What Happens if I Suffer a Cyberattack or Data Breach?

You’ve just realised something is wrong. A staff member calls and says they cannot open files. Another says Outlook is “acting weird”. Then you see it: a ransom note on a shared drive, or a message from Microsoft 365 about a suspicious sign-in. In that moment, the only thing that matters is knowing exactly what happens if I suffer a cyberattack or data breach, and what to do next.
This is a practical, step-by-step walk-through, written like the day it actually happens.
Step 1: Pause, confirm, and contain (first 10–30 minutes)
You suffered a breach. It might look like ransomware encrypting files, a compromised email account sending invoices, or a server behaving strangely. The instinct is to start clicking around to “fix” it. Don’t.
Your first job is containment.
Start by isolating what looks affected:
- Disconnect the impacted device from Wi-Fi or unplug the network cable.
- If it’s a server or shared storage, restrict access immediately.
- If it’s an email breach, disable the suspected user account and force a sign-out.
This stops the spread while you work out what you are dealing with. The faster you contain, the smaller the blast radius.
Step 2: Escalate internally and assign roles (within the first hour)
Now you treat it like a business incident, not an IT problem.
You alert your internal lead (GM, COO, IT Manager), and you nominate one person to coordinate. Not five people making changes at once.
You also start a simple incident log:
- What time did it start?
- What systems are affected?
- Who noticed it first?
- What actions have been taken?
This becomes crucial later for insurance, legal, and reporting.
Step 3: Preserve evidence before “fixing” everything (first 1–2 hours)
Here’s where many businesses accidentally make things worse.
If you wipe machines, delete emails, or restore backups too early, you can lose evidence you need to understand:
- How the attacker got in
- What they accessed
- Whether data was exfiltrated
- Whether they still have a foothold
Preserving logs, alerts, and impacted endpoints (even just snapshots) helps with forensic investigation and reduces the chance of a second incident.
Step 4: Triage the impact, systems, and data exposure (same day)
This is where the story becomes clearer.
You work through a triage checklist:
- Is this ransomware, account compromise, or unauthorised access?
- What systems are affected: endpoints, servers, Microsoft 365, cloud apps?
- Is there any evidence of data being copied out?
- Are backups intact and recent?
This step determines whether it’s a recoverable disruption or a notifiable breach.
What happens if I suffer a cyberattack or data breach (the practical next steps)
Once you’ve contained and triaged, you shift into structured response. This is the point where businesses either recover cleanly or drift into days of confusion.
Here is the step-by-step sequence that works in real life.
Step 5: Lock down access across the environment (same day)
You reset passwords where needed, enforce multi-factor authentication, remove suspicious sessions, and check admin accounts. You also review mailbox rules and forwarding, which attackers often use to stay hidden.
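Reviewing mailbox rules and forwarding by hand across every mailbox is slow, so a practitioner usually exports the rules and scans them. The following is an added example, not code from the original post or from Affinity MSP, of that scan. It assumes records shaped after what the Exchange Online cmdlets Get-InboxRule (Name, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder) and Get-Mailbox (ForwardingSmtpAddress) return; the organisation’s domain list, the folder list and every sample record are constructed for the example.

```python
"""Review exported inbox rules and mailbox forwarding for attacker persistence
(added example; not code from the original post or Affinity MSP).

Input is assumed to be JSON-like records shaped after the Exchange Online cmdlets
Get-InboxRule (Name, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage,
MoveToFolder) and Get-Mailbox (ForwardingSmtpAddress). ORG_DOMAINS, the folder
list and all sample records below are constructed for the example.
"""
from dataclasses import dataclass, field

ORG_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
# Folders people rarely look in; a rule that files mail there can hide a conversation.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "conversation history", "archive"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list[str] = field(default_factory=list)


def _external(addresses) -> list[str]:
    """Return addresses whose domain is not one of ours ('smtp:' prefix tolerated)."""
    out = []
    for addr in addresses or []:
        clean = addr.split(":", 1)[-1].strip()
        domain = clean.rsplit("@", 1)[-1].lower() if "@" in clean else ""
        if domain not in ORG_DOMAINS:
            out.append(clean)
    return out


def review_rules(rules: list[dict]) -> list[Finding]:
    """Flag rules that leak, delete or hide mail, or that carry a throwaway name."""
    findings = []
    for r in rules:
        reasons = []
        targets = (r.get("ForwardTo") or []) + (r.get("RedirectTo") or []) \
                  + (r.get("ForwardAsAttachmentTo") or [])
        ext = _external(targets)
        if ext:
            reasons.append("sends mail outside the organisation: " + ", ".join(ext))
        if r.get("DeleteMessage"):
            reasons.append("deletes matching messages")
        folder = (r.get("MoveToFolder") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail to '{r['MoveToFolder']}'")
        name = (r.get("Name") or "").strip()
        if len(name) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            findings.append(Finding(r["Mailbox"], name, reasons))
    return findings


def review_mailboxes(mailboxes: list[dict]) -> list[Finding]:
    """Flag mailbox-level forwarding that points outside the organisation."""
    findings = []
    for m in mailboxes:
        ext = _external([m["ForwardingSmtpAddress"]] if m.get("ForwardingSmtpAddress") else [])
        if ext:
            findings.append(Finding(m["Identity"], "<mailbox forwarding>",
                                    ["ForwardingSmtpAddress is external: " + ext[0]]))
    return findings


# Constructed sample export: one rule hides and leaks mail, one is benign, one only hides.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": ".", "ForwardTo": ["drop@mail-drop.example.net"],
     "DeleteMessage": True, "MoveToFolder": None},
    {"Mailbox": "alice@example.com", "Name": "Invoices to finance",
     "ForwardTo": ["finance@example.com"], "DeleteMessage": False, "MoveToFolder": None},
    {"Mailbox": "bob@example.com", "Name": "Tidy up", "MoveToFolder": "RSS Subscriptions",
     "DeleteMessage": False},
]
SAMPLE_MAILBOXES = [
    {"Identity": "alice@example.com", "ForwardingSmtpAddress": "smtp:drop@mail-drop.example.net"},
    {"Identity": "bob@example.com", "ForwardingSmtpAddress": None},
]


def run_review() -> list[Finding]:
    return review_rules(SAMPLE_RULES) + review_mailboxes(SAMPLE_MAILBOXES)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.mailbox}  rule={f.rule!r}")
        for reason in f.reasons:
            print("   -", reason)
```

Each finding lists every reason it was raised, so the person doing the lock-down can decide quickly whether to disable the rule, clear the forwarding address, or treat the mailbox as compromised and move on to resetting the account and revoking its sessions. Keep the findings in the incident log: they are evidence of what the attacker set up, not just cleanup items.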
Step 6: Eradicate the cause, not just the symptoms (same day to next day)
This is where patching, removing persistence, closing exposed ports, and cleaning up endpoints actually matters. If you only restore files without removing the entry point, the attacker often returns.
Step 7: Recover in the right order (next 1–3 days)
Recovery is not “turn everything back on”.
You restore the most critical systems first, validate them, then bring services online in stages. Good backups are essential, but tested recovery is what saves you. Affinity MSP’s approach aligns with business continuity planning, not just file restoration. (If you want a deeper dive, the ACSC also outlines support available during incidents.)
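“Restore the most critical systems first, validate them, then bring services online in stages” can be turned into a schedule from a dependency map. The following is an added example (not the post’s or Affinity MSP’s tooling) that groups systems into recovery waves and refuses to start anything downstream of a system that fails validation. The systems, their dependencies and the validation outcome are constructed for the example.

```python
"""Plan and gate recovery waves from a system dependency map (added example; not
the post's or Affinity MSP's tooling). The systems, dependencies and the
validation outcome below are constructed.

Each system lists what must already be back before it can be restored and
validated. Systems are grouped into waves (a layered topological sort): wave N
holds everything whose prerequisites all came back in earlier waves. A wave is
released only when every system in it passes validation; if one fails, nothing
that depends on it is started.
"""
from typing import Callable


def plan_waves(deps: dict[str, set[str]]) -> list[list[str]]:
    """Group systems into restore waves; raise on unknown or circular dependencies."""
    for system, needs in deps.items():
        unknown = needs - set(deps)
        if unknown:
            raise ValueError(f"{system} depends on unlisted system(s): {sorted(unknown)}")
    waves, done, remaining = [], set(), set(deps)
    while remaining:
        ready = sorted(s for s in remaining if deps[s] <= done)
        if not ready:
            raise ValueError(f"circular dependency among: {sorted(remaining)}")
        waves.append(ready)
        done |= set(ready)
        remaining -= set(ready)
    return waves


def run_recovery(waves: list[list[str]], validate: Callable[[str], bool]) -> dict:
    """Restore wave by wave; stop at the first wave with a failed validation."""
    restored, failed, not_started = [], [], []
    for i, wave in enumerate(waves):
        for system in wave:
            # The actual restore step (restore from backup, power on, etc.) goes here.
            if validate(system):
                restored.append(system)
            else:
                failed.append(system)
        if failed:
            # Downstream systems stay down until the failed ones are fixed and re-validated.
            not_started = [s for later in waves[i + 1:] for s in later]
            break
    return {"restored": restored, "failed": failed, "not_started": not_started}


# Constructed environment: identity and backups first, then network services,
# then data stores and file shares, then the applications built on them.
SAMPLE_DEPS = {
    "AD/identity": set(),
    "backup-server": set(),
    "DNS/DHCP": {"AD/identity"},
    "file-server": {"AD/identity", "DNS/DHCP"},
    "ERP-db": {"AD/identity", "DNS/DHCP"},
    "ERP-app": {"ERP-db"},
    "intranet": {"AD/identity", "file-server"},
}


def sample_validation(system: str) -> bool:
    """Constructed outcome: the ERP database restore fails its integrity check."""
    return system != "ERP-db"


def demo() -> dict:
    waves = plan_waves(SAMPLE_DEPS)
    result = run_recovery(waves, sample_validation)
    return {"waves": waves, **result}


if __name__ == "__main__":
    out = demo()
    for n, wave in enumerate(out["waves"], 1):
        print(f"wave {n}: {', '.join(wave)}")
    print("restored:   ", out["restored"])
    print("failed:     ", out["failed"])
    print("not started:", out["not_started"])
```

In the constructed run, the ERP database fails validation in wave 3, so the ERP application and the intranet are never started even though the file server in the same wave came back cleanly. The validation callback is where the real checks belong (service responds, data integrity verified, no sign of the original entry point), which is the difference between having backups and having a tested recovery.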
Step 8: Communicate clearly, early, and appropriately (same day onward)
You decide what staff need to know now, what customers need to know, and who handles external communication. This reduces panic internally and protects trust externally.
If personal information may be involved, you also consider reporting obligations (Australia and New Zealand have specific privacy requirements). This is why your incident log and evidence matter.
Step 9: Improve controls so it does not happen again (after recovery)
This is the part many businesses skip, then get hit again.
You review gaps and implement practical controls, often based on proven frameworks like the Essential 8. You also update your incident response plan, train staff, and tighten monitoring so the next suspicious event is caught earlier.
The real takeaway
If you remember one thing, it’s this: the answer to “what happens if I suffer a cyberattack or data breach?” is largely determined by what you do in the first hour.
Contain quickly. Preserve evidence. Triage properly. Recover in a controlled order. Then harden the environment so the same path cannot be used again.