Nearly half of all small businesses experienced a cyberattack in 2026. Most of them had no written plan for what to do next. If your business is in the other half right now, this guide is your chance to get ahead of it -- before panic makes every decision worse.
The numbers that should worry you
- 49% of small businesses were attacked in 2026 -- up from 28% in 2022
- Average breach cost for a business with fewer than 500 employees: $3.31 million
- Average time without a plan to fully identify and contain a breach: 241 days
- 60% of small businesses hit by a serious attack close within six months
- Businesses with a tested response plan recover 75% faster and spend 60% less on cleanup
The pattern is consistent across hundreds of incidents: organizations that had thought through their response before the attack hit contained the damage quickly and came out the other side. Those that improvised -- calling the wrong people first, shutting down the wrong machines, posting a panicked message to customers before they knew what was compromised -- turned a bad day into a catastrophe.
This guide walks through both: what to do right now if you are in the middle of an incident, and how to build a real plan so you are never improvising again.
The first 60 minutes: containment
Speed in the first hour is not about fixing the problem -- it is about stopping it from spreading. Every minute a compromised machine stays connected to your network is another minute attackers have to move laterally, steal more data, or plant additional tools.
Step 1: Isolate -- do not shut down
Disconnect affected computers from the network immediately: pull the ethernet cable, disable Wi-Fi, and undock laptops. Do not turn the machine off. Powering down wipes the volatile memory (RAM) that holds the running processes, open network connections, and sometimes the attacker's tools or encryption keys that forensic investigators use to identify exactly what the attacker did and how they got in. If the affected system is a virtual machine, suspend it or take a snapshot that includes memory rather than powering it off. The one exception: if you cannot disconnect a machine from the network, powering it off is better than letting it keep spreading. Isolate, and otherwise leave it running.
Step 2: Switch to out-of-band communication
If attackers are inside your network, they may be reading your email and chat, and anything signed in with your company accounts (including the mail app on a company-managed phone) should be treated the same way. Do not discuss the incident over corporate email, Microsoft Teams, or Slack. Switch immediately to personal cell phones or a separate messaging app (iMessage, WhatsApp on personal devices) that does not depend on your company's accounts or network. One group text with your key people is all you need. Agree on this channel before an incident so nobody has to set it up under pressure.
Step 3: Preserve everything you can
Before anyone touches anything else, take photos or screenshots of error messages, ransom notes, and unusual activity on screen, and save the full text of any ransom note: it usually identifies the ransomware family, which your responders need. Note the exact time you first noticed the problem and which systems appear affected. Do not run antivirus cleanups, delete suspicious emails, or wipe and reinstall machines yet; each of those destroys evidence. If your firewall, VPN, or cloud admin audit logs have short retention, ask your IT provider to export them now. This documentation is critical for insurance claims, law enforcement reports, and forensic investigators.
Who to call -- and in what order
One of the most valuable things your incident response plan can contain is a phone list in priority order. Here is the sequence that incident responders recommend:
- Your IT provider or managed IT partner. Once affected machines are isolated, they need to know first -- before anyone restores backups, runs cleanup tools, or wipes a machine. A good MSP can guide your immediate actions remotely and dispatch onsite help fast. If you do not have an IT partner, this gap is exactly why breaches so often turn catastrophic for small businesses.
- Your cyber insurance carrier. Call them before you spend money on recovery. Most cyber insurance policies have an incident hotline that connects you to pre-approved forensic firms and legal counsel at no additional cost. Hiring outside of that network can void reimbursements.
- Your attorney. Legal counsel helps you understand your notification obligations under California law before you say anything publicly. SB 446 (effective January 1, 2026) requires notifying affected California residents no later than 30 calendar days after discovery of the breach -- a lawyer helps you meet that deadline without creating additional liability. Where possible, have counsel engage the forensic firm, which can help keep the investigation's working notes privileged.
- Your bank. If financial systems were accessed, call your bank's fraud line immediately. They can freeze accounts, reverse unauthorized transfers (if caught early enough), and flag your accounts for monitoring.
- Law enforcement. File a report with your local police department and submit a complaint to the FBI's Internet Crime Complaint Center (IC3 at ic3.gov). Law enforcement cannot usually recover your data, but the report creates a paper trail that matters for insurance, legal proceedings, and potential prosecution.
The investigation phase: what actually happened
Once the immediate containment is done, the investigation begins. This is where many small businesses make a second expensive mistake: they clean up and restore from backup without understanding how the attacker got in. Then the attacker gets back in the same way, sometimes within hours.
A forensic investigation answers four questions:
- How did they get in? Phishing email, stolen credentials, unpatched software, exposed remote desktop -- the entry point tells you what to fix before you go back online.
- How long were they inside? The average attacker dwells in a small business network for 181 days before being detected. They may have had time to map your systems, steal data, and plant persistence that survives restoring data onto the same machines: new admin accounts, scheduled tasks, remote-access tools, or backdoored software.
- What did they access or take? This determines your legal notification obligations. If they only encrypted files and no data was exfiltrated, your obligations differ from a scenario where customer records were copied. Most ransomware groups now copy data before encrypting it, so assume exfiltration until forensics shows otherwise.
- What other systems are compromised? Attackers rarely stay in one place. Your forensic investigation should cover all connected systems, not just the machine you first noticed.
Your cyber insurance carrier will typically send or recommend a forensic firm. If you do not have insurance, look for an established DFIR (Digital Forensics and Incident Response) firm whose staff hold recognized forensics credentials (for example, GIAC certifications) and that your attorney, bank, or IT provider can vouch for. CISA does not certify private forensic firms, so treat any such claim with suspicion.
Communicating during a breach: the rules that save you
How you communicate during and after an incident shapes your reputation as much as the attack itself. The businesses that handle this well follow a few clear rules.
Do not speculate publicly
In the first 24 to 48 hours, you do not know what was taken or how. Saying something incorrect -- "no customer data was accessed" -- and then correcting it later damages trust far more than waiting to communicate accurately. Acknowledge that you are investigating an incident without making claims you cannot yet support.
Notify the right people on the right timeline
California's SB 446 (effective January 1, 2026) requires breach notification to affected residents within 30 calendar days of discovery. At minimum, the notification must explain what happened, what information was involved, when the breach occurred, what you are doing about it, and what steps affected individuals can take to protect themselves. Work with your attorney on the exact wording -- form letters that miss required elements can create additional legal exposure.
Keep your team informed separately
Your employees need to know enough to avoid making things worse -- they should not be using compromised systems, should not be discussing the incident on social media, and should know who is the single point of contact for all media and customer inquiries. A short internal briefing from leadership goes a long way toward preventing accidental disclosure or misinformation spreading.
Recovery: getting back online safely
Recovery starts only after investigation confirms the entry point is closed and no attacker tools remain on your systems. Restoring from backup onto a still-compromised network hands the attacker right back in.
A safe recovery sequence looks like this:
- Remediate the entry point first. Patch the vulnerability, rotate compromised credentials, rebuild the affected systems from clean images. Do not restore until this is done.
- Restore from a known-clean backup. Ideally an immutable, offline backup that predates the intrusion. If you are not sure when the intrusion began, forensics will help identify the last clean point. Backups taken while the attacker was inside can contain their tools, so scan restored data before reconnecting it to anything.
- Reset all credentials across your organization. Even if only one account was compromised, you cannot be certain the attacker did not harvest other credentials while inside. Start with privileged accounts (domain admins, cloud global admins, and in Active Directory the KRBTGT account, reset twice), then require password resets for all staff and rotate any API keys or service account passwords. Changing a password does not end sessions that are already signed in, so also revoke active sessions and app tokens in Microsoft 365 or Google Workspace and re-enroll multi-factor authentication for any account the attacker touched.
- Bring systems back online in stages. Start with your most critical systems, test them in isolation, and add others gradually. Monitoring logs carefully during the first 72 hours back online catches re-entry attempts early.
- Debrief and document. Once you are stable, document every step taken, every timeline entry, and every decision made. This record is required for cyber insurance reimbursement and is invaluable for strengthening your defenses going forward.
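The "monitor carefully for the first 72 hours" step above is where most small businesses have nothing but a raw log to stare at. The following is an added example, not code from this page or from EDCON, of the two checks a responder would run over sign-in records during that window: a burst of failed logins followed by a success from the same source, and any successful login from an address the account never used before the incident. The log format, the sample entries, and the per-account baseline of known IPs are all constructed for illustration; a real baseline comes from logs that predate the earliest sign of compromise.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in records for illustration; not taken from the page or any
# real system. Assumed line format:
#   <UTC timestamp> <account> <source IP> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2026-03-02T08:01:10Z alice 203.0.113.10 SUCCESS
2026-03-02T08:03:42Z bob 203.0.113.11 SUCCESS
2026-03-02T09:15:00Z alice 203.0.113.10 FAIL
2026-03-02T09:15:20Z alice 203.0.113.10 SUCCESS
2026-03-02T22:14:01Z bob 198.51.100.7 FAIL
2026-03-02T22:14:09Z bob 198.51.100.7 FAIL
2026-03-02T22:14:18Z bob 198.51.100.7 FAIL
2026-03-02T22:14:25Z bob 198.51.100.7 FAIL
2026-03-02T22:14:33Z bob 198.51.100.7 FAIL
2026-03-02T22:15:02Z bob 198.51.100.7 SUCCESS
2026-03-03T03:00:00Z svc-backup 192.0.2.55 SUCCESS
"""

# Baseline of source IPs each account used before the intrusion (constructed).
# Build the real one from logs that predate the earliest sign of compromise.
BASELINE_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.11"},
    "svc-backup": {"203.0.113.20"},
}

FAIL_THRESHOLD = 5                    # this many failures ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this window count as a burst


def parse_line(line):
    ts, account, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result


def analyze(log_text, baseline):
    """Return (finding, account, ip, timestamp) tuples in log order."""
    findings = []
    recent_fails = defaultdict(deque)   # (account, ip) -> timestamps of recent failures
    in_burst = set()                    # keys currently over the failure threshold
    for raw in log_text.strip().splitlines():
        ts, account, ip, result = parse_line(raw)
        key = (account, ip)
        if result == "FAIL":
            window = recent_fails[key]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in in_burst:
                in_burst.add(key)
                findings.append(("FAILURE_BURST", account, ip, ts))
            continue
        # A success that follows a burst from the same source looks like a
        # guessed or sprayed password that finally worked.
        if key in in_burst:
            findings.append(("SUCCESS_AFTER_BURST", account, ip, ts))
            in_burst.discard(key)
        recent_fails.pop(key, None)     # a success ends the failure window
        # Any success from an address the account never used before the
        # incident deserves a phone call, even at a normal hour.
        if ip not in baseline.get(account, set()):
            findings.append(("NEW_SOURCE_IP", account, ip, ts))
    return findings


if __name__ == "__main__":
    for kind, account, ip, ts in analyze(SAMPLE_LOG, BASELINE_IPS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<20} {account:<12} {ip}")
```

Run on the sample, the script flags bob's account twice (the failure burst and the success that followed it from an unknown address) and the 3 a.m. service-account login from an address it had never used. Alice's single mistyped password from her usual address produces nothing, which is the point: the checks are tuned to what re-entry actually looks like rather than to every failed login.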
Building your incident response plan before it happens
A plan you write during an incident is not a plan -- it is improvisation with extra steps. The businesses that come through attacks quickly are the ones that built the plan during a calm afternoon in the office.
Your incident response plan does not need to be a 50-page document. A two-page checklist with the following elements is enough to make a real difference:
- Roles and responsibilities. Name the person responsible for leading the response, the person handling technical investigation, and the person managing all communications. Three people with clear jobs move faster than a crowd of confused ones.
- Contact list with 24/7 numbers. IT provider, cyber insurance hotline, attorney, bank fraud line, and a backup for each. Printed on paper and stored somewhere accessible without a computer.
- Asset inventory. A list of every device, server, and cloud account your business uses. You cannot isolate what you cannot identify.
- Backup verification record. When your last backup was taken, where it lives, and when it was last tested. If you have never actually tried to restore from your backup, you do not know if it works.
- Decision thresholds. What counts as an incident that triggers this plan? A suspicious email is different from encrypted files. Define the line so people do not have to decide on the fly.
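The backup verification item in the checklist above says that an untested backup is an unknown. As an added example (not code from this page or from EDCON), the script below shows what "tested" means in practice: hash every file when the backup is taken, restore into a scratch location, and compare. The demo builds a small constructed backup set, simulates a restore that silently lost one file and truncated another, and produces the verification record the checklist asks you to keep. The manifest layout and file names are assumptions for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Added example; the manifest format (relative path -> SHA-256) and the sample
# files are constructed for illustration, not taken from the page.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Hash every file in the backup set at backup time. Keep the manifest
    somewhere the backup job cannot overwrite it (offline copy or print-out)."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a test restore against the manifest. A missing file or a
    different hash means the backup cannot be trusted for that file."""
    missing, mismatched, ok = [], [], 0
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            mismatched.append(rel)
        else:
            ok += 1
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_in_manifest": len(manifest),
        "ok": ok,
        "missing": missing,
        "mismatched": mismatched,
        "passed": not missing and not mismatched,
    }


def demo() -> dict:
    """Constructed backup set, a restore that silently went wrong, and the
    verification record that catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "invoices.csv").write_text("id,amount\n1,100\n")
        (backup / "docs" / "roster.txt").write_text("alice\nbob\n")
        (backup / "config.json").write_text('{"mfa": true}\n')
        manifest = build_manifest(backup)

        restored = Path(tmp) / "restore-test"
        shutil.copytree(backup, restored)
        # Simulate a bad restore: one file truncated, one file never written.
        (restored / "docs" / "invoices.csv").write_text("id,amount\n")
        (restored / "docs" / "roster.txt").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record it prints (timestamp, file counts, and the exact files that failed) is what belongs in the backup verification line of your plan. A restore that "completed without errors" but fails this comparison is the scenario the checklist warns about, and it is far cheaper to discover on a calm afternoon than during recovery.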
The math on prevention versus recovery is stark. Building a solid security posture and incident response capability costs $5,000 to $15,000 per year for most small businesses. A single incident without that preparation averages over $500,000 in losses -- not counting the reputational damage, customer churn, and regulatory penalties that follow.
How EDCON supports your incident response readiness
EDCON works with small businesses and childcare centers across Southern California to build the kind of security foundation that shrinks both the chance of an attack and the damage when one happens. That work starts long before anything goes wrong.
We begin with a security assessment that maps every device, account, and entry point on your network -- the same information an attacker would spend weeks gathering. From there we prioritize the gaps that create the most risk: unpatched systems, accounts without multi-factor authentication, backups that have never been verified, and remote access configurations that make your business an easy target.
For clients on our managed IT plans, we provide 24/7 monitoring that catches unusual activity -- failed logins, lateral movement, unexpected data transfers -- before it becomes a full breach. When our monitoring flags something, we investigate and contain it before most business owners would even notice something is wrong. That monitoring advantage is one of the most tangible differences between businesses that get through an attack in days versus months.
We also help clients build and document their incident response plans -- not as a compliance checkbox, but as a working document their team has actually practiced. For childcare centers specifically, we address the layered requirements that apply to organizations holding children's data: California CCPA obligations, notification timelines, and the documentation requirements that cyber insurance underwriters increasingly expect to see before issuing or renewing policies.
If you are reading this guide because you are currently in the middle of an incident and do not have a managed IT partner, call us directly. EDCON provides emergency incident response support, and we will prioritize getting your systems stabilized first before we talk about anything else.
Frequently asked questions
What should I do first when I discover my small business has been hacked?
Isolate affected systems immediately -- disconnect compromised computers from the network by unplugging the ethernet cable or disabling Wi-Fi, but do not shut them down. Shutting down destroys forensic evidence in memory. Then call your IT provider and switch all internal communications to a channel outside your corporate infrastructure, such as personal cell phones or a separate messaging app.
Do I have to notify customers if my business is hacked?
Yes, in most cases. California's breach notification law applies when an unauthorized person acquires personal information about California residents, which the statute defines as a name combined with data such as a Social Security number, driver's license number, financial account number, or medical information. SB 446 (effective January 1, 2026) requires notifying affected residents within 30 calendar days of discovering the breach. If more than 500 California residents are notified for a single breach, a sample copy of the notice must also go to the state Attorney General within 15 calendar days after the consumer notifications go out. Failing to notify on time carries significant penalties on top of the cost of the breach itself.
How long does it take for a small business to recover from a cyberattack?
Recovery time varies widely. Businesses without a documented incident response plan average weeks to months of disruption. Businesses that have a tested plan in place recover roughly 75 percent faster and spend about 60 percent less on remediation. On average, organizations without a plan take 241 days to fully identify and contain a breach. Having a plan -- and having practiced it -- is the single biggest factor in how fast you get back to normal.
Should I pay the ransom if ransomware locks my files?
Most cybersecurity experts and law enforcement agencies advise against paying the ransom. Payment does not guarantee file recovery -- about 40 percent of businesses that pay never fully recover their data. Payment also marks you as a target willing to pay, increasing the likelihood of a repeat attack. Paying a group on a U.S. sanctions list can itself be illegal, and most cyber insurance policies require the carrier's consent before any payment, so involve counsel and your insurer before anyone talks to the attackers. The better path is having clean, tested, offline backups that let you restore without negotiating with criminals.
Does my small business need a written incident response plan?
Yes. An incident response plan does not need to be long -- a two-page document with clear roles, contact numbers, and a decision checklist is far better than nothing. Businesses with a written and tested plan save an average of $473,706 compared to those without one. For businesses subject to California's CCPA cybersecurity audit requirements, a documented plan is increasingly expected by auditors and cyber insurance underwriters.
Ready to build your incident response plan?
EDCON helps small businesses and childcare centers in Southern California get the security foundation and documented response plan they need -- before they ever need to use it. If you are currently dealing with an active incident, call us now. If you want to prepare before something happens, let's start with a free consultation.
Book a Free Consultation