A cyber incident is stressful, and it’s very serious. Whether it’s a hacked email account, ransomware, or suspicious activity on your network, you may be facing data loss, business disruption, legal obligations, and reputational damage. In these situations, the first hours matter most. If you’re asking what to do if you’ve been hacked, this checklist walks you through the critical steps. It is written for SMEs and organisations without a large internal IT team, focusing on what to do first, what not to do, and how to limit damage.
Step 1 – Evaluate the situation
Before taking any action, take stock of what’s happening. Assess which systems, accounts, or files are affected, and gather as much information as possible.
Common signs of a hack:
- You cannot log in to accounts
- Emails are being sent that you didn’t write
- Files are encrypted, missing, or suspiciously modified
- Systems are slow or behaving unpredictably
- Ransom messages or unusual alerts appear
This step ensures you make informed decisions in the next phases instead of acting blindly.
Step 2 – Get expert help
Once you have an initial understanding of the situation, contact your IT partner or cybersecurity expert (like ITAF).
Expert guidance can:
- Contain the incident and prevent further spread
- Preserve evidence for investigation or compliance
- Help you avoid missteps that could worsen the situation
Tip: Many organisations lose time and data by guessing solutions under pressure. Early expert involvement often makes the biggest difference.
Step 3 – Isolate the problem
The next priority is to stop the spread of the breach:
- Disconnect affected devices from the network (Wi-Fi & cable)
- Log out compromised accounts on all devices
- Disable suspicious user accounts
- Stop syncing services (email, cloud storage) if needed
This helps limit further damage while keeping systems available for investigation.
Step 4 – Secure accounts and change passwords
Password resets are essential, but timing is critical.
- Start with admin, email, and cloud accounts
- Use strong, unique passwords (no reuse)
- Reset from a clean, uncompromised device
- Check if Multi-Factor Authentication (MFA) settings were changed or disabled
Changing passwords too early, without expert guidance, can alert attackers or cause more issues.
Step 5 – Identify what was accessed
Understanding the scope of the incident is key:
- Review login logs and sign-in locations
- Check for email rules or forwarding set by attackers
- Look for new admin accounts
- Investigate access to sensitive data (files, customer info, financial data)
This step helps determine whether it’s a limited breach, a full network compromise, or a data leak.
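The first three checks in Step 5, as an added example (not ITAF's code): a small Python triage over constructed sign-in, mailbox-rule and account exports. The field names, the `example.org` domain, the usual-country list and the incident window are assumptions; map them to whatever your mail or identity platform actually exports.

```python
from datetime import datetime

# Constructed sample exports; every field name and value here is an assumption.
ORG_DOMAIN = "example.org"
USUAL_COUNTRIES = {"BE", "NL"}
WINDOW_START = datetime(2024, 5, 1)  # start of the period under review

SIGNINS = [
    {"user": "an@example.org", "time": "2024-05-02T08:01:00", "country": "BE", "ok": True},
    {"user": "an@example.org", "time": "2024-05-03T02:14:00", "country": "BR", "ok": True},
    {"user": "tom@example.org", "time": "2024-05-03T02:20:00", "country": "BR", "ok": False},
]
MAIL_RULES = [
    {"mailbox": "an@example.org", "name": "archive", "forward_to": "an.archive@example.org"},
    {"mailbox": "an@example.org", "name": ".", "forward_to": "collector@mail.example.net"},
]
ACCOUNTS = [
    {"name": "admin", "is_admin": True, "created": "2021-03-10T09:00:00"},
    {"name": "svc-backup2", "is_admin": True, "created": "2024-05-03T02:30:00"},
    {"name": "intern", "is_admin": False, "created": "2024-05-02T10:00:00"},
]

def triage(signins, rules, accounts, org_domain, usual_countries, window_start):
    """Return (category, subject, detail) findings for an analyst to review."""
    findings = []
    for s in signins:
        when = datetime.fromisoformat(s["time"])
        # Only successful sign-ins mean access was obtained.
        if s["ok"] and when >= window_start and s["country"] not in usual_countries:
            findings.append(("signin_location", s["user"], f'{s["country"]} at {s["time"]}'))
    for r in rules:
        target = (r.get("forward_to") or "").strip().lower()
        # Exact match on the part after the last "@": a look-alike domain that
        # merely contains the organisation's name is still treated as external.
        if target and target.rsplit("@", 1)[-1] != org_domain:
            findings.append(("external_forward", r["mailbox"], f'rule "{r["name"]}" -> {target}'))
    for a in accounts:
        if a["is_admin"] and datetime.fromisoformat(a["created"]) >= window_start:
            findings.append(("new_admin", a["name"], f'created {a["created"]}'))
    return findings

if __name__ == "__main__":
    for category, subject, detail in triage(
        SIGNINS, MAIL_RULES, ACCOUNTS, ORG_DOMAIN, USUAL_COUNTRIES, WINDOW_START
    ):
        print(f"{category:17} {subject:20} {detail}")
```

Each finding is a lead for the investigation, not a verdict: a sign-in from an unusual country may be a travelling employee, so confirm with the account owner before drawing conclusions about scope.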
Step 6 – Communicate internally
Silence can worsen the situation. Inform your team clearly:
- Not to click suspicious emails
- Not to reconnect affected devices
- To report anything unusual immediately
Clear internal communication reduces panic and prevents further damage.
Step 7 – Check legal and compliance obligations
Depending on the incident and the evaluation you receive from your IT partner, you may need to:
- Notify customers or partners
- Report a data breach (GDPR)
Correct timing and wording are critical; mistakes can create additional risk. Wait for your IT partner’s evaluation before taking any steps.
Step 8 – Recover safely
Recovery is not just “turning things back on.” A safe recovery includes:
- Verifying backups before restoring
- Cleaning or reinstalling infected systems
- Monitoring systems after recovery
- Confirming attackers no longer have access
Restoring too quickly can reinfect your environment.
Step 9 – Fix the root cause
A hack is usually a symptom, not the real problem. Address underlying weaknesses:
- Weak or reused passwords
- Missing MFA
- Unpatched systems
- Lack of monitoring or detection
- Employees not trained to recognise threats
This is where prevention starts.
How ITAF helps after (and before) an incident
As an IT partner supporting SMEs with cybersecurity, IT infrastructure, and cloud environments, ITAF regularly helps organisations respond to cyber incidents. Services include:
- Incident response & containment
- Security assessments
- Backup & recovery strategies
- Endpoint, email, and network security
- Ongoing monitoring and guidance
The goal is simple: limit damage today and prevent the next incident tomorrow.
Quick Checklist: What to Do If You’re Hacked
- ❏ Evaluate the situation – Assess which systems, accounts, or files are affected and gather key information.
- ❏ Call your IT partner – Early expert guidance prevents mistakes and limits damage.
- ❏ Isolate affected systems – Disconnect compromised devices and accounts to stop the spread.
- ❏ Secure accounts & credentials – Reset passwords from a clean device and check MFA.
- ❏ Identify what was accessed – Determine whether data, email, or systems were compromised.
- ❏ Inform employees – Give clear instructions to avoid panic and further mistakes.
- ❏ Check legal and compliance obligations – GDPR, customer notifications, and insurer requirements may apply.
- ❏ Recover from clean backups – Restore only after confirming the threat is gone.
- ❏ Address the root cause – Fix weak passwords, missing MFA, unpatched systems, and gaps in employee training.
If you’re unsure at any step, don’t guess. Getting help early can make a huge difference.











