Signs Your Business Has Been Hacked, and the First Things to Do
The warning signs that your business network or accounts have been compromised, the first steps to take if they have, and the mistakes that make a breach worse.
Most business breaches are quiet. There is rarely a dramatic message on the screen. Instead there are small, easy-to-miss signs that something is wrong, and the businesses that catch them early lose far less than the ones that find out weeks later. Here are the signs to watch for, what to do in the first hour if you spot them, and the mistakes that turn a contained problem into an expensive one.
The warning signs worth acting on
A single one of these can have an innocent explanation. Several at once, or any one that you cannot explain, is worth treating as a possible breach until you know otherwise.
- Colleagues or clients report emails from you that you never sent.
- You are locked out of an account, or your password suddenly stops working.
- New accounts, mailbox rules, or forwarding you did not set up appear in your email.
- Computers run slow, crash, or show programs and pop-ups nobody installed.
- Files are renamed, missing, or will not open, or you find a ransom note.
- Logins appear from places or at hours that do not match your team.
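The last sign in the list can be checked against a sign-in export. The sketch below is an added example, not part of the original article. The record fields, the expected country and the working hours are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for this example: the team works in the US, Monday to Friday,
# 07:00 to 19:00 Pacific time (fixed UTC-8 offset, daylight saving ignored).
TEAM_TZ = timezone(timedelta(hours=-8))
EXPECTED_COUNTRIES = {"US"}
WORK_START, WORK_END = 7, 19

# Constructed sample sign-in records with UTC timestamps, not real data.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-03-04T17:12:00+00:00", "country": "US"},
    {"user": "bob@example.com", "time": "2024-03-05T11:03:00+00:00", "country": "US"},
    {"user": "alice@example.com", "time": "2024-03-06T20:30:00+00:00", "country": "RO"},
    {"user": "carol@example.com", "time": "2024-03-09T22:00:00+00:00", "country": "US"},
]


def reasons_for(record):
    """Return the reasons a sign-in does not match the team's normal pattern."""
    local = datetime.fromisoformat(record["time"]).astimezone(TEAM_TZ)
    reasons = []
    if record["country"] not in EXPECTED_COUNTRIES:
        reasons.append("unexpected country " + record["country"])
    if local.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        reasons.append("weekend")
    elif not WORK_START <= local.hour < WORK_END:
        reasons.append("outside working hours")
    return reasons


def flag_signins(records):
    """Return (user, local time, reasons) for every sign-in worth a second look."""
    flagged = []
    for record in records:
        reasons = reasons_for(record)
        if reasons:
            local = datetime.fromisoformat(record["time"]).astimezone(TEAM_TZ)
            flagged.append((record["user"], local.strftime("%a %H:%M"), reasons))
    return flagged


if __name__ == "__main__":
    for user, when, reasons in flag_signins(SAMPLE_SIGNINS):
        print(f"{user} at {when}: {', '.join(reasons)}")
```

A flagged sign-in is a prompt to ask the person whether it was them, not proof of a breach.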
What to do in the first hour
If you think an account or device is compromised, the goal in the first hour is to contain it, not to investigate everything at once. Speed matters more than a perfect diagnosis.
- Disconnect the affected device from the network, but do not turn it off if ransomware is involved, as that can destroy useful evidence.
- Change the password on the affected account from a different, clean device, and turn on multi-factor authentication.
- Check email for rules or forwarding an attacker may have added to hide their activity.
- Alert your team so nobody acts on a fake message from the compromised account.
- Call your IT partner. This is the moment their monitoring and experience earn their keep.
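For the mailbox-rule check in the steps above, this added example (not from the original article) reviews an export of inbox rules for the two patterns that hide activity: forwarding outside the company, and rules that quietly delete or move mail. The field names, domain and keyword list are hypothetical, and the sample rules are constructed.

```python
# Domains the business owns (assumption for this example).
OWN_DOMAINS = {"example.com"}
# Words a rule might filter on to hide payment or account warnings
# (illustrative list, extend it for your business).
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "security"}

# Constructed sample export of inbox rules, not real data.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters",
     "from": ["news@vendor.example"], "move_to": "Newsletters"},
    {"mailbox": "bob@example.com", "name": ".",
     "keywords": ["Invoice", "payment"], "move_to": "RSS Feeds"},
    {"mailbox": "bob@example.com", "name": "sync",
     "forward_to": ["bob.backup@mailbox.example"]},
    {"mailbox": "carol@example.com", "name": "To assistant",
     "forward_to": ["dana@example.com"]},
]


def audit_rule(rule):
    """Return a list of findings for one rule; an empty list means nothing stood out."""
    findings = []
    external = [addr for addr in rule.get("forward_to", [])
                if addr.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    hides = bool(rule.get("delete") or rule.get("move_to"))
    hits = sorted(SENSITIVE_WORDS & {w.lower() for w in rule.get("keywords", [])})
    if hides and hits:
        findings.append("hides mail mentioning: " + ", ".join(hits))
    if hides and not rule.get("keywords") and not rule.get("from"):
        findings.append("hides all incoming mail")
    return findings


def audit_rules(rules):
    """Map (mailbox, rule name) to findings, keeping only rules that need review."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


if __name__ == "__main__":
    for (mailbox, name), findings in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: {'; '.join(findings)}")
```

Record any rule it flags before removing it, so whoever investigates can see what the attacker set up.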
The mistakes that make it worse
How a business reacts in the first day often matters as much as the breach itself. A few common instincts do real harm.
- Paying a ransom before exploring backups, which funds the attacker and rarely returns everything.
- Wiping or reformatting a machine before anyone can see how the attacker got in, which invites a repeat.
- Staying quiet with staff and clients when the law or basic trust calls for telling them.
- Assuming one changed password fixes it, when attackers often leave a second way back in.
How to lower the odds it happens again
Recovery is the moment to close the door the attacker walked through. Most business breaches trace back to a short list of gaps, and every one of them is fixable.
Multi-factor authentication on every account, business-grade protection on every device, tested backups you can actually restore from, and a little staff awareness training together stop the large majority of attacks. This is the layer we deploy and manage for the businesses we protect, and the same protection is available to you in our store if you want to handle it yourself.
- Require multi-factor authentication on every account, starting with email and banking.
- Run business-grade endpoint protection on every device, managed from one place.
- Automate backups, keep a copy separate, and test a real restore a few times a year.
- Train staff to slow down on anything urgent about money or passwords.
When to bring in help
If client data may have been exposed, if ransomware is involved, or if you simply are not sure the threat is gone, that is the point to bring in a partner. Guessing at a breach is how businesses end up cleaning it up twice.
We help businesses across LA and Orange County contain a problem, understand what happened, and close the gaps so it does not happen again. If you want to know where you stand before anything goes wrong, a free on-site assessment is the place to start.
Close the most common gap: unprotected devices
We deploy Bitdefender GravityZone Business Security for the companies we protect, and it is available to you at 50% off in our store. Buy it yourself, or have us set it up and manage it for you.
Common questions
How do I know if my business has been hacked?
Common signs include emails sent from your account that you did not write, being locked out of an account, new mailbox rules or forwarding you did not set up, machines running slow or showing unknown programs, files that are renamed or will not open, and logins from unusual places or hours. Any one you cannot explain is worth treating seriously.
What should I do first if I have been hacked?
Contain it. Disconnect the affected device from the network, change the account password from a clean device, turn on multi-factor authentication, check email for rules an attacker may have added, warn your team, and call your IT partner. Do not turn off a device hit by ransomware, as that can destroy evidence.
Should I pay a ransomware demand?
Explore your backups first. Paying funds the attacker, marks you as willing to pay again, and rarely returns everything cleanly. A clean, recent, tested backup is what lets you recover without paying. This is exactly why tested backups matter before anything goes wrong.
How can I stop it from happening again?
Most breaches trace to a short list of gaps. Turn on multi-factor authentication everywhere, run business-grade protection on every device, keep tested backups stored separately, and train staff to spot suspicious messages. Together these stop the large majority of attacks.
Can you help after a breach?
Yes. We help businesses across LA and Orange County contain an active problem, work out what happened, and close the gaps that let it in so it does not repeat. If you are unsure whether a threat is fully gone, that is the right time to bring in help.
Want a straight answer about your setup?
Book a free on-site assessment. We walk your locations, tell you what is holding you back, and give you a clear plan and quote.