What to Do If Your Business Has Been Hacked

Step-by-step guide for the first 24 hours after a cyber incident. Who to call, what to do first, and what not to do.

If you are in the middle of an active incident

Disconnect affected devices from the internet immediately. Do not turn them off: leaving them running preserves evidence. Call the NCSC cyber incident helpline: 0300 303 5222. Then work through the steps below.

Step 1: Don't panic — and don't make it worse

The first instinct when something goes wrong is often to start clicking, deleting, or trying to fix things. This is usually a mistake. Rushed actions can destroy evidence, spread the problem further, or make recovery harder.

Stop what you're doing. Take a breath. Work through these steps in order.

Step 2: Contain the damage

Your immediate priority is stopping the attack from spreading.

Disconnect affected devices from the internet

Unplug the network cable or turn off Wi-Fi on any device you think is compromised. Do not turn the device off — leave it running but disconnected.

Do not pay any ransom immediately

If this is a ransomware attack, do not pay immediately. Contact the NCSC and your insurer first — there may be options to recover without paying.

Change passwords from an unaffected device

From a clean device (not the one that was compromised), change passwords for email, cloud services, and banking. Start with the most sensitive accounts.

Revoke active sessions

In Microsoft 365 or Google Workspace, you can sign out all active sessions. This kicks out any attacker who may have an active login.
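
For whoever administers a Microsoft 365 tenant, one way to sign out every enabled account at once and keep a record of it for Step 5. This is an added example, not part of the original guide; it assumes the Microsoft Graph PowerShell module is installed and an administrator account is used, and the CSV file name is a hypothetical choice.

```powershell
# Added example. Run from a clean device, not one you suspect is compromised.
# Assumes the Microsoft.Graph PowerShell module and an administrator account.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Hypothetical file name; the CSV becomes part of the written incident record.
$logPath = ".\session-revocation-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# Only enabled accounts can hold live sessions, so skip disabled ones.
$users = Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id,UserPrincipalName

$results = foreach ($user in $users) {
    $status = 'Revoked'
    try {
        # Invalidates the user's refresh tokens and browser session cookies.
        Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
    }
    catch {
        # Record the failure instead of stopping, so one error does not
        # leave the remaining accounts signed in.
        $status = "Failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
        User    = $user.UserPrincipalName
        Result  = $status
    }
}

# Save the per-account record, then show a summary of outcomes.
$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Group-Object Result | Select-Object Name, Count
```

Every user, including the administrator running the script, has to sign in again afterwards. Access tokens that were already issued can keep working until they expire, which is why the password changes above still matter.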

Step 3: Call the right people

NCSC Cyber Incident Helpline — 0300 303 5222

Free, confidential advice from the National Cyber Security Centre. Available 24/7 for significant incidents.

Action Fraud — 0300 123 2040

Report the incident to Action Fraud, the UK's national fraud and cybercrime reporting centre. Get a crime reference number — you'll need it for insurance.

Your cyber insurer

If you have cyber insurance, call your insurer immediately. Most policies have a 24-hour incident helpline and will assign a specialist to help you respond. Do not delay this call.

Your IT company or IT support

If you have an IT company, call them now. They can help you assess the damage, contain the incident, and begin recovery.

Your bank

If there's any possibility financial systems have been compromised, call your bank immediately to flag the account and prevent fraudulent transactions.

Step 4: Your legal obligations

If personal data has been accessed, stolen, or lost as a result of the incident, you may have a legal obligation to report it to the Information Commissioner's Office (ICO).

72-hour rule

Under UK GDPR, if a breach is likely to result in a risk to individuals, you must report it to the ICO within 72 hours of becoming aware of it. The clock starts when you first become aware — not when you confirm the full extent.

Not every breach needs to be reported — only those that are likely to result in a risk to individuals' rights and freedoms. If you're unsure, the ICO's website has a self-assessment tool, or call their helpline on 0303 123 1113.

You may also need to notify affected individuals directly if the breach is likely to result in a high risk to them.

Step 5: Document everything

From the moment you become aware of the incident, keep a written record of everything:

  • When you first noticed something was wrong
  • What you observed — error messages, unusual activity, locked files
  • Every action you took and when
  • Every person you spoke to and what was agreed
  • Screenshots of anything unusual (from a clean device)

Step 6: Recovery

Once the immediate incident is contained, work with your IT company to:

  • Identify exactly what happened and how the attacker got in
  • Restore systems from clean backups where possible
  • Close the vulnerability that was exploited
  • Verify that no backdoors or persistent access remain
  • Review and improve security controls to prevent recurrence

Do not reconnect affected systems until you are confident the threat has been fully removed.

After the incident: prevent recurrence

Once the immediate crisis is over, the most important question is: how did this happen, and what can we do to prevent it happening again?

A structured assessment against the Cyber Essentials framework is the most useful thing you can do at this point — it identifies the gaps in your security that made you vulnerable and gives you a clear action plan for addressing them. Our 10-minute assessment covers all five control areas and produces a professional report you can use to evidence your remediation work.
