© 2026 Valont Pty Ltd. All rights reserved.

Updated February 2026 · 8 min read

Your Small Business Has Been Hit by a Cyber Attack. Now What?

If you suspect your business has been hit by a cyber attack — ransomware encrypting your files, a phishing email that compromised credentials, unauthorised access to your systems, or a data breach exposing client or employee information — the next 24 hours are critical. Your actions now determine whether this is a contained incident with manageable impact or a catastrophic event that threatens your business.

If you believe a crime is in progress — active unauthorised access, ongoing data theft, or an extortion demand — contact the Australian Cyber Security Centre immediately at 1300 CYBER1 (1300 292 371) and your state police.

Immediate Actions: First 2 Hours

1. Isolate Affected Systems

Disconnect compromised devices from the network immediately. Unplug ethernet cables, turn off WiFi on affected devices, and disconnect any remote access connections. Critically: do NOT turn the devices off. Powering down can destroy forensic evidence stored in volatile memory that investigators will need to determine what happened and what data was accessed. Just disconnect them from the network to stop the attack from spreading.

2. Change All Critical Passwords

Using a clean, unaffected device (if possible, a personal phone or a device not connected to your business network), change passwords for: email (Microsoft 365, Google Workspace), banking and financial systems, accounting software (Xero, MYOB), payroll systems, cloud storage (OneDrive, Google Drive, Dropbox), and any other business-critical systems. Enable multi-factor authentication on every system that supports it. If MFA was already enabled and the attacker still gained access, the MFA method itself may be compromised — change to a different MFA method (e.g., switch from SMS to an authenticator app).

3. Contact Your Bank

If financial systems may have been compromised — or if the attack involved a business email compromise (fake invoices, redirected payments) — alert your bank immediately. Banks have fraud teams that can place monitoring on accounts, reverse recent suspicious transactions, and temporarily restrict access to prevent further unauthorised transfers.

4. Document Everything

Start a written log — time, date, and description of every action taken and every observation made. Screenshot any ransom messages, unusual error messages, or evidence of unauthorised access. Record the exact time you discovered the incident, who discovered it, and what was observed. This log will be critical for insurance claims, regulatory reporting, and any law enforcement investigation.
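The log in step 4 can also be kept electronically on a clean device. The Python sketch below is an added example, not part of the original article: each entry records the time, the person, and what was done or observed, and is chained to the previous entry with SHA-256 so that later edits or deletions can be detected. The field names, function names, and sample entries are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" value for the first entry
FIELDS = ("time", "who", "kind", "note", "prev")

def _digest(entry):
    # Hash only the recorded fields, in a stable order.
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def add_entry(log, who, kind, note, when=None):
    """Append an 'action' or 'observation' entry, chained to the one before."""
    if kind not in ("action", "observation"):
        raise ValueError("kind must be 'action' or 'observation'")
    when = when or datetime.now(timezone.utc)
    entry = {
        "time": when.isoformat(timespec="seconds"),
        "who": who,
        "kind": kind,
        "note": note,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return the index of the first altered or out-of-place entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return None

def sample_log():
    # Constructed entries for illustration only.
    t = lambda h, m: datetime(2026, 2, 3, h, m, tzinfo=timezone.utc)
    log = []
    add_entry(log, "J. Smith", "observation", "Ransom note on reception PC; files renamed", t(9, 12))
    add_entry(log, "J. Smith", "action", "Unplugged ethernet, WiFi off; PC left powered on", t(9, 15))
    add_entry(log, "A. Lee", "action", "Called bank fraud team from personal phone", t(9, 40))
    return log

if __name__ == "__main__":
    log = sample_log()
    print(json.dumps(log, indent=2))
    print("first bad entry:", verify(log))
```

The chain only shows tampering if the latest hash is also noted somewhere outside the log file, such as on paper or read out to your incident response provider.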

Within 24 Hours

5. Report to Authorities

Report the incident to the Australian Cyber Security Centre at cyber.gov.au. If personal information has been accessed or disclosed, assess whether the incident triggers a Notifiable Data Breach under the Privacy Act 1988. If your business has annual turnover of $3 million or more (or is in healthcare, which has no threshold), and the breach involves personal information that is likely to result in serious harm, you must report to the Office of the Australian Information Commissioner (OAIC) and notify affected individuals. The assessment and notification must occur "as soon as practicable" and no later than 30 days after becoming aware of the breach.

6. Engage Professional Incident Response

Unless you have a managed IT provider with incident response capability already on retainer, engage a professional incident response firm immediately. They will forensically analyse the attack vector (how the attacker got in), determine the scope of the breach (what systems and data were affected), secure your environment against further attack, advise on recovery procedures, and help you meet regulatory reporting obligations. The cost of professional incident response — typically $5,000–20,000 for an SME incident — is a fraction of the cost of an uncontrolled breach. If you have cyber insurance, notify your insurer immediately — they often have preferred incident response providers and the policy may cover the cost.

7. Assess the Scope

Work with your incident response team to determine: what systems were accessed, what data may have been compromised (employee records, client data, financial information, intellectual property), whether data was exfiltrated (copied out of your environment) or just accessed, how long the attacker had access, and whether backdoors or persistent access mechanisms were installed.

Do NOT Do These Things

  • Do not pay a ransom without professional advice. Payment doesn't guarantee recovery, it funds criminal operations, and it may violate sanctions laws. Only 8% of businesses that pay ransoms recover all their data.
  • Do not try to "fix it yourself" by reinstalling software or wiping drives. You may destroy forensic evidence and eliminate the ability to determine what was compromised.
  • Do not communicate about the incident on compromised systems. The attacker may be monitoring your email. Use out-of-band communication — phone calls, personal email, or messaging apps on personal devices.
  • Do not delay. Every hour of inaction increases the damage. Attackers who maintain access continue to exfiltrate data, move laterally through your network, and establish persistence mechanisms that make them harder to remove.

After the Crisis: Prevention

The average cost of a cyber incident for an Australian SME is $46,000 — including direct costs (incident response, recovery, legal) and indirect costs (lost revenue, productivity, reputation). For some businesses, a serious incident is terminal: the ACSC reports that one in five small businesses that experience a significant cyber incident never fully recover.

Managed IT with proactive cybersecurity — monitoring, patching, endpoint protection, backup management, and Essential Eight alignment — typically costs $100–200 per user per month. For a 15-person business, that's $18,000–36,000 per year. Less than the average cost of a single incident.

Assess Your Cyber Risk Now

Don't wait for an incident to evaluate your security posture. Take the free Cyber Security Health Check — 3 minutes to understand your risk level and get specific recommendations.

Or talk to Valont's Technology Hub about proactive managed IT with cybersecurity built in.