Calm Breach

Guide · 8 min read · Updated 28 June 2026

Your small business just got hacked. Here’s exactly what to do.

If you’re reading this with your heart pounding because something on your business’s systems looks very wrong — a strange email went out in your name, files are locked, money moved that you didn’t authorise, or a customer just told you their data is floating around — take a breath. You are going to get through this, and the next hour matters more than the last one. This guide is written for non-technical owners of Indian small businesses and agencies. No jargon, no fear-mongering, just the order of operations.

First, the one-minute version

In the first hour, your job is to contain, preserve, and notify — in that order:

  • Contain: stop the bleeding. Disconnect affected devices, change passwords on the accounts that matter, and freeze any payment flow that looks compromised.
  • Preserve: don’t delete anything yet. Screenshots, emails, and logs are evidence — for your bank, your insurer, and the police.
  • Notify: tell the people who must know — your bank if money is involved, your team, and the customers whose data was affected. Honest and early beats slow and defensive.

If money has already moved, do not wait. Call 1930 (India’s cyber-fraud helpline) and file a report at cybercrime.gov.in immediately — the first few hours give the best chance of freezing a fraudulent transfer.

Step 1: Figure out what kind of incident this is

Most small-business incidents fall into four buckets. Knowing which one you’re in changes what you do next.

Phishing / business email compromise

Someone tricked you or a staff member into clicking a link or sharing a password, or a vendor’s email was spoofed and a fake invoice went out. The risk is that an attacker now has access to an inbox and is quietly redirecting payments. Action: reset the password and sign out all sessions on the affected email account, turn on two-factor authentication, and check the account’s forwarding rules and filters — attackers often add a hidden rule to forward or delete your emails.

Ransomware

Your files are encrypted and there’s a note demanding payment. Action: disconnect the affected machine from the network and Wi-Fi immediately so it can’t spread, but don’t switch it off if you can avoid it (memory can hold useful evidence). Do not pay before getting advice — paying is no guarantee, may be a legal grey area, and marks you as a future target. Check whether you have clean backups.

A leaked or stolen database

Customer data — names, phone numbers, emails, maybe more — is exposed or being sold. Action: find and close the hole (an open server, a leaked API key, a shared spreadsheet), then work out exactly whose data and which fields were affected. This is the incident most likely to trigger notification duties under India’s DPDP Act.

A hacked account or website

Your social media, payment gateway, hosting, or admin account is in someone else’s hands. Action: use the provider’s account-recovery flow, reset the password from a device you trust, enable two-factor authentication, and revoke any connected apps or API tokens.

Step 2: Contain it without making things worse

The instinct to “clean everything up” is exactly what you should resist for the first hour. Containment is about cutting off the attacker’s access, not erasing the scene. Change passwords on the genuinely important accounts first — email, banking, your payment gateway, your domain registrar — and use a different, strong password for each. Turn on two-factor authentication everywhere it’s offered. If a specific computer is involved, get it off the network. If you use a hosting provider or an IT person, this is the moment to call them with a clear, specific ask rather than a panicked “help”.

Step 3: Preserve the evidence

Before you delete the scary email or wipe the machine, capture it. Take screenshots of ransom notes, suspicious emails (including the full headers if you can), unfamiliar logins, and any transaction you didn’t make. Note times and dates. Keep the original emails. This evidence is what your bank needs to dispute a fraudulent payment, what your insurer needs to process a claim, and what the police need for an FIR. A tidy timeline of “what happened and when” is worth its weight in gold later.

Step 4: Notify the right people, in the right order

  • Your bank and payment provider, immediately, if any money or payment credential is involved.
  • Your team, so nobody clicks the same link or wires the same fake invoice.
  • Affected customers, honestly and promptly — this is where most small businesses get it wrong by going silent. A clear, calm message that says what happened, what was affected, what you’re doing, and what they should do (for example, reset a password or watch for suspicious messages) protects trust far better than silence.
  • The authorities: report cyber fraud at cybercrime.gov.in or call 1930; serious incidents may also need to be reported to CERT-In, India’s national cyber agency, and a personal-data breach may carry obligations under the DPDP Act.

Step 5: Write the paperwork you’ll be asked for

When the dust settles, two documents make the difference between “they handled it” and “they panicked”: a customer notification that’s honest without being alarming, and a one-page “what we did” report you can hand to a worried client or attach to an insurance claim. Clients rarely leave because something went wrong; they leave because the response felt chaotic. A short, professional report that lays out the timeline, the actions you took, and the current status often saves the account.

What not to do

  • Don’t pay a ransom on impulse. Get advice and check your backups first.
  • Don’t go silent with customers. Silence reads as a cover-up.
  • Don’t delete evidence in a rush to feel clean.
  • Don’t reuse the compromised password anywhere else.

How Calm Breach helps

This is exactly what we built Calm Breach for. You tell it what happened in plain words; it asks a few calm questions, then generates a checklist tailored to your specific incident, ready-to-send notification emails for customers and staff, and that one-page report for clients and insurers — in minutes, without a security retainer. Your first playbook is free.
