
Cybersecurity for Business

Jun 2, 2025 | 4 Min Read

Your Business Has Been Hacked: How to Minimize the Damage

If your small business has been hacked, you need to act fast. Here are some key things to know to fight back, stay open, and build resilience in the event of a cyberattack.

Hackers haunt the dreams of many a small business owner – most small businesses say that they could not stay open if hit by a major cyberattack. Less than one in four say that they are very prepared. Unlike large corporations, small operations typically lack dedicated security teams (or even a single employee dedicated to cybersecurity) or advanced threat detection tools. All these factors make them tempting targets for criminals. 

However, being the victim of a cyberattack doesn't mean you have to close up shop. Focus on becoming cyber resilient – this is how you both build strong defenses and make it easier to bounce back when you're targeted. Taking a few steps ASAP will help minimize the damage and help your business recover. 

Here are five essential best practices to follow after a cyberattack on your small business. Please note that this list isn't exhaustive, and every incident is unique – but understanding these best practices will help your company build resilience.

1. Identify what's happening 

The first step after discovering suspicious activity is to determine the nature of the attack. You can't solve problems you can't identify. Are you getting locked down by ransomware? Did an employee fall for a phishing scam and give out an important password? Was malware installed on your system? Did hackers steal sensitive customer data or simply deface your website? 

Understanding the type and scope of the breach helps you: 

  • Determine entry points 

  • Assess the data and systems that are compromised 

  • Prevent more damage 

A good place to start is by reviewing recent email activity, login logs, and any abnormal network behavior, as common cybercrimes often involve phishing or credential theft.   
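As a starting point for that login-log review, here is an added example (not part of the original article) that flags two credential-theft patterns: a successful login right after a run of failures from the same address, and a successful login from an address that failed against several other accounts. The CSV layout, thresholds, and function name are assumptions; adapt them to whatever your mail or identity provider exports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (timestamp,user,source_ip,result); not real data.
SAMPLE_LOG = """\
2025-06-01T02:14:07,alice,203.0.113.7,FAIL
2025-06-01T02:14:09,alice,203.0.113.7,FAIL
2025-06-01T02:14:12,alice,203.0.113.7,FAIL
2025-06-01T02:14:15,alice,203.0.113.7,SUCCESS
2025-06-01T08:01:44,bob,198.51.100.20,FAIL
2025-06-01T08:01:59,bob,198.51.100.20,SUCCESS
2025-06-01T03:30:00,carol,192.0.2.55,FAIL
2025-06-01T03:30:02,dave,192.0.2.55,FAIL
2025-06-01T03:30:04,erin,192.0.2.55,FAIL
2025-06-01T03:30:06,bob,192.0.2.55,SUCCESS
"""

def triage_logins(log_text, fail_threshold=3, spray_threshold=3):
    """Return (reason, user, ip, timestamp) tuples worth investigating first."""
    rows = sorted((r for r in csv.reader(io.StringIO(log_text)) if r),
                  key=lambda r: r[0])      # ISO timestamps sort as text
    streak = defaultdict(int)              # (user, ip) -> failures since last success
    failed_users = defaultdict(set)        # ip -> accounts it failed against
    successes, findings = [], []
    for ts, user, ip, result in rows:
        if result == "FAIL":
            streak[(user, ip)] += 1
            failed_users[ip].add(user)
        elif result == "SUCCESS":
            # A success that ends a long failure run suggests a guessed password.
            if streak[(user, ip)] >= fail_threshold:
                findings.append(("guessed-password", user, ip, ts))
            streak[(user, ip)] = 0
            successes.append((ts, user, ip))
    for ts, user, ip in successes:
        # Same address failed on several *other* accounts: likely stolen or sprayed credentials.
        if len(failed_users[ip] - {user}) >= spray_threshold:
            findings.append(("spray-then-login", user, ip, ts))
    return findings

if __name__ == "__main__":
    for finding in triage_logins(SAMPLE_LOG):
        print(finding)
```

The accounts and addresses it returns are the first candidates for the password resets, account suspensions, and IP blocks described in the containment step.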

Alert your cybersecurity providers and IT teams immediately so they can begin their investigation. Activate your incident response plan and team. Open a line of communication (sometimes called a “bridge”) through a conference call so the incident response team is constantly connected as the investigation develops.   

2. Contain the threat

Once the breach is identified, your priority shifts to containing the threat. You must work to stop further damage. Some common tactics include:

  • Reset all passwords, especially admin accounts

  • Disconnect affected devices or servers from the internet

  • Block malicious IP addresses

  • Suspend compromised user accounts

  • Implement temporary firewalls or geo-blocking

  • Switch to backup systems that are unaffected by the attack if possible

If the attack is widespread, you may need to take your systems completely offline until they can be safely restored. This is also often true when facing a ransomware attack. Remember, every minute counts when containing a breach.

3. Notify customers and partners 

Transparency matters to help others stay safe online. And if personal data was exposed, you may be legally obligated to notify the affected people. You might be worried about your reputation, but the damage will be worse if hackers can attack not just you but your customers and business partners. Check with your legal and security teams, but you should start thinking about notifications quickly: 

  • Check state and federal laws for reporting timelines 

  • Draft a clear, honest message explaining what happened, what data was lost, the steps you're taking, and how the letter's recipients can protect themselves   

Consider offering support, such as credit monitoring, fraud alert guidance, or a dedicated customer service line. Keeping people informed builds trust, while hiding a breach makes the damage worse – just ask Oracle or Uber.

4. Investigate and report 

Pretty soon after containing a breach, you need to investigate. Bring in cybersecurity professionals to conduct a full investigation. A digital forensics team will: 

  • Identify how the attacker got in 

  • Determine the extent of the breach 

  • Potentially identify the attackers responsible for the breach 

  • Close vulnerabilities 

Depending on the hack, you may need to send reports to: 

  • Law enforcement like the FBI

  • Industry regulators, especially if you handle health, financial, or student data 

  • Your cyber insurance provider 


5. Rebuild your defenses 

After recovery, take this moment to rebuild and upgrade your security posture to make future attacks harder. Now is the time to focus on becoming cyber resilient.

Update your security by: 

  • Rebuilding infected devices from clean backups  

  • Enabling multifactor authentication (MFA) and requiring employees to use it 

  • Applying software and firmware updates as soon as they're available 

  • Encrypting sensitive data  

Create (or update) an incident response plan for your company. This plan should include: 

  • An inventory of IT systems 

  • A plan for isolating future threats

  • Communication and messaging templates for employees, customers, and the media 

  • Steps to restore operations and secure backups 

An incident response plan is also useful for documenting lessons learned, identifying gaps, and creating a remediation plan. Also, schedule future incident response testing or tabletop exercises, and test both backup restoration and your backup systems.

Build your culture of resilience 

Cyberattacks are stressful, scary, and aggravating, but they don't have to destroy your business. Understanding what to do when criminals come knocking can help you reduce the damage and bounce back faster. And if you're now focusing on becoming cyber resilient, you can even strengthen your defenses starting today.  

Take the next step to educate yourself: sign up for our newsletter covering a wide range of security topics, and consider our CyberSecure My Business program, which we specifically designed for small businesses.
