The First Hour: Cyber Attack Containment Checklist.
Six things to do, in order, the moment you suspect a cyber attack. This is the detailed version of step one on our "Been Hacked?" page: contain first, investigate second.
Get In Touch
Fill out the form and a member of our Cyber Attack Response team will be in touch. No hard sales, just honest advice.
Published by Holker IT · Last updated 1 July 2026
If you landed here directly, start with our main guide, My Business Has Been Hacked? What To Do Right Now, for the full picture. This page goes deeper into step one: containment, the part that decides whether a single infected laptop stays a single infected laptop.
Why the first hour matters: according to the UK government's 2025/2026 Cyber Security Breaches Survey, 43% of UK businesses identified a breach or attack in the past year. How well the first hour is handled, before anyone starts investigating root cause, is often what separates a contained incident from a business-wide outage.
Six Steps, In Order.
1Isolate the affected device
Disconnect it from the network rather than switching it off: unplug the ethernet cable, or turn off Wi-Fi from the physical switch or settings menu if you can't reach the router. Leaving the device powered on preserves evidence held in memory that an investigator may need. Don't use the infected device to search for advice or download tools; use a different, unaffected computer or your phone. If the infection has already spread to more than one machine, or you're not sure how far it's gone, isolate the whole network segment or VLAN rather than device by device.
2Disable and rotate compromised credentials
Reset passwords for any account you suspect is compromised, and if you're unsure of the scope, reset admin and finance accounts as a precaution. Force sign-out of all active sessions: in Microsoft 365 this means revoking sessions in the admin centre, not just changing the password. Turn on multi-factor authentication anywhere it isn't already active. If you suspect email compromise, check inbox rules and mail forwarding settings; attackers often hide a forwarding rule so they can keep reading email after the password changes.
3Preserve evidence
Don't wipe, reinstall or "clean up" anything yet, even if it looks like the obvious next step. Photograph any ransom note or unusual screen with your phone. Note the exact time you first noticed the problem and what you saw; this timeline matters for both investigation and any ICO reporting. Where you can do so safely, keep a copy of relevant logs: firewall logs, antivirus or EDR alerts, and Microsoft 365 or Google Workspace audit logs.
4Check your backups, but don't restore yet
Confirm your most recent backup completed successfully and, ideally, that it predates the attack. If your backup appliance or cloud backup account is on the same network as the affected systems, consider disconnecting it too, since ransomware increasingly targets backups directly. Hold off on restoring anything until you know how the attacker got in; restoring onto an unpatched entry point just invites a repeat.
5Loop in leadership, and legal if you have it
A director or senior manager needs to know within the hour, both to authorise decisions such as engaging specialist help and because they may carry personal reporting obligations. If personal data might be involved, get your Data Protection Officer or legal advisor looped in early: the ICO's 72-hour reporting clock starts from when the organisation becomes aware, not from when the investigation concludes. Don't communicate externally, to customers, suppliers or on social media, before this group has agreed what to say.
6Bring in specialist help
An internal IT team can usually manage step one, isolating the immediate problem. Working out the full scope of an intrusion, eradicating it completely, and recovering safely without missing a hidden foothold is specialist incident response work. This is what Holker IT's Cyber Attack Response team does daily, and the National Cyber Security Centre recommends using an NCSC-assured provider wherever possible.
What Isolation Actually Looks Like.
A single laptop or desktop
Unplug the network cable or turn off Wi-Fi. Leave it powered on. Don't reconnect it to charge via a docking station that's also networked.
A server
Disconnect its network interface rather than shutting it down where possible. If it's virtualised, isolating the network adapter at the hypervisor level is often faster than physical access.
A cloud or email account (Microsoft 365, Google Workspace)
Reset the password, revoke all active sessions from the admin centre, and check for forwarding rules or new app registrations you don't recognise.
A whole office network
If multiple devices are affected or the source is unclear, isolate the affected VLAN or segment at the firewall or switch rather than chasing individual machines.
Frequently Asked Questions.
Should I disconnect the whole office network or just the affected device?
Start with the affected device. Widen to a full network segment or the whole office only if more than one machine is showing symptoms, or you can't quickly confirm how far the problem has spread.
What if we don't have an IT team to help isolate systems?
Call Holker IT's Cyber Attack Response team on 0333 305 2020. We can talk a non-technical team member through safe isolation over the phone and take over from there.
Can we keep using unaffected computers in the same office?
Usually yes, once the affected device is isolated, but avoid logging into shared systems (email, finance software, file servers) from any device until you know the scope of the incident.
How do we preserve evidence without technical expertise?
Take photos of anything unusual on screen, write down the time you noticed the issue, and leave affected devices powered on but disconnected. That's enough for a specialist to work with when they arrive.
What information should we have ready when we call for help?
Roughly when you first noticed the problem, which devices or accounts seem affected, whether you've seen a ransom note or unusual message, and whether your backups are confirmed intact.