Discovering that your business has been compromised is one of the most disorienting moments a business owner can face. The natural reactions — panic, the urge to immediately wipe everything, uncertainty about who to call — are understandable. They are also dangerous. What you do in the first hour after a breach can determine whether you contain the damage or make it significantly worse. Read this guide now, while things are calm, so you know exactly what to do if the moment comes.
Not every alarming situation is a confirmed breach. An employee clicking a suspicious link, a strange login alert, or an unusual charge on a company card are all warning signs worth taking seriously — but they do not necessarily mean you have been fully compromised. Take sixty seconds to assess: What specifically happened? Which system or account is affected? Who was involved and when?
The goal is not to slow down the response. It is to make sure your response is targeted. Shutting down your entire operation when a single email account may have been phished is an overreaction that causes unnecessary disruption. Act proportionately to what you actually know, and gather more information as you go.
If you have identified a specific device or system that is compromised, disconnect it from the network immediately. Unplug the network cable, or disable Wi-Fi on the device. Do not turn it off — powering down a machine can destroy volatile memory that may contain evidence needed to understand what happened.
Isolation prevents the attacker from continuing to operate through the compromised system and stops malware from spreading laterally to other machines on your network. If you are dealing with ransomware that is actively encrypting files, disconnecting from the network stops the encryption from spreading — even if the original machine is already lost.
Deleting evidence is the mistake that causes the most long-term damage. When people discover a breach, the instinct is often to delete suspicious emails, wipe compromised machines, or remove malware immediately. Resist that instinct.
Evidence — logs, emails, files, browser history — is what allows investigators, law enforcement, and your legal team to understand exactly what happened, what was accessed, and who was responsible. Deleting evidence before it is documented can also create legal liability, particularly if your business is subject to breach notification laws. Preserve everything until a professional has reviewed it.
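As an added example that is not part of the original post: a shell script for the isolation and evidence-preservation steps above, which records volatile state (logged-in users, running processes, live network connections) to an evidence directory, checksums the files, and then takes every non-loopback interface down rather than powering the machine off. It assumes a Linux host and a root shell; the names EVIDENCE_DIR, DRY_RUN, capture_volatile and isolate_host are chosen here, and ss and ip (from iproute2) are used only if installed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes a Linux host run as
# root; EVIDENCE_DIR, DRY_RUN and the function names are chosen here.
set -u

EVIDENCE_DIR="${EVIDENCE_DIR:-/root/incident-$(date -u +%Y%m%dT%H%M%SZ)}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the isolation commands instead of running them

# Run a command if it is installed, saving its output under the evidence directory.
record() {                # usage: record <outfile> <cmd> [args...]
  out="$1"; shift
  if command -v "$1" >/dev/null 2>&1; then
    "$@" > "$EVIDENCE_DIR/$out" 2>&1 || true
  else
    echo "tool not available: $1" > "$EVIDENCE_DIR/$out"
  fi
}

# Save what a power-off would destroy: who is logged in, what is running,
# and which network connections are open right now. Prints the directory used.
capture_volatile() {
  mkdir -p "$EVIDENCE_DIR"
  { echo "collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"; echo "host=$(uname -n)"; } \
    > "$EVIDENCE_DIR/00_header.txt"
  record 01_uptime.txt     uptime
  record 02_users.txt      who
  record 03_processes.txt  ps -eo pid,ppid,user,lstart,args
  record 04_sockets.txt    ss -tunap
  record 05_interfaces.txt ip addr
  # Checksums let a reviewer later show the collected files were not altered.
  (cd "$EVIDENCE_DIR" && sha256sum ./*.txt > SHA256SUMS)
  echo "$EVIDENCE_DIR"
}

# Take every interface except loopback down; the machine stays powered on.
isolate_host() {
  for path in /sys/class/net/*; do
    [ -e "$path" ] || continue
    ifc="${path##*/}"
    [ "$ifc" = "lo" ] && continue
    if [ "$DRY_RUN" = "1" ]; then
      echo "ip link set dev $ifc down"
    else
      ip link set dev "$ifc" down
    fi
  done
}

# Invoke as: ./isolate.sh --run   (set DRY_RUN=1 first to preview the commands)
case "${1:-}" in --run) capture_volatile && isolate_host ;; esac
```

Collect first and isolate second: once the interfaces are down, remote connections and the processes behind them may vanish from the live view.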
Once you have isolated the affected system, change passwords for any accounts that may have been exposed — but do this from a device you are confident is not compromised. If the breach involved a compromised machine or email account, changing passwords from that same machine may simply hand the attacker the new credentials.
Prioritize in this order: email accounts, banking and financial platforms, any accounts that use the same password as the compromised one, cloud storage, and any account with access to client data. Enable or re-confirm two-factor authentication on each one as you go.
As events unfold, write everything down. When did you first notice something was wrong? What did you see? Who was notified and when? What actions were taken and in what order? This documentation serves multiple purposes: it helps you reconstruct the timeline, insurers require it for any claim, it supports legal proceedings if they become necessary, and most states require it for breach notification filings.
Use a separate device — your phone, a personal computer — to take notes so that your documentation itself is not on a potentially compromised system.
The call to your IT or security provider should happen as early as possible — ideally within the first fifteen minutes if you already have one. A security professional can help you accurately assess what happened, guide your response in real time, preserve evidence correctly, and begin the process of understanding the full scope of the incident.
If you do not have a security provider, this is the moment to find one. Many firms offer emergency incident response services. The cost is significant — but it is a fraction of what an uncontrolled breach costs in the end.
Most states have breach notification laws that require you to notify affected individuals within a specified timeframe — often 30 to 72 hours after discovery. In some industries, regulatory bodies must also be notified. Knowing your obligations before a breach happens means you will not miss a legal deadline in the chaos of responding to one.
Depending on what was accessed, you may have legal obligations to notify clients, employees, business partners, or regulators. Do not attempt to determine these obligations on your own in the middle of an incident — contact an attorney who handles data breach matters.
Also notify your bank if financial accounts may have been compromised. Banks have fraud departments that can place holds on wire transfers, flag suspicious activity, and in some cases claw back fraudulent payments if notified quickly enough.
The businesses that respond best to breaches are the ones that prepared before it happened. That means having emergency contact numbers for your IT provider and an attorney in your phone. It means knowing where your cyber insurance policy is and what it covers. It means having a basic incident response plan — even a one-page document — so that when the moment comes, you are not making decisions from scratch under pressure.
We help clients prepare incident response plans before they are needed — and we are available to our clients around the clock when something goes wrong. The time to prepare is now.