What to Do After a Cyber Attack: A Small Business Guide

If your small business has just been hit by a cyber attack, the most important steps in the first 24 hours are: disconnect affected devices from the internet, do not pay any ransom, preserve evidence, notify your IT provider, and report the incident to the Canadian Centre for Cyber Security (CCCS). Acting quickly — and in the right order — can limit the damage, protect your customers, and keep your business running.

Cyber attacks on small businesses are no longer rare. According to the Canadian Internet Registration Authority (CIRA), 25% of Canadian small and medium-sized businesses reported a cyber attack in 2023, and the average cost of a breach for a small business exceeded $200,000. Here in the South Okanagan — from Oliver and Osoyoos to Penticton and Okanagan Falls — no business is too small to be a target. Attackers don't pick victims based on size; they pick based on vulnerability.

This guide tells you exactly what to do, in plain language, with no technical jargon. You don't need an IT background. You just need to follow the steps.

Step 1: Stay Calm and Isolate the Problem (Hours 0–2)

The first instinct many business owners have is to try to fix it themselves — clicking around, restarting computers, or deleting suspicious files. Resist that urge. Actions taken in the first few minutes can destroy the digital evidence needed to identify what happened and who did it.

Do this immediately:

  • Unplug affected computers from the network. Pull the ethernet cable or turn off Wi-Fi on any device that is behaving strangely, showing ransom messages, or that you suspect has been compromised. Do not shut the computer down — just disconnect it from the internet.
  • Do not turn off servers unless instructed by an IT professional. Turning off a server can wipe volatile memory that contains clues about the attack.
  • Separate affected devices from healthy ones. If only one workstation looks infected, keep it isolated so the attack does not spread to others.
  • Secure your network perimeter. Change your firewall and wireless access point admin passwords, and disable any remote management ports if you suspect your network has been compromised.

One of the most common mistakes we see is a business owner rebooting everything hoping it will "reset." It won't — and it often makes recovery harder.

Step 2: Call Your IT Provider Right Away (Hours 1–3)

This is not the time to search YouTube or ask a friend who "knows computers." You need a professional who understands cybersecurity incident response. Call your managed IT services provider as soon as the affected devices are isolated.

If you are in Oliver, Osoyoos, Penticton, or Okanagan Falls and you don't already have an IT provider on call, contact DSB IT Solutions — we respond to active incident calls as a priority.

When you call, be ready to tell us:

  • When you first noticed something was wrong
  • What you saw (error messages, locked files, ransom note on screen)
  • Which computers or systems are affected
  • Whether any employees clicked a suspicious link or email recently
  • Whether your backups are stored separately from your main network

Your IT provider will guide the rest of the technical response from here.

Step 3: Do Not Pay the Ransom

If you are facing ransomware — software that locks your files and demands payment — the instinct to pay and make it go away is understandable. Do not pay. The RCMP and the Canadian Centre for Cyber Security both advise against paying ransoms. Paying does not guarantee your files will be restored, and it marks your business as a willing payer, making you a target for future attacks. Ransomware victims who pay are re-attacked at a significantly higher rate than those who do not.

Step 4: Preserve Evidence (Hours 2–6)

Before your IT team begins remediation, evidence needs to be documented. This matters for insurance claims, police reports, and any future legal action.

  • Take photos of any ransom notes or error messages displayed on screen (use your phone)
  • Write down the exact time you first noticed the problem
  • Note which staff members were working on affected machines
  • Do not delete any suspicious emails — they are evidence
  • Ask your IT provider to create a forensic copy of affected drives before cleaning them

A South Okanagan retailer we worked with deleted a suspicious email from their inbox before calling us, thinking they were cleaning up the problem. That email would have helped identify the attack vector. Preserving everything — even things that seem like the source of the problem — is critical.

Step 5: Notify the Right People (Hours 4–12)

Once the immediate technical situation is being handled, you have legal and ethical obligations to notify affected parties. In British Columbia, the Personal Information Protection Act (PIPA) requires businesses to notify affected individuals if a breach creates a real risk of significant harm.

| Who to Notify | When | Why |
|---|---|---|
| Your IT provider | Immediately (Step 2) | Technical response and containment |
| Your cyber insurance provider | Within 4 hours | Most policies require prompt notification or coverage may be voided |
| Canadian Centre for Cyber Security (CCCS) | Within 24 hours | Free reporting resource; helps track national threats |
| Local RCMP | Within 24 hours | Required for insurance claims; creates official record |
| Customers whose data may be affected | As directed by IT/legal | Required under PIPA if significant harm is likely |
| Your bank or payment processor | If financial systems affected | To freeze transactions and prevent further fraud |

The CCCS reporting portal is free and confidential: cyber.gc.ca. Reporting does not mean an investigation will be launched against you — it is a resource, not an accusation.

Step 6: Begin Recovery — Carefully (Hours 12–24)

Once the incident is contained and evidence is preserved, your IT provider will guide you through recovery. This typically means:

  • Restoring systems from clean, verified backups
  • Changing all passwords across all accounts — email, accounting software, banking, point-of-sale systems
  • Enabling multi-factor authentication (MFA) on every account that supports it
  • Scanning all other devices on the network for signs of compromise
  • Reviewing how the attack got in so it does not happen again

The single biggest factor in recovery speed is whether you had current, offline backups. A business with clean, recent backups can often be back up and running the same day. Without them, recovery can take days or weeks.

First 24-Hour Response Checklist

  • Disconnect affected devices from the internet (do not shut them off)
  • Call your IT provider
  • Do not pay any ransom
  • Take photos of error screens and ransom notes
  • Document the timeline of what happened
  • Notify your cyber insurance provider
  • Report to CCCS at cyber.gc.ca
  • File a report with local RCMP
  • Change all passwords once systems are clean
  • Enable multi-factor authentication everywhere

Frequently Asked Questions

What is the first thing I should do if my small business is hacked?

The very first thing to do is disconnect the affected device from the internet by unplugging its ethernet cable or disabling its Wi-Fi. Do not shut the computer off — turning it off can destroy evidence. Then call your IT provider immediately. Do not try to fix it yourself, as this can make the situation worse and destroy the forensic trail needed for insurance claims and police reports.

Should a small business pay ransomware demands?

No. Neither the RCMP nor the Canadian Centre for Cyber Security recommends paying ransomware demands. Payment does not guarantee your files will be restored, and businesses that pay are statistically more likely to be targeted again. The better approach is to restore from clean backups, which is why maintaining regular, offline backups is the most important preventive step a small business can take.

Do I have to notify my customers after a cyber attack in BC?

In British Columbia, the Personal Information Protection Act (PIPA) requires businesses to notify individuals affected by a privacy breach if the breach creates a real risk of significant harm. This includes exposure of personal information such as names, contact details, payment information, or health data. If you are unsure whether your breach meets this threshold, consult your IT provider or a legal professional as soon as possible.

What is a cyber attack response plan and does my small business need one?

A cyber attack response plan is a written document that tells your team exactly what to do, who to call, and in what order, if a cyber incident occurs. It does not need to be complex — even a one-page checklist counts. Every small business needs one, because the middle of an attack is the worst time to figure out your response. A local managed IT provider can help you formalize and test it.

Don't Wait Until It Happens

A cyber attack is survivable — especially if you had a plan, kept clean backups, and called a professional immediately. DSB IT Solutions helps South Okanagan businesses put proactive cybersecurity and incident response in place before they need it. If you're dealing with an active incident right now, or want to make sure you never have to use this guide, contact our team.
