Article Summary: If your business is hit by a cyberattack, the first hour matters. Disconnect the affected devices from the network instead of powering them off, call your IT provider by phone, and leave the evidence in place. If money was wired to a scammer, call your bank right away. This post is the step-by-step plan, plus where to report an attack in the US, UK, and Australia.
If a cyberattack hits your business, what you do in the first hour really matters.
It’s also the easiest time to make a costly mistake, like turning off the wrong machine, deleting evidence, or replying from an email account the attacker is already reading.
The steps below tell you what to do, in order, so you’re not guessing in the moment.
Doing these steps doesn’t require technical knowledge.
Before anything else: don’t make it worse
Before you touch anything, avoid these:
- Don’t turn the affected computer off, if you can avoid it. Disconnecting it from the network is better, because powering it down can wipe evidence that helps work out what happened.
- Don’t delete anything. Leave the ransom note, the suspicious email, and any alerts exactly where they are. They’re what your IT team and investigators will need.
- Don’t pay a ransom on the spot.
- Don’t use the hacked email or accounts to talk about the attack. If an attacker is in your inbox, they can read those messages. Switch to phone calls or a different account.
The step by step
Work through these in order, starting the moment you notice something’s wrong.
- Disconnect the affected devices from the network. Unplug the network cable and turn off Wi-Fi on anything that looks affected. This stops the problem spreading to other computers and to your backups. CISA’s guidance is to isolate devices rather than power them off where you can, and to shut a device down only if you can’t get it off the network any other way.
- Call your IT provider straight away, by phone. Don’t email, in case the attacker is watching your inbox. If you have cyber insurance, call them next, because many policies require you to involve their incident team early.
- Leave the evidence alone. Don’t wipe, reinstall, or tidy up the affected machines yet. Screenshots of the ransom note or suspicious emails are useful, but keep the originals too.
- If money was sent, call your bank immediately. Ask them to recall the transfer and freeze it if they can. With wire and bank fraud, acting in the first few hours makes the biggest difference.
- Reset passwords from a clean device, and turn on multi-factor authentication. Start with email and any admin accounts, and use a device you know isn’t affected.
- Report it. That can help you recover, and it’s sometimes legally required. Where to report depends on your country.
Where to report it
You’ve reaWhere you report depends on where you are:
- United States: file with the FBI’s Internet Crime Complaint Center (IC3), and report to CISA.
- United Kingdom: report through the NCSC, and to Action Fraud.
- Australia: report through ReportCyber, or call the 24/7 hotline on 1300 CYBER1.
If money was wired to a scammer, report it fast.
The FBI says reporting wire fraud to IC3 within 72 hours gives its Recovery Asset Team the best chance of clawing it back, and that team recovers funds in about 70% of the cases reported in time.
If personal data about your customers or staff was exposed, you may be legally required to notify a regulator and the people affected, sometimes within 72 hours.
The rules depend on where you operate, like GDPR in the UK and Europe, state breach-notification laws in the US, and the Notifiable Data Breaches scheme in Australia.
Ask your lawyer or IT provider early so you don’t miss a deadline.
Should you pay the ransom?
If it’s ransomware, the big question is whether to pay.
The FBI does not recommend it. Paying doesn’t guarantee you get your files back, it marks you as a business that pays, and the money funds more attacks.
It’s ultimately your decision, but it’s one to make with law enforcement, your IT or incident-response team, and your insurer, not alone in the first panicked hour.
Sometimes a free decryption tool already exists for the exact ransomware that hit you, which is one more reason to get the experts involved before you pay anyone.
The best time to prepare is before it happens
All of this is far easier if you’ve decided some of it in advance. You don’t need a thick binder, just a simple plan that covers:
- Who to call first (your IT provider, your insurer) and their numbers, kept somewhere you can reach without your main systems.
- Where your backups are, and proof they’ve been tested by restoring from them.
- Which accounts and devices matter most, so you know what to protect first.
A single page covering those is enough for most small businesses, and it’ll save you a lot of scrambling if the day ever comes.
Frequently Asked Questions
What’s the first thing to do in a cyberattack?
Disconnect the affected devices from the network, by unplugging the network cable and turning off Wi-Fi, then call your IT provider by phone. Getting the device off the network stops the problem spreading while you get help.
Should I turn off the computer if I get ransomware?
If you can, disconnect it from the network instead of powering it off. Shutting it down can wipe evidence stored in memory that helps work out what happened. Only power a device off if you can’t get it off the network any other way.
Should I pay the ransom?
The FBI does not recommend it. Paying doesn’t guarantee you get your data back, and it funds more attacks. Make that decision with law enforcement, your IT or incident-response team, and your insurer, and check whether a free decryption tool already exists first.
We wired money to a scammer. What do we do?
Call your bank immediately and ask them to recall the transfer. If you’re in the US, report it to the FBI’s IC3 within 72 hours, because reported quickly, their Recovery Asset Team recovers the money in about 70% of cases. In other countries, contact your bank and your national reporting service straight away.
Who do I report a cyberattack to?
In the US, the FBI’s IC3 and CISA. In the UK, the NCSC and Action Fraud. In Australia, ReportCyber. Also tell your cyber insurer, and check whether you have a legal duty to notify a regulator if personal data was exposed.
—
