialists; most cyber insurance policies require this.
Scenario 2: Account Compromise (Email or Microsoft 365)
Signs: Colleagues receive unusual emails from your account, you receive unexpected MFA prompts, inbox rules you did not create appear, sent items you did not send.
Immediate Steps
- Revoke active sessions. In the Microsoft Entra admin centre: Users → select the user → "Revoke sessions" (the Microsoft 365 admin centre offers the same action as "Sign out of all sessions" on the user's Account tab). This invalidates the account's refresh tokens so the attacker cannot renew their sign-in. Two caveats: access tokens already issued keep working until they expire (typically up to an hour), and an attacker who still knows the password simply signs in again, so do this together with the password reset below, not instead of it.
- Reset the account password to something long and unique, and do not reuse it anywhere.
- Review and remove inbox rules. Go to Outlook settings → Rules. Delete any rules you did not create, particularly rules that forward email to external addresses, delete incoming mail, or move email to obscure folders such as RSS Feeds or Conversation History. Record the rules before deleting them; they show what the attacker was trying to intercept.
- Check for delegate access and forwarding. Outlook settings → Mail → Forwarding (should be off). Outlook Web → Share and delegate access (remove anything unexpected). Forwarding and delegates can also be set at the mailbox level by an administrator, which the Outlook settings pages do not show, so have your IT provider check the mailbox itself.
- Review sent items. What emails did the attacker send? To whom? This determines whether clients or suppliers have received fraudulent messages you need to countermand. Attackers routinely delete their sent messages, so check Deleted Items as well, and ask your IT provider for a message trace, which records outbound mail even after it has been deleted from the mailbox.
- Notify affected parties. If the compromised account was used to send fraudulent payment instructions, contact affected parties immediately by phone, using a number you already hold rather than one from the suspicious email.
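The six steps above are the ones an administrator carries out from the Microsoft 365 side. The following PowerShell is an added example, not code from the original guide or from CX IT Services; it uses the Microsoft Graph and Exchange Online PowerShell modules, and the user principal name, evidence folder and permission scopes are assumptions you would adjust for your tenant. It captures evidence first (recent sign-ins, existing rules, forwarding and delegates), then locks the attacker out in the order that actually works: password reset, then session revocation, then a review of the registered MFA methods.

```powershell
# Added example (not from the original guide): admin-side triage of one compromised
# Microsoft 365 account using the Microsoft Graph and Exchange Online PowerShell modules.
# The UPN, evidence folder and scope list are assumptions. Run as a Global or Security
# Administrator, and record everything BEFORE you change it.
#   Install-Module Microsoft.Graph, ExchangeOnlineManagement     (once, as admin)

$Upn      = 'jane.smith@example.com.au'   # compromised account (assumed)
$Evidence = 'C:\IR\m365'                  # findings go here (assumed)
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Evidence first: recent sign-ins give the attacker's IP, country and client app.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 100 |
    Select-Object CreatedDateTime, IPAddress,
        @{n = 'Country'; e = { $_.Location.CountryOrRegion }}, AppDisplayName, ClientAppUsed,
        @{n = 'Result'; e = { $_.Status.ErrorCode }} |
    Export-Csv "$Evidence\signins.csv" -NoTypeInformation

# 2. Lock the attacker out: new password FIRST, then revoke sessions. Revoking alone lets
#    the attacker sign straight back in with the password they already hold. Access tokens
#    already issued stay valid until they expire (up to an hour), so this is not instant.
$newPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. MFA methods: attackers register their own authenticator app or phone so that MFA keeps
#    working for them. Review the list with the user and remove anything they do not
#    recognise (e.g. Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod for a rogue app).
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] }},
        @{n = 'Detail'; e = { $_.AdditionalProperties['displayName'] + $_.AdditionalProperties['phoneNumber'] }} |
    Tee-Object -FilePath "$Evidence\auth-methods.txt" | Format-Table -AutoSize

# 4. Inbox rules: export them all, then disable the ones that forward, redirect, delete or
#    bury mail. Attackers use these to hide replies to the fraudulent emails they sent.
$rules = Get-InboxRule -Mailbox $Upn
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, Description |
    Export-Csv "$Evidence\inbox-rules.csv" -NoTypeInformation
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder } |
    ForEach-Object { Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false; "Disabled rule: $($_.Name)" }

# 5. Mailbox-level forwarding and delegates, which the Outlook settings pages do not show.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward, GrantSendOnBehalfTo |
    Tee-Object -FilePath "$Evidence\forwarding.txt" | Format-List
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Get-MailboxPermission -Identity $Upn | Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights | Tee-Object -FilePath "$Evidence\full-access.txt" | Format-Table -AutoSize
Get-RecipientPermission -Identity $Upn | Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights | Tee-Object -FilePath "$Evidence\send-as.txt" | Format-Table -AutoSize

# 6. What did the attacker send? A message trace covers the last 10 days and, unlike Sent
#    Items, cannot be emptied by the attacker. (Tenants where Get-MessageTrace has been
#    retired use Get-MessageTraceV2 with the same sender and date parameters.)
Get-MessageTrace -SenderAddress $Upn -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
    Select-Object Received, RecipientAddress, Subject, Status |
    Export-Csv "$Evidence\sent-last-10-days.csv" -NoTypeInformation
```

The sent-mail export is the list you work from when phoning clients and suppliers: every external recipient of a message with a payment, invoice or "updated bank details" subject needs a call.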
Enable MFA Immediately
If MFA was not enabled before the compromise, enable it now, before restoring the account to normal use. A compromised account with MFA enabled is significantly harder to re-compromise. If MFA was already enabled, check the account's registered sign-in methods (Entra admin centre → Users → select the user → Authentication methods) and remove any authenticator app, phone number or email the user does not recognise; attackers register their own method so that MFA continues to work for them after the password is changed.
Scenario 3: Data Breach (Unauthorised Access to Personal Information)
Signs: Unusual access to systems containing personal data, notification from a third party that your data is being sold, discovery of unauthorised data exfiltration in logs.
Immediate Steps
- Contain the access point. Identify how unauthorised access occurred and close it: revoke credentials, patch the vulnerability, restrict access.
- Preserve logs. Do not restart systems or clear logs until logs have been captured and preserved for investigation.
- Identify what data was accessed. What personal information was in the affected systems? Whose? How many individuals? This determines notification obligations.
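"Preserve logs" is the step most often skipped in the rush to get systems back. The following PowerShell is an added example, not code from the original guide or from CX IT Services; the evidence path and the list of logs are assumptions, and the Sysmon log only exists on hosts where Sysmon is installed. It exports a Windows host's event logs in their native format, captures the volatile state that a reboot destroys, and writes a SHA-256 manifest so the copies can later be shown to be unaltered.

```powershell
# Added example (not from the original guide): preserve a Windows host's event logs before
# anyone reboots it or "tidies up", and record a SHA-256 of each export so the copies can
# be shown to be unaltered later. Paths and the log list are assumptions; run as Administrator.

$Evidence = 'E:\IR\' + $env:COMPUTERNAME + '_' + (Get-Date -Format 'yyyyMMdd_HHmmss')  # removable drive (assumed)
$Logs = 'Security', 'System', 'Application',
        'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
        'Microsoft-Windows-Sysmon/Operational'   # only present where Sysmon is installed
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# Export each log as a native .evtx (wevtutil epl = export log). The .evtx keeps the events'
# original timestamps and metadata, which a text or CSV dump does not.
foreach ($log in $Logs) {
    $file = Join-Path $Evidence (($log -replace '[\\/]', '_') + '.evtx')
    & wevtutil.exe epl $log $file 2>$null
    if (-not (Test-Path $file)) { Write-Warning "Log not present or not exported: $log" }
}

# Volatile state that a reboot destroys: logged-on users, network connections, processes.
quser 2>$null | Out-File "$Evidence\sessions.txt"
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv "$Evidence\tcp-connections.csv" -NoTypeInformation
Get-Process |
    Select-Object Id, ProcessName, Path |
    Export-Csv "$Evidence\processes.csv" -NoTypeInformation

# Integrity manifest: hash everything collected, then hash the manifest itself and write
# that single value into the incident log by hand.
$manifest = Join-Path $Evidence 'SHA256SUMS.txt'
Get-ChildItem -Path $Evidence -File | Where-Object { $_.Name -ne 'SHA256SUMS.txt' } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "$($_.Hash)  $(Split-Path $_.Path -Leaf)" } |
    Set-Content -Path $manifest
"Manifest hash: $((Get-FileHash -Path $manifest -Algorithm SHA256).Hash)"

# Later, to prove the copies are unchanged, recompute and compare each line of the manifest:
#   Get-Content $manifest | ForEach-Object {
#       $hash, $name = $_ -split '\s+'
#       [pscustomobject]@{ File = $name; Intact = ((Get-FileHash "$Evidence\$name").Hash -eq $hash) }
#   }
```

Write to a drive that is not the compromised system disk, note the manifest hash somewhere the attacker cannot reach (a paper incident log is fine), and hand the whole folder to whoever investigates.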
Legal Obligations Under the Privacy Act
Australia’s Notifiable Data Breaches (NDB) scheme requires notification to the OAIC and affected individuals when a data breach:
- Involves unauthorised access to, unauthorised disclosure of, or loss of personal information
- Is likely to result in serious harm to any of the affected individuals
- Has not been prevented from causing that harm by remedial action you have already taken
If you suspect an eligible data breach, you have 30 days from becoming aware of it to complete a reasonable and expeditious assessment. If the assessment concludes that serious harm is likely, you must prepare a statement for the OAIC and notify the affected individuals as soon as practicable. The 30 days is an assessment limit, not a notification deadline; do not wait it out.
Engage your legal advisers on notification obligations before communicating externally — the wording and timing of notifications has legal implications.
Notification Obligations Summary
| Scenario | Who to notify | When |
|---|---|---|
| Ransomware with data exfiltration | OAIC, affected individuals, cyber insurer, ACSC (ReportCyber) and police (optional) | Assess within 30 days; notify as soon as practicable once the NDB threshold is met |
| Account compromise with data access | OAIC (if personal information was accessed), affected parties, cyber insurer | Assess within 30 days; notify as soon as practicable once the NDB threshold is met |
| BEC/financial fraud | Bank (immediately), police, ACSC | Immediately; banks have fraud recovery procedures that work only if notified quickly, ideally within hours of the transfer |
Engaging Your Cyber Insurer
If you have cyber insurance, notify your insurer at the earliest opportunity — before engaging external IR specialists if possible. Most cyber policies:
- Require prompt notification as a condition of coverage
- Have an approved panel of IR specialists they prefer (or require you to use)
- Cover reasonable IR costs, legal costs, and notification costs
An insurer who is not notified promptly may dispute coverage. Call them early.
Building a Pre-Incident Response Plan
The best time to read this guide is before you need it. Document your response procedures, your key contacts, and your recovery sequence while systems are running and pressure is low.
CX IT Services helps Melbourne businesses develop incident response plans and provides emergency IR support for managed clients. Book a Right Fit Call to discuss incident preparedness.