How Do I Know If My Business Has Been Hacked?

By Prairie Shields Technology, February 1, 2026

The uncomfortable truth is that most businesses don’t find out they’ve been hacked from their own security tools. They find out from a customer complaint, a bank notification, or — in the worst case — a ransom note on their screen. The average time to detect a breach globally is over 200 days. For small businesses without dedicated security monitoring, it’s often longer.

Knowing the warning signs can be the difference between a contained incident and a full-blown crisis.

Early Warning Signs of a Breach

Unusual Login Activity

If you notice logins from unfamiliar locations, at unusual times, or from devices your employees don’t use, that’s a red flag. Pay particular attention to:

  • Failed login attempts in large volumes — this suggests a brute-force attack
  • Successful logins from foreign IP addresses — especially countries where you don’t operate
  • Logins outside business hours — particularly on admin or privileged accounts
  • Multiple simultaneous sessions for a single user account

Most business email platforms (Microsoft 365, Google Workspace) provide sign-in logs. Review them regularly.
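As a starting point for that review, the sketch below checks exported sign-in records for the four patterns listed above. It is an added example, not part of the original article or any vendor's tooling; the record layout, thresholds, account names and sample events are all constructed, and timestamps are assumed to be in your local time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for this sketch; tune them to your own business.
EXPECTED_COUNTRIES = {"CA"}
ADMIN_ACCOUNTS = {"admin@example.com"}
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59
FAILED_THRESHOLD = 10                  # failures per account ...
WINDOW = timedelta(minutes=10)         # ... inside this window
OVERLAP = timedelta(minutes=30)        # two IPs this close = parallel sessions

def triage(events):
    """Return sorted (user, finding) pairs for the four warning signs."""
    findings, failures, successes = set(), defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda item: item["time"]):
        user, t = e["user"], e["time"]
        if not e["success"]:
            # Keep only failures that are still inside the sliding window.
            failures[user] = [x for x in failures[user] if t - x <= WINDOW] + [t]
            if len(failures[user]) >= FAILED_THRESHOLD:
                findings.add((user, "high volume of failed logins"))
            continue
        if e["country"] not in EXPECTED_COUNTRIES:
            findings.add((user, "login from unexpected country " + e["country"]))
        if user in ADMIN_ACCOUNTS and t.hour not in BUSINESS_HOURS:
            findings.add((user, "privileged login outside business hours"))
        # Sign-in logs rarely record session end, so approximate simultaneous
        # sessions as successes from different IPs close together in time.
        if any(ip != e["ip"] and t - ts <= OVERLAP for ts, ip in successes[user]):
            findings.add((user, "simultaneous sessions from different IPs"))
        successes[user].append((t, e["ip"]))
    return sorted(findings)

def ev(time, user, ip, country, success):
    """Build one constructed sign-in record."""
    return {"time": datetime.fromisoformat(time), "user": user, "ip": ip,
            "country": country, "success": success}

# Constructed sample records (documentation IP ranges, made-up accounts).
SAMPLE = [ev(f"2026-01-12T09:00:{s:02d}", "pat@example.com", "203.0.113.9", "CA", False)
          for s in range(12)] + [
    ev("2026-01-12T10:15:00", "lee@example.com", "192.0.2.10", "CA", True),
    ev("2026-01-12T10:20:00", "lee@example.com", "198.51.100.7", "NL", True),
    ev("2026-01-13T02:40:00", "admin@example.com", "192.0.2.10", "CA", True),
    ev("2026-01-13T11:00:00", "sam@example.com", "192.0.2.44", "CA", True),
]

if __name__ == "__main__":
    for user, finding in triage(SAMPLE):
        print(f"{user}: {finding}")
```

Each finding is a prompt to ask the account owner, not proof of compromise: travel, VPNs and mobile networks all produce the same patterns.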

Unexplained System Slowdowns

Not every slow computer is a sign of a hack, but sudden, persistent performance issues across multiple machines can indicate malicious activity. Malware often runs background processes — mining cryptocurrency, exfiltrating data, or scanning your network — that consume CPU, memory, and bandwidth.

If your systems are suddenly sluggish and restarting doesn’t help, investigate before assuming it’s a hardware issue.

Unexpected Software or Processes

Check for software that nobody installed. Attackers frequently deploy remote access tools, keyloggers, and network scanners after gaining initial access. These tools may appear as:

  • Unknown entries in your startup programs
  • Services running with generic or randomized names
  • New browser extensions that nobody added
  • Scheduled tasks that weren’t created by your IT team

Email Anomalies

Email is the most common entry point for attacks and often the first place where evidence of a breach appears:

  • Sent emails you didn’t write — Attackers use compromised accounts to send phishing emails to your contacts and clients
  • Missing emails — Attackers set up inbox rules to auto-delete or forward specific messages
  • Bounce-back notifications for messages you never sent
  • Password reset emails you didn’t request

Check your email forwarding rules and inbox filters. Attackers commonly set up rules to forward copies of all incoming mail to an external address.
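One way to run that check across every mailbox at once is to export the inbox rules and flag any that forward outside your own domains or silently delete mail. This is an added example, not from the original article; the export field names (`forward_to`, `delete`, `conditions`), the domain list and the sample rules are assumptions and constructed data, so map them to whatever your mail platform's export actually produces.

```python
# Assumed for this sketch: your own mail domains and the export field names.
INTERNAL_DOMAINS = {"example.com"}

def is_external(address):
    """True when the address's domain is not exactly one of ours."""
    return address.rsplit("@", 1)[-1].strip().lower() not in INTERNAL_DOMAINS

def audit_rules(rules):
    """Return (mailbox, rule name, reason) for forwarding and delete rules."""
    findings = []
    for rule in rules:
        # A rule with no conditions applies to every incoming message.
        scope = "specific messages" if rule.get("conditions") else "all incoming mail"
        external = sorted(a for a in rule.get("forward_to", []) if is_external(a))
        if external:
            findings.append((rule["mailbox"], rule["name"],
                             f"forwards {scope} to external: {', '.join(external)}"))
        if rule.get("delete"):
            findings.append((rule["mailbox"], rule["name"], f"auto-deletes {scope}"))
    return findings

# Constructed sample export; mailboxes, rule names and addresses are made up.
SAMPLE_RULES = [
    {"mailbox": "lee@example.com", "name": "Newsletters",
     "conditions": {"from": "news@example.org"}, "move_to": "Reading"},
    {"mailbox": "lee@example.com", "name": ".",
     "conditions": {}, "forward_to": ["archive@example.net"]},
    # Lookalike domain: starts with ours but is registered elsewhere.
    {"mailbox": "pat@example.com", "name": "Sync",
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "forward_to": ["accounts@example.com.example.net"], "delete": True},
    {"mailbox": "sam@example.com", "name": "To assistant",
     "conditions": {}, "forward_to": ["Jo@Example.com"]},
]

if __name__ == "__main__":
    for mailbox, name, reason in audit_rules(SAMPLE_RULES):
        print(f"{mailbox} [{name!r}]: {reason}")
```

Matching the domain exactly, rather than checking whether the address merely contains your domain name, is what catches the lookalike address in the third sample rule.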

Changes You Didn’t Make

If files have been modified, deleted, or encrypted without explanation, treat it as a potential breach. This includes:

  • Website content changed without authorization
  • Database records altered or missing
  • New user accounts created that nobody recognizes
  • Security settings or firewall rules modified
  • Antivirus or security software disabled

Suspicious Financial Activity

For many businesses, the first sign of a breach is financial. Watch for:

  • Unauthorized transactions on company accounts
  • Invoices from suppliers you don’t recognize — a sign of business email compromise
  • Customers reporting payments to the wrong account — a sign that attackers intercepted invoices and changed the banking details
  • Unexpected charges on company credit cards

What to Do If You Suspect a Breach

The first 24 hours after discovering a breach are critical. How you respond determines whether the incident stays contained or escalates.

1. Don’t Panic — But Don’t Wait

Avoid the temptation to immediately shut everything down or start deleting files. Hasty actions can destroy forensic evidence and make recovery harder. Instead, follow a structured response.

2. Isolate Affected Systems

Disconnect compromised machines from the network to prevent the attacker from moving laterally. Don’t power them off — forensic investigators need running memory to analyze the attack. Simply unplug the network cable or disable WiFi.

3. Preserve Evidence

Document everything you observe:

  • Screenshots of suspicious activity
  • Timestamps of unusual events
  • Log files from affected systems
  • Names of affected accounts and devices

This evidence is essential for forensic analysis and may be required for legal or regulatory reporting.

4. Reset Credentials

Change passwords for all potentially affected accounts, starting with:

  • Admin and privileged accounts
  • Email accounts showing suspicious activity
  • Financial and banking system credentials
  • Any account that shares passwords with compromised ones

Enable multi-factor authentication on every account that supports it. If MFA was already in place and the attacker still got through, your MFA tokens may be compromised — reset those too.

5. Notify the Right People

Depending on the severity:

  • Your IT or cybersecurity provider — They can begin forensic analysis and containment
  • Your Data Protection Officer — Regulatory frameworks may require notification to the relevant authority
  • Affected customers — If their personal information was exposed, they need to know
  • Your bank — If financial accounts are compromised, immediate notification can prevent further losses
  • Law enforcement — For criminal investigation, especially in cases of fraud or extortion

6. Assess the Damage

Once the immediate threat is contained, conduct a thorough assessment:

  • What systems were accessed?
  • What data was exposed or exfiltrated?
  • How did the attacker gain access?
  • How long were they in your systems?
  • What is the full scope of the compromise?

How to Prevent This From Happening

Detection is important, but prevention is better. The most effective measures are often the simplest:

  • Enable MFA everywhere — It blocks over 99% of automated credential attacks
  • Keep systems patched — Most exploits target known vulnerabilities that already have fixes available
  • Monitor your logs — You can’t detect what you don’t observe
  • Train your staff — Phishing awareness training reduces click rates on malicious emails by up to 75%
  • Implement endpoint detection — Modern EDR tools can identify and isolate threats in real time
  • Have a response plan — Documented, tested, and updated regularly

Final Thoughts

A breach doesn’t always announce itself. The signs are often subtle — a slow login, a forwarded email, a process you don’t recognize. The businesses that survive breaches are the ones that notice early and respond fast.

If something feels off, investigate. The cost of a false alarm is nothing compared to the cost of a breach you caught too late.
