Encrypted files. Employees who can no longer log in. A ransom message on your screen. If your company has been hacked, the first hours count. Not next week, not tomorrow. Now.
In 2025, an average Belgian company faced some 1,288 cyber attacks per week, up 14% from the previous year. Almost half of Flemish companies fell victim to a cyber attack in 2024. And with NIS2 legislation in place since October 2024, you risk fines of up to 10 million euros if you don’t respond correctly and in a timely manner.
This roadmap will help you take back control. No technical jargon, just concrete actions you can take today.
1. Alert your IT manager or cybersecurity partner
The first thing you do when your company is hacked: call your IT manager. Do you have an outside cybersecurity partner? Engage them immediately. Every hour you wait gives attackers more time to penetrate deeper into your systems.
Modern attacks work at lightning speed. Whereas hackers used to take days to do damage, today, with automated tools, it takes a few hours or even minutes. The purpose of this first step is triage: determining exactly what is going on, the extent of the damage and whether the attack is still active.
Specifically:
- Call your IT team or external partner. No email, no Teams message, call.
- Report any suspicion, even if you are not 100 percent sure. Better a false alarm than a missed attack.
- Preferably use your cell phone or a private phone, not the corporate network. Attackers can listen in on your internal communications.
Don’t have an established cybersecurity partner? Cyberplan offers a 24/7 emergency line for companies that are currently hacked. One phone call, and you have an expert on the line right away.
2. Isolate affected systems (but do not shut them down)
Once it is clear which systems are affected, isolate them from the network. Pull out the network cable or disable the Wi-Fi connection. This will prevent the attack from spreading further to other computers, servers or sites.
But, and this is crucial: do not turn off the computers. Malware leaves traces in your computer’s working memory (RAM). Those traces are essential for forensic investigation afterwards. Once you shut down a computer, those traces are gone forever.
Specifically:
- Unplug the network cable from the affected computers and servers.
- Turn off Wi-Fi on affected devices.
- Leave the power supply intact.
- Switch to alternative communications: private cell phones, a WhatsApp group outside the corporate network.
3. Assemble a crisis team
A cyberattack is not just an IT problem. It affects your entire business: legal, financial, operational and communications. Therefore, immediately establish a core team that is authorized to make decisions.
Who is on that crisis team?
- Yourself (or another board member) as the person ultimately responsible.
- The IT person responsible for the technical overview.
- Your DPO (Data Protection Officer) or privacy officer, as you may need to notify the Data Protection Authority (GBA) in the event of a data breach.
- A legal advisor, especially when contracts with customers or suppliers are touched.
- Your external cybersecurity partner for forensic expertise.
Under the NIS2 legislation, management bears explicit responsibility for cybersecurity risk management. This is not something you can delegate entirely to your IT team.
4. Document everything in an incident log
From the moment you discover the attack, keep a log. Record times, actions taken, people involved and technical findings. This log is not a formality. It is your most important tool for three things:
- Reporting to the authorities (CCB and possibly GBA).
- Your cyber insurance, which will require a detailed overview.
- The recovery process, so your IT team knows exactly what steps have already been taken.
Have your IT team or outside partner collect forensic evidence: log files, system changes, suspicious connections. The sooner this is done, the more likely it is that the cause of the attack will be found.
Important: Do not pay a ransom without professional advice. Payment does not guarantee data recovery and may encourage further extortion.
5. Comply with your legal reporting requirements
This is where things get tense for many companies. Since the NIS2 Act came into force on Oct. 18, 2024, there are strict notification requirements for companies covered by the Act. And the scope has expanded significantly: from 7 to 18 sectors.
Does your company fall under NIS2 (more than 50 employees or more than 10 million euros turnover in a covered sector)? Then you must report significant incidents to the Centre for Cybersecurity Belgium (CCB):
| Notification | Deadline | What you are reporting |
|---|---|---|
| Early warning | Within 24 hours | Signaling of the incident |
| Incident Report | Within 72 hours | Impact analysis and initial findings |
| Final Report | Within 1 month | Cause analysis and remedial measures |
In addition, under the GDPR, there is a separate duty to notify the Data Protection Authority (GBA) if personal data has been leaked. That notification, too, must be made within 72 hours.
Reports are made through the Safeonweb@Work platform. Your cybersecurity partner can help you translate the technical findings into the reports expected by regulators.
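One way to keep the incident log from step 4 and derive the reporting deadlines from the table in step 5, as an added example that is not part of the original article. The names `IncidentLog`, `nis2_deadlines` and `add_month` and the sample entry are constructed for illustration, and counting all three deadlines from the moment of detection is an assumption.

```python
import calendar
import hashlib
import json
from datetime import datetime, timedelta, timezone

def add_month(ts):
    """Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))

def nis2_deadlines(detected_at):
    """Deadlines from the article's table. Assumption: all three are counted
    from the moment of detection; confirm the exact starting point with the CCB."""
    return {"early_warning": detected_at + timedelta(hours=24),
            "incident_report": detected_at + timedelta(hours=72),
            "final_report": add_month(detected_at)}

class IncidentLog:
    """Append-only log: each entry stores the previous entry's hash, so edits break the chain."""
    def __init__(self):
        self.entries = []

    def add(self, when, who, action, finding=""):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"time": when.isoformat(), "who": who, "action": action,
                 "finding": finding, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True

if __name__ == "__main__":  # constructed sample data, not from a real incident
    t0 = datetime(2025, 1, 31, 9, 15, tzinfo=timezone.utc)
    log = IncidentLog()
    log.add(t0, "IT manager", "Ransom note found; network cable unplugged, power left on")
    print(log.verify(), nis2_deadlines(t0))
```

Sending the latest entry hash to your external partner at intervals fixes the state of the log at that moment, so a later rewrite of the whole file would also be detectable.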
6. Restore your systems step by step
After containment, the actual recovery begins. This is not a matter of restoring everything from backup and continuing to work. Recovery requires a methodical approach.
The correct order:
- First, remove all malware and close the vulnerabilities through which the attackers got in.
- Check the integrity of your backups before restoring them. Attackers are increasingly infecting backup systems as well.
- Restore the most critical systems first: email, billing, production.
- Reset all passwords and activate two-factor authentication (2FA) on all remote connections.
Only when all vulnerabilities are closed and 2FA is active on all access points should the system be considered restored. Going back online too soon with the same vulnerabilities is an invitation for the next attack.
7. Evaluate and strengthen your security for the future
The last step is perhaps the most important: learn from the incident. What went wrong? How did the attackers get in? What security measures were missing?
Under NIS2, this evaluation is not an optional exercise, but part of your duty of care. You must develop an action plan for improvements and actually implement them.
Typical areas of improvement we see in Flemish companies after an incident:
- Lack of network segmentation (which caused the attack to spread rapidly).
- No or outdated backup strategy.
- Employees who did not recognize phishing emails.
- No incident response plan, so precious hours were lost.
- Insufficient access control and no 2FA on remote connections.
A thorough post-incident cybersecurity audit will identify all these weaknesses and give you a concrete roadmap to address them.
Frequently asked questions about a hacked company
Should I always report a cyber attack to the government?
If your company falls under the NIS2 legislation, you are required to report significant incidents to the CCB within 24 hours. In addition, under the GDPR, there is a duty to report to the GBA if personal data has been leaked. In doubt? Report too much rather than too little.
Do I have to pay the ransom in a ransomware attack?
Experts strongly advise against it. Payment offers no guarantee that you will get your data back and encourages criminals to target you again. Engage a cybersecurity specialist first to review your options.
How quickly can my company be operational again after a hack?
It depends on the extent of the attack and your preparation. Companies with a tested incident response plan and reliable backups are often back up and running within days. Without preparation, recovery can take weeks.
Does my SME fall under the NIS2 notification requirement?
In principle, NIS2 applies to organizations with at least 50 employees or more than 10 million euros in turnover operating in one of the 18 covered sectors. But smaller companies in the supply chain of NIS2 entities may also have indirect obligations. Use Safeonweb’s scoping test to check.
Does my cyber insurance cover damage from a hack?
This varies greatly by policy. Many policies cover forensics and business interruption, but impose conditions such as demonstrable security measures and timely notification. Check your policy now, not after an incident.
How do I prevent my company from being hacked again?
By investing structurally in security: regular pen tests, network segmentation, phishing training for employees and a tested incident response plan. An annual cybersecurity audit gives you insight into where your organization stands and what improvements should be prioritized.
Hacked and need help? Cyberplan is standing by
A cyber attack is stressful, but you don’t have to solve it alone. Cyberplan helps Flemish businesses every step of the way: from initial isolation to forensics, from NIS2 notification to structurally strengthening your security.
With a team of more than 20 certified ethical hackers (OSCP, CISSP, CEH, CISM) and a 24/7 emergency line, you are never alone when things go wrong.
And the good news? Through the VLAIO SME Portfolio, you as a small business get up to 45% back on your investment in cybersecurity advice. So you pay for expertise without straining your budget.
Want to prepare before it comes to this? Book a no-obligation consultation and find out how a cybersecurity audit protects your organization.