If Compromised...

NEX Level - Issue #4

Locks keep out only the honest.

That old proverb is as true online as it is in the physical world.

You can have strong passwords, updated firewalls, and multi-factor authentication — but one misstep, one overlooked configuration, or one employee clicking a bad link can open the door to a cyber incident.

So what happens after someone gets in?

A client once told us they didn’t realize they’d been compromised until a vendor called asking why payments hadn’t come through. On the surface, everything looked fine — their systems were online, emails were flowing, and no one noticed anything suspicious. It turned out an attacker had quietly infiltrated their network, forwarding invoices and rerouting payments for weeks.

That’s how cyber incidents really unfold: no alarms, no flashing lights, just small, almost invisible clues.

If you think your business might be compromised, this guide will show you how to recognize the signs, take action immediately, and recover with confidence.

Issue #4: In case of compromise...

Statistically, at some point a cybercriminal will compromise your business and/or home network. It doesn't take much - a misconfigured firewall or a well-intentioned employee inadvertently clicking a malicious link. How will you know you've been compromised? What will you do to remove the threat, plug the hole, and get back to business? This month, we walk you through it.

Signs you've been hacked

Unlike a break-in at your office, cyber incidents rarely leave broken locks or missing equipment. The signs are often subtle—hidden in performance issues, strange messages, or quiet data movement in the background. Spotting these clues early can make the difference between a small incident and a full-blown breach.

Here’s what to watch for:

  1. Unusual System or Network Activity (which means you need to know what normal activity looks like).

    • Computers suddenly slow down, crash, or behave unpredictably.

    • Unknown devices appear on your network or Wi-Fi list.

    • Systems attempt to contact unfamiliar external addresses.

  2. Unexpected Software or System Changes

    • New user accounts appear without explanation.

    • Security settings, firewalls, or antivirus tools are disabled.

    • Files are renamed, encrypted, or missing altogether.

  3. Unexplained Data Access or Transfers

    • Sensitive files are accessed outside of normal business hours.

    • Unusual volumes of data move to USB drives or cloud storage.

    • You receive alerts about data downloads or logins from unfamiliar locations.

  4. Alerts from Security Tools or Third Parties

    • Your antivirus, EDR, or email gateway reports repeated detections or blocked threats.

    • A partner or customer contacts you about strange emails or suspicious behavior coming from your domain.

    • External monitoring tools or regulators notify you of possible exposure.

  5. Human Clues

    • Employees mention receiving strange password reset links or requests that “don’t feel right.”

    • Someone reports being locked out of their account for no apparent reason.

    • You notice spoofed emails or fake invoices sent from legitimate company addresses.

If any of these red flags appear, don’t panic - but don’t delay. Early action is critical. The next section (“Steps to take (NOW!) if you suspect a compromise”) walks you through exactly what to do to contain damage, preserve evidence, and get your business back on stable ground.
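Most of the signs above can be spotted mechanically once you have a baseline of what “normal” looks like. The script below is an added example written for this issue, not a CyberNEX tool or product code: it reads a small authentication/system log and flags logins outside business hours, logins from outside the office networks, newly created accounts, stopped security services, and unusually large transfers, then counts how many signs cluster on each account. The log format, the baseline values (business hours, office networks, transfer limit, service names) and every sample line are constructed for the demo.

```python
"""Run the 'signs you've been hacked' checklist over a small log.

Added example, not from the newsletter: the log format, the baseline
values and every sample line are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# The baseline of "normal" that sign 1 says you need before anything
# else can be spotted. All values are assumed for this example.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
OFFICE_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("10.20.0.0/16")]
TRANSFER_LIMIT_BYTES = 500 * 1024 * 1024   # one event moving >500 MB is unusual here
SECURITY_SERVICES = {"edr-agent", "windows-defender", "host-firewall"}

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-03T09:12:04 event=login user=alice src=192.0.2.15 result=success
2024-05-03T02:41:19 event=login user=bob src=198.51.100.42 result=success
2024-05-03T02:43:02 event=user_created user=svc_backup2 by=bob
2024-05-03T02:44:30 event=service_stopped user=bob service=edr-agent
2024-05-03T03:10:55 event=transfer user=bob dest=cloud bytes=734003200
2024-05-03T10:05:00 event=login user=carol src=10.20.4.9 result=failure
2024-05-03T10:05:30 event=login user=carol src=10.20.4.9 result=success
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    sign: str      # which checklist sign the record matches
    detail: str


def parse_line(line: str) -> dict:
    """'2024-05-03T09:12:04 k=v k=v' -> dict, with 'ts' as a datetime."""
    stamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(stamp)
    return record


def is_office_ip(addr: str) -> bool:
    """True if the address falls inside one of the known office networks."""
    ip = ip_address(addr)
    return any(ip in net for net in OFFICE_NETWORKS)


def check_record(r: dict) -> list:
    """Apply the checklist rules to one record; a record can match several."""
    found = []
    stamp, user, event = r["ts"].isoformat(), r.get("user", "?"), r.get("event")
    if event == "login" and r.get("result") == "success":
        if not BUSINESS_HOURS[0] <= r["ts"].time() <= BUSINESS_HOURS[1]:
            found.append(Finding(stamp, user, "access outside business hours",
                                 f"login at {r['ts'].time()}"))
        if not is_office_ip(r["src"]):
            found.append(Finding(stamp, user, "login from unfamiliar location",
                                 f"src={r['src']}"))
    elif event == "user_created":
        found.append(Finding(stamp, user, "new account without explanation",
                             f"created by {r.get('by')}"))
    elif event == "service_stopped" and r.get("service") in SECURITY_SERVICES:
        found.append(Finding(stamp, user, "security tool disabled",
                             f"service={r['service']}"))
    elif event == "transfer" and int(r.get("bytes", 0)) > TRANSFER_LIMIT_BYTES:
        found.append(Finding(stamp, user, "unusual data volume moved",
                             f"{int(r['bytes']) // 2**20} MB to {r.get('dest')}"))
    return found


def analyze(log_text: str) -> list:
    """Return every Finding in the log, in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(check_record(parse_line(line)))
    return findings


def findings_per_user(findings: list) -> dict:
    """Count findings by user: several signs on one account is the real signal."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp}  {f.user:<12} {f.sign:<32} {f.detail}")
    print("per user:", findings_per_user(results))
```

Run against the sample, the single login by alice during office hours produces nothing, while bob accumulates four separate signs within an hour (off-hours login from an unknown address, a new account, a stopped EDR agent, and a 700 MB upload). No one rule is conclusive on its own; the per-user count is what turns scattered clues into something worth escalating.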

Steps to take (NOW!) if you suspect a compromise

When you suspect a cyber incident, time and discipline matter most. Acting too slowly - or too hastily - can make recovery harder. Follow these first-response actions to contain damage and preserve evidence.

  1. Isolate Affected Systems: Stop the spread before it gets worse.

    • Disconnect compromised devices from the network (wired and wireless).

    • Disable shared drives or cloud sync tools connected to those systems.

    • If malicious activity is ongoing, power down the device, but only after you’ve captured any visible clues (like suspicious processes or messages).

  2. Preserve Evidence: You’ll need proof to understand what happened and meet potential legal or insurance requirements.

    • Do not delete or alter any files, even suspicious ones.

    • Take photos or screenshots of any unusual messages, error pop-ups, or login attempts.

    • Record timestamps, usernames, and any notable changes in system behavior.

    • Keep all notes organized and factual; this will be critical for investigators later.

  3. Notify Key Stakeholders: Get the right people involved - quickly and securely.

    • Contact your IT provider, MSP, or security partner immediately.

    • Notify company leadership so they can make operational and communication decisions.

    • Use a trusted communication method not tied to your network (e.g., phone call, Signal, or in-person).

    • If client or partner data may be involved, inform them promptly and transparently.

  4. Secure Accounts: Contain potential credential abuse.

    • Change passwords for all affected accounts - especially admin, email, and cloud services.

    • Implement multi-factor authentication (MFA) if not already enabled.

    • Review recent logins for unusual activity and disable suspicious accounts.

  5. Assess Impact: Before fixing, understand what’s broken.

    • Identify which systems, files, or data were accessed or altered.

    • Determine if the incident is contained or still active.

    • Keep a list of what’s known, what’s uncertain, and what needs immediate investigation.

  6. Engage Professionals: Even if you have in-house IT, consider contacting an incident response (IR) firm or Managed Security Service Provider (MSSP). They can:

    • Forensically analyze affected systems

    • Identify the attack vector

    • Remove hidden persistence mechanisms

    • Guide recovery without destroying key evidence

  7. Communicate Carefully: Once you have initial facts, decide what needs to be shared… and how.

    • Be transparent with employees and partners, but avoid speculation.

    • Prepare consistent messaging for customers if their data could be impacted.

    • Document every communication to ensure accuracy and accountability.

Bottom Line

Your first few hours after discovering a breach set the tone for everything that follows. Move quickly but methodically - contain, preserve, communicate, and bring in help. Every action should serve one purpose: limit damage while keeping your options open for investigation and recovery.

People & Processes

Even the best technology can’t fix a confused response. Clear roles, defined communication, and disciplined follow-through turn chaos into coordination. This section focuses on how your people and procedures should work together during and after a cyber incident - so you can manage disruption, make smart decisions, and come out stronger on the other side.

  • Bring in Expert Help: If you don’t have an in-house IT or security team, contact your Managed Service Provider (MSP) or a Managed Security Service Provider (MSSP) immediately. They have the tools and experience to contain the threat, identify the root cause, and start the recovery process. The faster you involve professionals, the less time attackers have to do damage.

  • Get Everyone on the Same Page: Notify your leadership, IT staff, and anyone else directly impacted using a communication channel not connected to the potentially compromised network (e.g., Signal, phone calls, or in-person). Clearly assign roles:

    • Who is containing the threat?

    • Who is talking to employees and customers?

    • Who is contacting law enforcement or regulators (if required)?

  • Assess the Situation: With your IT or MSSP partner, determine:

    • Which systems are affected

    • What kind of data may have been accessed

    • Whether the attack is ongoing or contained

    Keep detailed notes. They’ll be critical later for insurance, law enforcement, or compliance reports.

  • Communicate with Transparency: If customer or partner data might be impacted, don’t hide it. Communicate early, clearly, and calmly. Let them know what happened, what you’re doing about it, and how you’ll help protect them. Honest communication can preserve trust even during a tough event.

  • Review and Improve: After recovery, hold a short debrief (often called a post-incident review) with everyone involved. Ask:

    • What worked well in our response?

    • What slowed us down?

    • What can we do to prevent this next time?

    Update your policies, passwords, and training based on what you learn.

Technology & Tools

Your tools are only as effective as your ability to use them in a crisis. This section covers the technical side of response - how to collect evidence, identify the attack path, remove threats, and restore systems safely. It’s not about buying more software; it’s about using what you already have to investigate, recover, and harden your defenses for next time.

  • Collect and Analyze Data: Before wiping or restoring anything, gather evidence. Your IT or MSSP team should pull:

    • Security logs

    • Network traffic data

    • Snapshots of affected systems

    This helps determine how the attacker got in and what they accessed.

  • Identify and Close the Entry Point: Common ways attackers get in include phishing emails, weak passwords, unpatched systems, or compromised accounts. Once you identify the cause, fix it before restoring systems—otherwise, the attacker might just come back.

  • Eradicate the Threat: Remove any malware or unauthorized access. This could mean resetting accounts, reimaging machines, or reinstalling clean software. Be thorough—partial cleanup often leads to repeat compromises.

  • Patch, Update, and Harden: Apply any pending updates, patches, or firmware upgrades. Strengthen your defenses:

    • Enable multi-factor authentication (MFA)

    • Review firewall and VPN configurations

    • Limit admin accounts to those who truly need them

  • Restore Systems Safely: Only restore from known clean backups—not from backups that might include the infection. Verify data integrity before reconnecting to your production network.

  • Strengthen Ongoing Monitoring: If you don’t already have it, consider investing in Endpoint Detection & Response (EDR) software or a Security Information and Event Management (SIEM) tool. These continuously monitor for suspicious activity and alert you to potential threats before they become major incidents.
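The “Collect and Analyze Data” and “Restore Systems Safely” points above come down to the same mechanic: record exactly what you collected, then prove later that nothing has changed. The script below is an added example written for this issue, not a CyberNEX tool: it hashes every file in an evidence folder into a manifest stamped with the collection time and collector name, then checks a restored copy against that manifest and reports which files were modified, are missing, or appeared unexpectedly. The directory layout, file contents and collector name are constructed for the demo.

```python
"""Integrity manifest for collected evidence and restored backups.

Added example, not from the newsletter: the folder layout, file
contents and collector name below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large disk images or pcaps do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, collector: str) -> dict:
    """Record the hash of every file under root, plus who collected it and when."""
    files = {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "root": str(root),
        "files": files,
    }


def write_manifest(manifest: dict, dest: Path) -> str:
    """Write the manifest and return its own hash for the case notes."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    dest.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify(root: Path, manifest: dict) -> dict:
    """Compare a directory against the manifest before trusting or reconnecting it."""
    current = build_manifest(root, "verifier")["files"]
    expected = manifest["files"]
    return {
        "ok": sorted(k for k in expected if current.get(k) == expected[k]),
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in current),
        "unexpected": sorted(k for k in current if k not in expected),
    }


def demo() -> dict:
    """Build a manifest, then simulate a restore where the contents drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        (evidence / "logs").mkdir(parents=True)
        (evidence / "logs" / "auth.log").write_text("2024-05-03 login bob (constructed)\n")
        (evidence / "config.ini").write_text("mfa=enabled\n")
        (evidence / "notes.txt").write_text("ticket IR-0001 (constructed)\n")

        manifest = build_manifest(evidence, "J. Analyst (constructed)")
        write_manifest(manifest, Path(tmp) / "manifest.json")

        # Simulate a restore that should NOT be trusted: one file changed,
        # one missing, one that was never collected.
        (evidence / "config.ini").write_text("mfa=disabled\n")
        (evidence / "notes.txt").unlink()
        (evidence / "unknown.bin").write_bytes(b"constructed junk")
        return verify(evidence, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest and its hash somewhere the compromised systems cannot reach (a printed copy in the case file is fine). Anything in the “modified”, “missing” or “unexpected” lists means the restore is not clean and should stay off the production network until the difference is explained.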

In the event of a suspected compromise, acting swiftly and methodically is crucial. By following the steps outlined in our newsletter, you can effectively manage and mitigate the impact of a cyber incident. Being proactive and prepared is the best defense against future attacks.

Additional Resources

Want to dig deeper or prepare your team with trusted guidance? These handpicked resources will help your business strengthen its cybersecurity readiness and response. They focus on incident response - how to prepare for, detect, and recover from cyberattacks or system compromises.

  • CISA Incident Response Resources

    CISA’s free Incident Response Training helps organizations prepare for and manage cyber incidents through awareness webinars and hands-on technical labs. It’s especially valuable for small businesses that lack dedicated security teams, offering cost-free, practical education to strengthen response and recovery skills. By improving readiness and credibility, it helps protect operations, data, and customer trust.

    Why it’s useful: Gives small businesses free, practical training to prepare for, respond to, and recover from cyber incidents—helping protect their operations and reputation.

  • SANS Incident Handler's Handbook

    Presents a structured six-phase model for managing security incidents: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. It offers actionable guidance, checklists, and templates that IT staff or security teams can adopt or adapt to formalize their incident response (IR) playbooks. The document is aimed at helping all organizations build the foundation of an IR process, ensuring consistent handling, minimizing damage, and continuously improving from past events.

    Why it’s useful: Includes templates and checklists to help organizations plan, execute, and standardize their cyber-incident processes.

  • CMMC Decoded Series: Incident Response

    Primes don’t expect contractors to prevent every cyberattack - they expect contractors to be prepared and professional when incidents occur. This article highlights common failures like plans that sit on the shelf, unclear roles, poor communication, and lack of evidence or testing. A robust, practiced IR capability becomes a credibility asset - turning chaos into confidence and protecting your contracts, reputation, and operations.

    Why it’s useful: It translates CMMC’s IR requirements into practical business value, especially when combined with the Reference Sheet.

Cocktail & Song Pairing

Every issue, we wind down with a curated cocktail and song — something to sip, something to vibe to, and maybe a little something to reflect on. This month’s pairing is a toast to preparedness… may you always be ready when challenges arise, quick to respond when threats appear, and confident that your planning will turn chaos into calm.

Cocktail

Conflict & Compromise

  • 1 1/2 ounces blanco tequila

  • 3/4 ounce Midori

  • 3/4 ounce fresh lime juice

  • 1/2 ounce agave nectar

  • 2 slices jalapeño pepper

  • 7 cilantro leaves

  • Garnish: cilantro

Add the tequila, Midori, lime juice, agave nectar, jalapeño pepper and cilantro leaves into a shaker with ice and shake until well-chilled. Double-strain into a rocks glass over crushed ice. Garnish with a sprig

Song

‘Somebody's Watching Me’ by Rockwell

“I always feel like somebody's watchin' me; and I have no privacy (oh oh oh)...

I always feel like somebody's watchin' me; tell me is it just a dream?”

Until NEX Time…

Thanks for joining us on this month’s journey to the NEX Level. We hope it left you a little smarter, a little sharper, and maybe even a little inspired to take action.

If you’re hungry for more:

Check out our latest insights: quick reads, deep dives, and practical tips.

Discover the CyberNEX experience: see how we help teams like yours stay secure, compliant, and ahead of the game.

Until next time — stay curious, stay resilient, and keep leveling up.