In the first hour, stay calm and act deliberately: isolate affected devices from the network (don't power them off), preserve evidence, change critical passwords from a clean device, alert your incident-response contact and leadership, and start a written timeline. Don't pay ransoms or delete anything before getting expert help.
The email looked normal. Then the wire confirmation came back — to a vendor who never invoiced you. Your accounting login fails. A file on the shared drive is now named DECRYPT_ME.txt. Your stomach drops. This is the moment that decides how much the breach costs you. What you do in the next sixty minutes matters more than almost anything you'll do in the following sixty days.
The stakes are real. IBM's Cost of a Data Breach Report 2024 put the global average breach at $4.88 million — the highest ever recorded and up 10% year over year. And the FBI's IC3 2023 Internet Crime Report logged more than $12.5 billion in reported losses in a single year. Small and mid-sized businesses aren't spared; they're targeted precisely because attackers expect no plan to be in place. Here's the plan.
What should I do in the very first minutes after discovering a breach?
Stop and breathe. Panic causes the two worst mistakes: deleting evidence and tipping off the attacker. Then work the list:
- Start a written timeline. Note the exact time you noticed, what you saw, and every action you take afterward. This becomes your single source of truth for insurers, law enforcement, and responders.
- Tell one decision-maker immediately. A breach needs an owner. Loop in the business owner or a designated incident lead — not the whole company yet.
- Assume the attacker is watching. Don't discuss the breach over the compromised email or chat system. Switch to phone or a personal device.
Takeaway: The first move is information control, not heroics.
How do I contain the attack without destroying evidence?
Containment and evidence preservation pull in opposite directions, so be precise.
- Disconnect, don't power down. Unplug the network cable or disable Wi-Fi on affected machines. Powering off can wipe memory-based forensic evidence that tells responders how the attacker got in.
- Isolate, don't reimage. Resist the urge to "just wipe it and start fresh." That destroys the evidence trail and often leaves the attacker's backdoor untouched on other systems.
- Change critical passwords from a clean device — email, banking, admin, and remote-access accounts — and turn on multi-factor authentication everywhere it isn't already.
- Preserve the ransom note or phishing email. Screenshot it. Don't delete it.
The NIST Computer Security Incident Handling Guide (SP 800-61) frames response as a cycle of Detection → Containment → Eradication → Recovery for exactly this reason: rushing to eradicate before you understand the scope usually means you miss something.
"In the first hour, the goal isn't to fix the breach — it's to stop the bleeding without burning the evidence," says the RedCore incident-response team at RoboZilla. "The businesses that recover fastest are the ones that isolated, documented, and called for help instead of trying to quietly clean it up alone."
Who should I call — and in what order?
Make these calls inside the first hour:
- Your incident-response provider (like RoboZilla's RedCore). They triage scope and stop active spread before more systems fall.
- Your cyber-insurance carrier. Most policies require prompt notice and have a 24/7 hotline. Acting outside their process can void coverage.
- Your bank, if any financial system or wire was touched. Fast fraud reporting is often the only path to recovering funds.
- Law enforcement — file with the FBI's IC3 (ic3.gov) and contact CISA, which offers free incident guidance to U.S. businesses.
- Legal counsel, who advises on breach-notification obligations that vary by state and industry.
Takeaway: You don't need every answer in the first hour — you need the right people moving.
What should I absolutely NOT do in the first hour?
- Don't pay the ransom on impulse. The FBI advises against it; payment funds future attacks and rarely guarantees clean recovery.
- Don't delete files, logs, or accounts. You're erasing the map of what happened.
- Don't email the whole staff yet. A premature "we've been hacked" message can cause panic, leaks, and legal exposure before you know the facts.
- Don't reconnect "fixed" machines to the network. Reinfection from a single missed foothold is one of the most common second-day disasters.
How do I know how bad the breach really is?
You won't know fully in an hour — and that's normal. IBM found the average breach in 2024 took 258 days to identify and contain. Your first-hour job is to map the blast radius, not to close the case: Which systems are affected? Was customer or employee data accessed? Are backups intact and offline? Document what you can confirm versus what you suspect, and hand that to your responders.
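A small way to keep the written timeline from the first-minutes list and to separate confirmed from suspected findings for responders, as an added example (not RoboZilla's or RedCore's code; the incident id, times and host name are constructed):

```python
# Added example (not RoboZilla/RedCore code): append-only, hash-chained incident
# timeline. Entries are tagged confirmed / suspected / action, and the chain
# lets anyone verify later that no entry was altered or dropped from the middle.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry
STATUSES = ("confirmed", "suspected", "action")

def entry_hash(prev_hash, entry):
    # Binds this entry's content to the previous entry's hash.
    payload = json.dumps(entry, sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class IncidentTimeline:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, what, status, who, when=None):
        if status not in STATUSES:
            raise ValueError(f"status must be one of {STATUSES}")
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries) + 1, "time": when, "who": who, "status": status, "what": what}
        entry["hash"] = entry_hash(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        # Recompute every hash from the anchor; an edited entry or a gap breaks the chain.
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if entry_hash(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def summary(self):
        return {s: sum(1 for e in self.entries if e["status"] == s) for s in STATUSES}

def build_sample_timeline():
    # Constructed first-hour entries; incident id, times and host name are made up.
    t = IncidentTimeline("INC-EXAMPLE-001")
    t.record("DECRYPT_ME.txt seen on shared drive", "confirmed", "owner", "2024-05-01T09:02:00+00:00")
    t.record("Wire sent to unknown vendor; possible BEC", "suspected", "owner", "2024-05-01T09:05:00+00:00")
    t.record("Unplugged FILESRV01 network cable; left powered on", "action", "owner", "2024-05-01T09:08:00+00:00")
    return t
```

Hand the exported entries to your responders as-is; they can re-run verify() to confirm nothing changed after the fact.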
The human element is usually the door. Verizon's 2024 Data Breach Investigations Report found 68% of breaches involved a non-malicious human element — a clicked link, a reused password, a convincing fake. That's also the best news: most breaches are preventable with the right monitoring and staff training in place before the next attempt.
FAQ
Should I shut down my computers immediately?
No. Disconnect them from the network instead. A full shutdown can erase memory-based evidence forensic teams need to trace the attack.
Should I pay the ransom to get my data back fast?
The FBI advises against paying. It funds criminal operations and offers no guarantee of recovery. Call your insurer and an incident-response provider first.
Do I have to tell my customers right away?
Notify them — but on legal counsel's timeline. Notification rules vary by state and industry, and a rushed or inaccurate disclosure can create new liability.
Is my business too small to be a real target?
No. Attackers favor small and mid-sized businesses because they expect weaker defenses and no response plan. Size offers no protection.
What's the single most valuable first-hour action?
Isolate affected systems and start a written timeline. Containment plus documentation shapes every recovery, insurance, and legal step that follows.
About RoboZilla — RoboZilla helps small and mid-sized businesses defend, automate, and grow with RedCore cybersecurity and incident response, business automation, and AI lead generation. If you've been breached — or want a plan before you are — call RoboZilla's RedCore team at (877) 692-8992 or visit https://robozilla.ai.