What should you do if your business is hacked?

Statistically speaking, being hacked is more an issue of ‘when’ and not ‘if’, with a small business being successfully hacked every 19 seconds in the UK.1 If you find yourself on the receiving end of a hack or data breach, it can be easy to panic. Don’t let the situation become more problematic by delaying action. Be prepared and it will be much easier to navigate.

By implementing some (if not all) of the below actions, you can lessen the impact to your business and ensure you are following the letter of the law.

Step 1: Recognise the problem and take action

If you think you have been hacked and can see there is a problem, then act – even if you don’t know exactly what’s wrong. Notify your in-house IT team or external provider, and come up with a plan of action. This may involve a total lock-down where all systems are turned off until you get a handle on what has happened.2 The faster you act, the better chance you have to protect your business and your customers’ data.

Assuming you have a contingency plan it’s time to implement it! A data hack or theft of data can put you out of business for weeks or months until your network is secure again. Ensure you minimise damage with existing clients, and find an alternative way to keep business turning over.

Finally keep staff informed, especially those who deal directly with customers. Although a business data breach may not harm all of your systems, the reputational damage caused by fallout from a breach could be more harmful. Staying on top of communications internally and externally is critical.

Step 2: Data breach notification

Under the laws brought in with the General Data Protection Regulations (GDPR) in May 2018, all organisations have a duty to report certain personal data breaches to the relevant supervisory authority. And you must do this within 72 hours of becoming aware of the breach, where feasible.3

Breaches only need to be reported if it is likely to result in a risk to the rights and freedoms of individuals.2 You’ll be expected to provide thorough information, clearly stating a data breach has occurred, when it occurred, and what kind of information was compromised/stolen. You’ll also need to inform them what steps you are taking to remedy the breach and provide updates when you learn more as the incident progresses.

Be sure to comply with your industry’s regulating bodies. Businesses operating in certain industries, such as financial services or healthcare, may have additional notification requirements, so be sure you are aware of what these are. Contact your local police as well to report the crime. And you must also keep a record of any personal data breaches, regardless of whether you are required to notify.

Step 3: Make a data breach claim

If you have a cyber insurance policy in place, then be sure to contact your broker. You will need to start the claims process as soon as possible. If you don’t already have one in place, then it is highly recommended that you consider it. The right cover can help avoid a major loss in income and potential reputational damage. All of which can be insured against.

Step 4: Investigate your hack

Following a hacking incident you will most likely need to bring in a cybersecurity expert. They will test your network to find out what kind of attack occurred and in which part of your network. You may want to have a cybersecurity firm check for weaknesses in general on a semi regular basis to minimise the likelihood of any future attacks.

Step 5: Protect against cyber attacks in the future

Education is one of the best prevention measures for cyber attacks. Raise awareness and make your employees aware of the danger of phishing scams, encouraging staff to be more vigilant when responding to suspicious emails: we’ve got a handy test for that here. And educate your employees. Front-line staff are your last wall of defence when it comes to phishing scams. Conduct training sessions for your employees with mock scenarios to help them identify phishing emails for example.



1. https://www.hiscoxgroup.com/news/press-releases/2018/18-10-18
2. https://www.principal.co.uk/resources/articles/what-to-do-if-your-business-is-hacked
3. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/