Don’t hit the panic button: What to do if you think you’ve been hacked

There’s a lot of hyperbole and alarmism within our industry. At times this can be self-defeating, muddling the email security must-haves with the not-so-necessaries, and leaving CISOs, CIOs, and IT Managers resenting the would-be protectors almost as much the hackers attacking them.

Hence why it’s important to stick to the facts around the risks posed to your business. The Government tells us that more than two in five UK businesses uncovered breaches in 2018. Given that it takes an average of almost 200 days after the initial occurrence to identify a typical data breach, combined with the truth that not every breach is reported, it seems reasonable to estimate that more than half of UK businesses are being hacked every single year.

Creating your response strategy

Now, alarmism aside, this means your business is odds-on to be attacked before Santa Claus next comes to town, making it the ideal time to audit your existing cyber defenses and ensure you’ve taken every step to minimize the potential entry avenues that could be exploited by hackers.

But it’s also high time to create a response strategy in preparation for the event that your business is penetrated at some stage in the future. After all, blind panic is rarely a helpful form of remediation, and a great many companies manage to escalate potentially serious cyber scenarios to out-and-out crises by failing to keep a cool head and thus missing vital response steps – some of which carry their own legal or regulatory ramifications.

So, below we’ve included a walkthrough of how to avoid panic and address the essentials should you discover that you’ve become a hacking victim:

  • Close the door: If it’s an individual machine that’s been compromised, disconnect it from the internet and other machines. If you fear multiple points of entry, consider what needs to be disconnected and for how long, to assess the extent of the attack. In extreme cases, a temporary shut-down may be the only viable means of isolating the incident.
  • Alert the leadership: Businesses need to assume collective responsibility for cyber breaches from the top down – this is too big a burden to be born by the IT department. Making the wider leadership team aware of the issue is an essential early step, given the range of compliance procedures that will have to be fulfilled further down the line.
  • Assess the damage: This may be easier said than done if a hack attack is widespread, but you should attempt to get an early read on the level of damage as this will inform the steps that must follow around comms and legal proceedings. If a broader assessment is needed, assign a team to investigate more thoroughly and/or bring in a trusted third-party to help undertake the work and arrive at certainty.
  • Seek legal guidance: You should talk to your company’s legal team about cybersecurity irrespective of whether you’ve been hacked, in order to formulate a response plan covering as many types of breach as possible. This gives your legal eagles the chance to construct well-considered guidance for each scenario about the necessary remedial steps that must be taken to. If in doubt, when the attack happens, get your legal team on the phone at the earliest opportunity.
  • Internal and external comms: Every hack will have different ramifications, but it’s likely that employees will have to be informed as quickly as possible – particularly if they need to change practises/behaviours as a consequence. It may be necessary to communicate the information to suppliers, as many cyberattacks originate within firms’ broader supply chain networks. Finally, from regulators to insurers to the media, it’s crucial that your communications strategy considers every audience that needs to know about the hack. Do some advance planning and formulate a communications strategy – again based on a variety of incident types – with a clear timeline for engaging each audience in each circumstance.
  • Tell your customers/the public: Informing your customers, or the public at large, should form a central part of the communications strategy. However, it’s worth singling out this audience, as it’s your customers that need to be kept on-side at all costs, particularly if their data has been compromised. Many companies suffer far more reputational damage in the aftermath of a breach than they do during the attack itself, almost always due to a failure to communicate clearly, quickly, and honestly with the audiences that matter most.
  • Review the causes, plug the gaps: Being hacked once doesn’t make you immune to the risk of future attacks. In fact, if there’s a vulnerability in your organizational defences, whether the result of a poorly patched network of machines or a lack of employee awareness, then hackers will go on exploiting it until the vulnerabilities are eradicated. So once the above mitigation steps have been taken, get to work on figuring out how the hack occurred and how future attacks can be prevented.

Remember, creating an effective response strategy is not a task that can be solved by a simple checklist. This is a serious business; indeed, an entire industry has arisen that is dedicated to helping companies respond to cyberattacks more effectively. But before you shell out for third-party support on building your response strategy, it’s worth checking out the NCSC’s website to help you better determine what the most appropriate steps are for your business. And whatever you do, don’t panic!

To find out more about how Red Sift can help protect your business from cyberattacks, get in touch.

Get in touch


Clare Holmes

28 Mar. 2019



Recent Posts


The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more