PBIT
Cyber SecuritySelf-help

What to do if you think your business has been hacked

14 July 2026 · 5 min read

Maybe a client says they received a strange email from you. Maybe a login alert arrived from a country you have never visited. Maybe files will not open. Whatever raised the alarm, what you do in the first hour matters more than anything else. Here is the order of operations.

1. Do not switch everything off

The instinct is to pull plugs. Resist it, mostly. Powering machines off can destroy the evidence needed to work out what happened and what was taken, and with ransomware it can make recovery harder. The exception: if you can see files being encrypted in front of you, disconnecting the machine from the network (unplug the cable, turn off Wi-Fi) is right. Off the network, not powered off.

2. Change the passwords that matter, from a clean device

Start with email, because email resets everything else. Then banking, then Microsoft 365 or Google Workspace admin accounts. Use a device you believe is clean, ideally a phone on mobile data. If multi-factor authentication is not on, turn it on as you go.

3. Check for the attacker's backdoors

With email compromise, attackers almost always leave quiet persistence behind: mailbox rules that forward or hide messages, new sign-in methods, or authorised apps you do not recognise. If these are not found and removed, changing the password only inconveniences them. This is the step where professional help earns its keep.

4. Preserve evidence and write down the timeline

Note when you first noticed, what alerts arrived, who reported what and when. Do not delete the suspicious emails, do not wipe the machine yet. If money moved, contact your bank immediately, and report it at cyber.gov.au through ReportCyber. Speed matters for fund recovery.

5. Consider your notification obligations

If personal information may have been accessed, Australian privacy law may require you to assess and report an eligible data breach. Medical practices and firms holding sensitive client data should take this seriously and early. It is a legal question with deadlines, not an IT afterthought.

6. Only then, rebuild and harden

Once access is cut off and evidence preserved: patch, restore from clean backups where needed, and fix the gap that let it happen, usually a missing second factor, a reused password or an unpatched system. A compromise investigated properly ends with your business more secure than before it happened.

We run incident response to a documented playbook, from the first phone call through evidence, containment and hardening. If something feels wrong right now, call us on 07 5631 4365. Faster is always better.

Want your setup checked against this? Book a free IT review or call 07 5631 4365.

Ready for IT that just works?

Tell us what's frustrating you and we'll come back with a free, no-obligation IT review: where your setup stands, what needs fixing first, and what it should cost.

  • Free review of your current IT and security
  • Clear, fixed monthly pricing, no surprises
  • Gold Coast technicians, response under 15 minutes
Andre Minnaar, founder of Premium Business IT

Prefer to talk? Andre answers. Call 07 5631 4365

5.0on Google · 3 reviews

No spam, no obligation. We reply within one business day.

Call usFree IT review