Hacked? Here's What To Do: Incident Response Guide

Discovering your business has been hacked is stressful. Your mind races, your heart pounds, and you're not sure what to do first. Take a breath. This guide walks you through exactly what to do, step by step, to minimize damage and recover as quickly as possible.

Professional calmly responding to security incident
Stay calm and follow the incident response plan

Signs You've Been Hacked

The first step is recognizing that something is wrong. Here are common signs of a security breach:

Unusual system behavior

Slow performance, crashes, programs starting on their own

Locked out of accounts

Passwords no longer work, unexpected password reset emails

Ransom messages

Files encrypted, messages demanding payment

Strange network activity

Unexpected data transfers, connections to unknown servers

Security alerts

Warnings from antivirus, firewall, or monitoring tools

Customer complaints

Reports of spam from your email, suspicious invoices

Immediate Steps: The First 15 Minutes

When you suspect a breach, these first actions are critical:

1

Don't panic

Take a breath. Rushed decisions often cause more damage. You have time to think.

2

Document what you see

Take photos of screens, note error messages, timestamps. This evidence is crucial.

3

Don't turn off computers

Unless ransomware is actively spreading. Evidence may be lost on shutdown.

4

Isolate affected systems

Disconnect from network (unplug cables, disable Wi-Fi). Don't turn off.

5

Call your IT partner

If you have one, contact them immediately. They can guide next steps.

Step-by-Step Response Plan

1

Contain

Stop the spread

  • Disconnect affected computers from the network
  • Disable remote access and VPN connections
  • Change passwords for critical accounts (from a clean device)
  • Block suspicious IP addresses at the firewall
  • Preserve evidence—don't delete or modify anything
2

Assess

Understand what happened

  • Identify which systems are affected
  • Determine what data may be compromised
  • Check backup systems—are they intact?
  • Review security logs for entry point
  • Identify the type of attack (ransomware, data theft, etc.)
3

Communicate

Inform the right people

  • Brief management and key staff
  • Prepare customer communication if data affected
  • Notify cyber insurance provider
  • Consider legal counsel for GDPR obligations
  • Document all communications
4

Recover

Restore operations

  • Verify backups are clean before restoring
  • Rebuild systems from known-good images
  • Restore data from offline backups
  • Reset all passwords across the organization
  • Patch vulnerabilities that enabled the attack
5

Report

Notify authorities if required

  • NIS2: Report significant incidents within 24 hours
  • GDPR: Notify data protection authority within 72 hours if personal data affected
  • File police report for criminal investigation
  • Notify CCB at cert@ccb.belgium.be for technical assistance
6

Learn

Prevent it from happening again

  • Conduct post-incident review
  • Identify what allowed the attack to succeed
  • Update security policies and procedures
  • Implement additional security controls
  • Train staff on lessons learned

Who to Contact

Having the right contacts ready before an incident saves precious time:

Your IT partner — They should be your first call. Have their emergency number accessible.
CCB CERT — Belgium's Computer Emergency Response Team: cert@ccb.belgium.be or +32 2 501 05 60
Local police — File a report for insurance and potential investigation
Cyber insurance — If you have a policy, notify them immediately
Legal counsel — For GDPR obligations and liability questions

NIS2 Reporting Requirements

If your organization falls under NIS2, you have strict reporting obligations:

24 hours Early warning to competent authority
72 hours Incident notification with initial assessment
1 month Final report with root cause analysis

Should You Pay the Ransom?

This is one of the most difficult decisions businesses face. Our recommendation: don't pay.

Why not to pay:

  • No guarantee you'll get your data back
  • Funds criminal organizations and encourages more attacks
  • Paying marks you as a target for future attacks
  • Decryption tools often don't work properly
  • May violate sanctions regulations

Cyber Insurance Considerations

If you have cyber insurance, act quickly:

  • Notify your insurer as soon as possible (check policy for timeframe)
  • Document everything—insurers need evidence for claims
  • Follow their incident response requirements
  • Keep receipts for all incident-related expenses
  • Don't admit liability without consulting your insurer

Preventing the Next Attack

Once you've recovered, strengthen your defenses:

Regular backups — Test them regularly. Keep offline copies.
Employee training — Most breaches start with phishing. Train your team.
Multi-factor authentication — Enable it everywhere possible.
Keep systems updated — Patch vulnerabilities promptly.
Incident response plan — Have a written plan before the next incident.
Security monitoring — Consider managed detection and response services.

Frequently Asked Questions

How do I know if I've been hacked?

Common signs include: unusual system slowness or crashes, locked accounts, ransom messages, unexpected password resets, strange emails sent from your accounts, or alerts from security software. If something feels wrong, investigate. Trust your instincts.

Should I turn off my computer?

Usually no. Turning off a computer can destroy forensic evidence in memory. Instead, disconnect it from the network (unplug the ethernet cable, disable Wi-Fi) but leave it running. The exception: if ransomware is actively encrypting files and spreading, shutting down may limit the damage.

Do I need to report a breach?

It depends. Under GDPR, breaches involving personal data must be reported to the data protection authority within 72 hours if they pose a risk to individuals. Under NIS2, significant incidents must be reported within 24 hours. Even if not legally required, reporting to CCB (cert@ccb.belgium.be) can help you get assistance and helps protect others.

Should I pay a ransom?

We strongly advise against it. There's no guarantee you'll get your data back, it funds criminal organizations, and it marks you as a target for future attacks. Focus on restoring from backups instead. If you don't have backups, consult with law enforcement and cybersecurity experts before making any decisions.

How can I prevent this from happening again?

Focus on the basics: maintain regular tested backups (with offline copies), enable multi-factor authentication everywhere, keep systems patched and updated, train employees to recognize phishing, and have an incident response plan ready. Consider implementing the CyberFundamentals framework for structured security improvement.

Related Articles

Sources

  1. CCB CERT Belgium — Computer Emergency Response Team
  2. NIS2 Directive (EU) 2022/2555 — Incident reporting requirements
  3. IBM Cost of a Data Breach Report — Breach statistics and costs
  4. ENISA — EU Agency for Cybersecurity