My Business Has Been Hacked? What To Do Right Now.
If you're dealing with a live cyber attack, follow the steps below in order. Holker IT's Cyber Attack Response team can start containment within minutes of your call.
Get In Touch
Fill out the form and a member of our Cyber Attack Response team will be in touch. No hard sales, just honest advice.
Published by Holker IT · Last updated 1 July 2026
If you're reading this because something's wrong right now (files won't open, a ransom note has appeared, an account is locked out, or money has gone missing) stop scrolling social media for answers and follow the steps below in order. This page is written for UK businesses in the middle of a live incident, not a general awareness piece.
What To Do In The Next Five Minutes.
- Don't panic, and don't shut down the affected computer if you can avoid it. Powering off can destroy evidence held in memory that an investigator needs, so disconnect it from the network instead (unplug the cable or turn off Wi-Fi).
- Isolate, don't investigate. Disconnect the affected device(s) from your network so any infection can't spread further, but leave them switched on.
- Call your IT support or security provider straight away, even if you're not 100% sure it's an attack. It's always better to have it checked and be wrong than to wait.
- Don't pay anyone yet. If you've seen a ransom demand, don't respond to it or send any payment before taking advice.
- Tell a colleague. Don't try to handle a live incident alone; get a second person looped in so decisions are recorded as you go.
Containment Checklist.
Once the immediate danger is contained, work through this checklist. It mirrors the approach used by NCSC-assured incident response providers.
- Isolate affected systems. Disconnect infected devices from the network; segment or shut down affected network segments if multiple machines are involved.
- Disable compromised accounts. Reset passwords and revoke active sessions, and turn on multi-factor authentication if it isn't already active.
- Preserve evidence. Don't wipe or reinstall anything yet. Logs, network traffic data and any ransom note are all evidence your response team may need.
- Check your backups. Confirm your most recent backup is intact and predates the attack. Don't restore until you know how the attacker got in.
- Loop in leadership. A director or senior manager needs to know within the hour, both to authorise decisions and because of legal reporting obligations.
- Bring in specialist help. Detecting the full scope of an intrusion, eradicating it, and recovering safely is specialist work. This is exactly what our Cyber Attack Response team does daily.
What Kind Of Incident Are You Dealing With?
Different attacks need different first moves. Attackers often combine several of these at once, so get a specialist to confirm what you're facing.
Ransomware
Files renamed or refusing to open, a ransom note on screen, or servers suddenly failing to boot. Isolate other machines immediately, since ransomware spreads fast. Don't pay or restore from backup before you know how the attacker got in.
Business Email Compromise / Phishing
Unusual sent items, colleagues reporting odd emails from you, invoices redirected to a new bank account, or a login alert from an unfamiliar location. Change the password, enable MFA, and check mail forwarding rules.
Data Breach Or Theft
Unexplained data transfers, a customer or supplier reporting your data has appeared elsewhere, or a vendor breach notification. If personal data is involved, the 72-hour ICO reporting clock has started.
Third-Party / Supply-Chain Breach
A supplier, IT provider or software vendor you rely on has been compromised. Treat it as your incident too: review their access to your systems and consider it compromised until proven otherwise.
Common Mistakes In The First 24 Hours.
- Paying a ransom immediately without exploring alternatives or checking legal and insurance implications first.
- Wiping or reinstalling affected machines before evidence has been captured.
- Restoring from backup before the entry point is closed. This can re-infect newly restored systems within hours.
- Going public (customer emails, social media, press) before the facts are confirmed.
- Not checking cyber insurance requirements before starting remediation. Many policies require an approved provider.
- Assuming a single affected laptop means a single affected laptop. A full scope assessment is essential.
This Isn't A Rare Event.
Source: gov.uk Cyber Security Breaches Survey 2025/2026. Despite this, only around 5% of UK businesses hold Cyber Essentials certification, and just 44% of micro-businesses have an external cyber security provider in place. The National Cyber Security Centre (NCSC) recommends using an NCSC-assured Cyber Incident Response provider wherever possible.
Holker IT's Cyber Attack Response Team.
Whatever your current IT setup, whether that's an existing Holker client, another provider, or no support in place, get in touch to discuss how quickly we can step in.
Containment & Eradication
Isolating affected systems, disabling compromised accounts, removing the threat.
Evidence Preservation
Securing logs and artefacts for investigation, insurance claims, or law enforcement.
Standby Infrastructure
We spin up copies of your servers in Holker's cloud so your business can keep operating.
24-Hour Support
Available around the clock for the moments that can't wait for office hours.
See the full details on our Cyber Attack Response page, or explore PROCYBER, our managed detection and response service designed to catch incidents like this earlier.
Recovery & Preventing A Repeat.
Containing today's incident is only half the job. A proper post-incident review should cover root cause, patching the specific gap exploited, verifying systems are genuinely clean, and a written incident report for your insurer and board.
Penetration Testing
Finds the gaps an attacker would exploit before they do it again.
Cyber Essentials Certification
A government-backed baseline that demonstrates to customers, insurers and suppliers that the fundamentals are in place.
Frequently Asked Questions.
Should I turn my computer off?
Not immediately. Disconnect it from the network instead (unplug the network cable or disable Wi-Fi) and leave it powered on until an investigator has had a chance to look at it, since turning it off can lose evidence held in memory.
Should we pay the ransom?
Take advice before doing anything. Paying doesn't guarantee you'll get your data back, may mark you as a target for future attacks, and can carry legal risk. Call us before making that call.
How quickly can Holker respond?
Our Cyber Attack Response team is available 24 hours a day and can begin containment work within minutes of your call to 0333 305 2020.
Do you only help existing Holker clients?
Get in touch to discuss your situation. Whatever your current IT setup, whether that's another provider or nothing in place, we'll talk through the best way we can help.
What if we don't have cyber insurance?
You can still engage our Cyber Attack Response team directly. Insurance isn't a requirement to get help.
How much does incident response cost?
It depends on the scale and nature of the incident. Call us for a same-day assessment; we'll be upfront about likely cost before starting any chargeable work.