Nobody thinks clearly the moment they realise they have been hacked. The screen is wrong, or the ransom note is there, or a client has just rung to ask why you emailed them asking to change bank details. The adrenaline says do something, fast, and that instinct is exactly the problem. The most expensive mistakes we see are not the attack itself. They are the reaction: the wrong machine switched off, the evidence deleted, the whole team emailed from an account the attacker is quietly sitting in.
None of what follows needs any technical knowledge. It is a running order, and its whole purpose is to keep you from making the situation worse while the right people get involved. Print it, or keep it somewhere you can reach when your main systems are the thing that is down.
First, do not make it worse
Before you touch anything, resist these four instincts. They are the ones that turn a bad day into a much longer one.
- Do not turn the affected computer off if you can avoid it. Pulling it off the network is better. Powering it down can wipe evidence held in memory that tells your IT team what happened and how far it reached.
- Do not delete anything. Leave the ransom note, the suspicious email and any warnings exactly where they are. That is the material your IT team, your insurer and any investigator will need.
- Do not pay a ransom on the spot. That is a considered decision for later, made with other people, not a reflex.
- Do not discuss the attack from a compromised account. If someone is in your inbox, they can read what you write about them. Move to phone calls, or an account you know is clean.
In the first hour, the attacker has already done their part. The damage still in your control is the damage you do reacting.
The step by step
Work through these in order, from the moment you notice something is wrong.
- Get the affected devices off the network. Pull the cable out, and switch Wi-Fi off, on every device that looks caught up in it. This is the single most useful thing a non-technical person can do, because it stops the problem spreading to other machines and, critically, to your backups. The ACSC's guidance is the same: isolate a device from the network rather than powering it down, and only shut it off if there is genuinely no other way to disconnect it.
- Call your IT provider, by phone. Not email, in case the inbox is being watched. If you carry cyber insurance, they are the next call, because most policies require you to bring their incident team in early, and some will not cover work done before you do.
- Leave the evidence alone. Do not wipe, reinstall or tidy up the affected machines yet. Photographs of the ransom note or the dodgy email are handy, but keep the originals in place too.
- If money has left, get the bank on the phone. Ask them to stop and claw back the transfer, and to freeze it if that is still possible. With payment fraud, the first few hours decide whether the money is recoverable at all.
- Reset passwords from a clean device, and switch on multi-factor authentication. Begin with email and any administrator accounts, and do it from a device you are confident is not affected, not the one in front of you.
- Report it. This can help you recover, and in some circumstances it is legally required. Where and how, for an Australian business, is below.
Where to report it in Australia
Report the incident through ReportCyber at cyber.gov.au, or call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371), which is staffed around the clock. If money was moved, tell your bank first and then report, because the bank is the one who can actually chase the funds.
There is a second obligation that catches a lot of businesses off guard. If personal information about your customers or staff may have been accessed or lost, the Notifiable Data Breaches scheme under the Privacy Act may apply. Where a breach is likely to result in serious harm, you are required to notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable. If you are not certain whether it qualifies, you have up to thirty days to assess it, but that is a ceiling to work well inside, not a deadline to drift toward. Ask your IT provider or your lawyer early, so a compliance problem is not sitting on top of the security one.
An attack is a security incident. A breach of personal information is also a legal one, with its own clock. Treat them as two problems from the start.
Should you pay the ransom?
If it is ransomware, this is the question that dominates the room, and it is worth having a clear view before you are ever in it. The Australian Signals Directorate, like law enforcement generally, advises against paying. A payment buys no guarantee your files return, it advertises you to the criminal world as someone who will pay, and it bankrolls whoever they target next.
It is ultimately your call, but make it alongside your incident-response team, your insurer and, where you can, the ACSC, rather than by yourself in a panic. There is a practical reason to wait for the specialists too: for some strains a free decryption key has already been published, so paying would cost you money for something you could have had for nothing.
The best time to prepare was before
Everything above is dramatically easier if a few decisions were made in advance. You do not need an incident-response binder. A single page will do, covering:
- Who to call first, your IT provider and your insurer, with their numbers kept somewhere you can reach without your main systems, on paper or a phone.
- Where your backups are, and proof they work. A backup you have never restored from is a hope, not a plan, which is the whole point of why a third of all data loss traces back to backups that were never tested.
- Which of your accounts and devices are the crown jewels, so it is obvious what gets protected and checked first.
That one page is enough for most small businesses, and it converts a frantic, guessing morning into a list you simply work down. It is exactly the kind of groundwork a cyber health check is meant to surface, and the reason your cyber insurer keeps asking the questions we covered in answering your renewal without voiding the policy.
Where we land on this
You will not remember six steps under pressure, so remember three, and let whoever you call handle the rest. Disconnect the affected devices. Phone your IT provider. Touch nothing else. If money moved, phone the bank too. Everything else on this page can be done with people who do this for a living beside you, which is the entire argument for having that relationship in place before the day arrives rather than scrambling to find one during it. If you would like help writing the one-page plan, or you are dealing with something right now, that is what AgileSECURE and the phone number at the top of this page are for.
Frequently asked questions
What is the very first thing to do in a cyberattack?
Get the affected devices off the network, by pulling the cable and switching the Wi-Fi off, then ring your IT provider on the phone. Isolating the device this way stops the problem spreading to other machines and to your backups while you wait for help, and unlike powering it down, it does not destroy the evidence sitting in memory.
Should I turn the computer off if I get ransomware?
Where you can, disconnect it from the network rather than shutting it down. Powering a machine off can erase evidence held in memory that helps work out what happened and how far it spread. Only turn a device off if there is no other way to get it off the network.
Should we pay the ransom?
Law enforcement, the Australian Signals Directorate included, starts from no. A payment does not guarantee your data returns, it tags you as someone who will pay, and it bankrolls the next victim's attack. Make the call with your incident-response team, your insurer and, where you can, the ACSC, rather than by yourself under pressure. It is also worth checking whether a free decryptor has already been published for the strain you were hit with before anyone pays a cent.
We paid a fake invoice or wired money to a scammer. What now?
Call your bank immediately and ask them to halt and recall the transfer, then report it to your bank's fraud team and to ReportCyber. The first few hours matter more than anything else, because once the money moves through a few accounts it becomes very hard to recover. Speed is the single biggest factor in getting it back.
Who do I report a cyberattack to in Australia?
Report it through ReportCyber at cyber.gov.au, or call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371), which runs 24 hours a day. Tell your cyber insurer as well, and if personal information about your customers or staff may have been exposed, check your obligations under the Notifiable Data Breaches scheme, because you may be legally required to notify the OAIC and the people affected.