What Actually Happens When a Small Business Gets Hacked

Most people picture hacking as something from a film. A hooded figure in a dark room, lines of green code scrolling down a screen, a dramatic countdown clock. The reality is considerably less dramatic and, in some ways, more unsettling for that.

Real cyber attacks on small businesses tend to be quiet, methodical, and frequently discovered by accident. A staff member notices files have odd names. An email comes back as undeliverable from an account nobody sent anything from. The accounting system just stops working. That’s often how it starts.

Understanding what actually happens during a cyber attack, not the Hollywood version but the real one, is one of the most useful things a business owner can do. Because when you know what to look for, you stand a much better chance of catching it early.

The vast majority of successful cyber attacks on small businesses don’t start with a dramatic breach. They start with something mundane. A member of staff clicking a link in a convincing email. A password reused across a personal and work account. A piece of software that hasn’t been updated in six months with a known security gap in it.

Attackers aren’t usually specifically targeting your business. Most of the time, you’re caught in a wide net of automated tools scanning the internet for common vulnerabilities, which are just easy entry points. Think of it less like a burglar casing your premises and more like someone going down a street rattling door handles to see which ones are unlocked.

Once inside, an attacker doesn’t usually announce themselves. They look around. They find out what systems you use, where your data is stored, whether your backups are connected to your main network. They’re patient. And in many cases, they’ve been quietly active in a business’s systems for weeks before anything visible happens.

The two most common types of attack affecting small and medium businesses in the UK right now are ransomware and business email compromise. They’re very different in how they work, but both can cause serious damage.

Ransomware is where software gets installed on your systems, usually through a malicious email attachment or a compromised website and then systematically encrypts your files. You can’t open them. You can’t access your accounting software, your customer records, your documents. A message appears demanding payment for the key to unlock them. Modern ransomware variants are smart enough to find and encrypt backup systems too, which is why so many businesses find themselves genuinely stuck.

Business email compromise is subtler. An attacker gains access to a genuine email account, usually yours or a senior colleague’s, and sits in the background reading your correspondence. Then, at the right moment, they send emails pretending to be you. Changing supplier bank details, requesting urgent transfers, diverting payments. By the time anyone realises, the money is gone.

Both of these are happening to small businesses across the UK every week. Not just to large corporations with complex systems. To the kind of business where one or two people run the whole IT situation and the budget for cybersecurity has historically been “whatever the antivirus subscription costs.”

Discovery is usually jarring precisely because things seem normal right up until they don’t. One minute everything is fine. The next, someone can’t log in, files won’t open, or a supplier calls to say they’ve received a suspicious payment request from your email address.

The first instinct for most business owners is to try to fix it immediately. Reboot the server. Reinstall from backup. Change all the passwords. This instinct, understandable as it is, can make things significantly worse. Rebooting can spread malware further. Restoring from a backup that’s itself been compromised just restores the problem. Changing passwords without a plan can alert an attacker that they’ve been spotted, causing them to accelerate whatever they were planning.

The right response in those first minutes is actually to slow down. Disconnect the affected systems from the network to stop anything spreading. Don’t try to fix it yourself. Call your IT support, not email, call. Document what you’re seeing, even taking photos of error messages on screen with your phone. The decisions made in the first hour have a disproportionate effect on how the whole incident plays out.

The surprising thing about these incidents is that the technical side is frequently the easiest part to sort out. Yes, it takes time and it costs money. But it’s fixable.

What takes longer to repair is everything else.

Your customers and suppliers need to know what happened. Depending on what data was involved, you may have legal obligations to notify the Information Commissioner’s Office within 72 hours of becoming aware of a breach. Your insurance company needs to be contacted quickly. Your staff are rattled and need leadership and clear information.

And your reputation, which you’ve spent years building, is suddenly in a fragile position. Not because you did anything wrong, necessarily. But because people feel differently about business. They know you have had a cyber incident, and managing that requires careful, honest communication.

The businesses that come through cyber incidents well are almost never the ones who had perfect security before it happened. They’re the ones who had a plan, stayed calm, and made methodical decisions under pressure.

Having worked with small and medium businesses on cyber security for the better part of 25 years, the pattern of what happens during an incident is remarkably consistent regardless of size, sector, or type of attack.

The businesses that struggle most are those who had never thought about what they would actually do. Who to call. Which systems to disconnect. Who has authority to make decisions in a crisis. What they need to tell their customers. The technical details vary. The leadership challenge doesn’t.

The businesses that manage best have usually done a bit of thinking in advance. Not necessarily complex, expensive preparation. Sometimes just a conversation. A checklist on the wall. A number to call. A simple plan that someone actually knows about.

You don’t need to become a cybersecurity expert to protect your business. But a few basic things make a genuine difference: understanding what your most important business assets are, knowing who you’d call if something went wrong, and making sure your backups are not stored on the same network as your main systems.

None of this requires a large budget or a technical degree. It requires thinking about the question before the crisis, rather than during it. We cover exactly what to do — step by step — in our guide to the first hour of a cyber incident.

• NCSC small business guidance
• ICO breach notification
• The Cyber Security Gap Most Small Businesses Don’t Know They Have
• What to Do in the First Hour of a Cyber Attack