What to Do When Your Business Gets Hacked (Step by Step)
14 April 2026
It's 9am on a Tuesday. Someone on your team clicks a link in an email that looked legitimate. Or a password that was reused across sites gets compromised in a data breach. Or your Microsoft 365 account starts sending emails you didn't write. However it happens, the reality hits: you've been hacked.
What you do in the next 60 minutes determines whether this is a contained incident or a full-blown crisis. Speed matters more than perfection here.
First 15 Minutes: Contain
Don't panic, but don't wait. The instinct is either to freeze or to start deleting things. Don't do either.
- Reset the compromised account's password immediately. Change it to something long and random. If you don't know which account is compromised, start with the one that's showing suspicious activity.
- Revoke all active sessions. In Microsoft 365, go to the user's account in the admin centre and click "Sign out of all sessions." This forces the attacker to re-authenticate — which they can't do if you've changed the password.
- Enable MFA if it wasn't already on. If the compromised account didn't have multi-factor authentication, enable it now. This prevents the attacker from getting back in even if they obtain the new password.
- Check for mail forwarding rules. Attackers often set up forwarding rules to send copies of all incoming email to an external address. Check the compromised mailbox for rules you didn't create and delete them.
Next 30 Minutes: Assess
Understand what happened and how far it went.
- Check the sign-in logs. In Microsoft Entra (Azure AD), review the compromised account's sign-in history. Look for sign-ins from unusual locations, unfamiliar IP addresses, or sign-ins using legacy authentication protocols.
- Check what was accessed. Did the attacker access SharePoint, OneDrive, or Teams? Did they download files? Did they access other users' mailboxes? The audit logs will show this.
- Check for other compromised accounts. If one account was breached through credential stuffing (reused password), others might be too. Review sign-in logs for other users showing the same suspicious patterns.
- Check for sent emails. Look in the compromised account's Sent Items and Deleted Items for emails you didn't send. Attackers often use compromised business accounts to send phishing emails to your contacts — which is both embarrassing and potentially liable.
Next 15 Minutes: Communicate
Tell the right people.
- Your team: Let them know there's been an incident. Tell them not to click on any unusual emails from the compromised account and to report anything suspicious.
- Your IT provider: If you have managed IT support, call them now. They can do a deeper investigation, check for persistence mechanisms, and help with remediation.
- Your clients (if affected): If phishing emails were sent from your account to clients, tell them promptly. "Our account was compromised. Please ignore any unusual emails from us in the last 24 hours." Honesty and speed here protects both your clients and your reputation.
Within 72 Hours: Report
If personal data was accessed or exfiltrated, you may have a legal obligation to report the breach:
- ICO (Information Commissioner's Office): Under GDPR, reportable breaches must be notified within 72 hours. Not every incident is reportable — only those that risk people's rights and freedoms. When in doubt, report.
- Action Fraud: Report the incident to Action Fraud (the UK's national fraud and cyber crime reporting centre) for a crime reference number.
- Your cyber insurance provider: If you have cyber insurance, notify them as early as possible. Many policies have incident response support included.
What Not to Do
- Don't wipe the device immediately. You might destroy evidence needed for investigation.
- Don't ignore it and hope it goes away. Attackers who get access often maintain persistence — they'll come back unless you properly remediate.
- Don't blame the person who clicked the link. Phishing emails are sophisticated. The failure is in the controls that should have prevented it, not in the person who fell for a well-crafted attack.
Key takeaway
After the incident is contained: review what happened, fix the gaps that allowed it, and put controls in place to prevent it happening again. MFA on every account. Email authentication configured. Conditional Access policies active.
After the incident is contained: review what happened, fix the gaps that allowed it, and put controls in place to prevent it happening again. MFA on every account. Email authentication configured. Conditional Access policies active. The basics that should have been there before — make sure they're there now. Our £0 security checklist is a good place to start.
Want to talk about this?
Book a free 15-minute call and we'll discuss how this applies to your business.
Book a Free CallGet IT tips in your inbox
Practical advice for small businesses. No spam.
