What to Do When Your Business Is Under Cyber Attack
09 February 2026 · 0x1m3 · 6 min read
You Have Been Breached. Now What?
It is 7:14 AM. Your finance team cannot open any files. Your server shares show garbled filenames. A ransom note sits on every desktop.
This is not hypothetical. This is a Tuesday morning for dozens of South African businesses every month. What you do in the next 60 minutes determines whether this is a recoverable incident or an existential crisis.
This is your cyber attack response plan. Print it. Share it with your leadership team. Do not wait until you need it.
R49 million: average cost of a data breach in South Africa in 2024 (IBM Cost of a Data Breach Report)
Step 1 — Isolate Affected Systems Immediately
Do not shut down machines. Disconnect them from the network. Pull Ethernet cables. Disable Wi-Fi. The goal is containment — stop the threat from spreading to unaffected systems while preserving forensic evidence.
If you have SentinelOne deployed, your endpoints may already be isolated automatically. SentinelOne's autonomous response can quarantine a compromised device within seconds of detecting malicious behaviour — no human intervention required. Check your SentinelOne console for containment status.
If you do not have endpoint protection: Physically disconnect every machine showing symptoms. Disconnect shared network drives. Disable remote access.
277 days: average time to identify and contain a breach without automated detection tools
Step 2 — Assess the Scope
Before you can respond effectively, you need to understand the blast radius. Which systems are affected? Is the attack still active? How did the attacker gain access?
SentinelOne's Storyline technology reconstructs the full attack chain automatically. It traces every process, file modification, and network connection back to the original point of entry. This gives your response team — or your managed security partner — the forensic context they need to act decisively.
Without Storyline or equivalent forensics, scope assessment becomes a manual, time-consuming process. Document everything you observe: which machines are affected, when symptoms first appeared, and any suspicious emails or downloads in the preceding days.
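As an added example (not part of the original article, and not SentinelOne or OAS code), the following Python script builds that manual scope record from constructed file observations: it flags the ransom-note filename and the encrypted-file extension, both assumed values for this incident, and orders affected hosts by the first time an indicator appeared, which answers "which machines are affected" and "when symptoms first appeared".

```python
import ntpath
from datetime import datetime

# Constructed observations gathered from hosts during triage: (host, path,
# last-modified time). These are sample values, not data from a real incident.
OBSERVATIONS = [
    ("FIN-WS03", r"C:\Users\ann\Desktop\README_RECOVER.txt", "2026-02-10T06:48:12"),
    ("FIN-WS03", r"C:\Users\ann\Documents\budget.xlsx.l0ck3d", "2026-02-10T06:47:55"),
    ("FIN-WS03", r"C:\Users\ann\Documents\notes.txt", "2026-02-09T17:02:00"),
    ("FILESRV01", r"D:\Shares\Finance\Q1.docx.l0ck3d", "2026-02-10T06:53:30"),
    ("FILESRV01", r"D:\Shares\Finance\README_RECOVER.txt", "2026-02-10T06:55:01"),
    ("HR-WS07", r"C:\Users\bob\Desktop\README_RECOVER.txt", "2026-02-10T07:03:44"),
    ("HR-WS07", r"C:\Users\bob\Pictures\team.jpg", "2026-01-20T12:00:00"),
    ("IT-WS01", r"C:\Users\carl\Documents\plan.docx", "2026-02-09T09:15:00"),
]

# Assumed indicators for this incident: the ransom-note filename and the
# extension appended to encrypted files. Replace them with what you observe.
RANSOM_NOTE_NAMES = {"README_RECOVER.txt"}
ENCRYPTED_SUFFIX = ".l0ck3d"

def is_indicator(path: str) -> bool:
    """True if the path is a ransom note or an encrypted file."""
    name = ntpath.basename(path)
    return name in RANSOM_NOTE_NAMES or name.lower().endswith(ENCRYPTED_SUFFIX)

def build_timeline(observations):
    """Return [(first_indicator_time_iso, host)] ordered earliest to latest.
    Hosts with no indicator are left out: they are not in scope yet, but they
    still need checking before network connectivity is restored."""
    first_seen = {}
    for host, path, mtime in observations:
        if not is_indicator(path):
            continue
        ts = datetime.fromisoformat(mtime)
        if host not in first_seen or ts < first_seen[host]:
            first_seen[host] = ts
    return sorted((ts.isoformat(), host) for host, ts in first_seen.items())

def affected_hosts(observations):
    """Hosts in scope, in probable order of spread."""
    return [host for _, host in build_timeline(observations)]

if __name__ == "__main__":
    for ts, host in build_timeline(OBSERVATIONS):
        print(f"{ts}  {host}")
```

File timestamps can be altered by the attacker and skewed by clock drift, so treat the ordering as a lead for the forensic team rather than proof of the original point of entry.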
Step 3 — Engage Your Security Partner
This is not the time for DIY troubleshooting. Contact your managed security provider immediately. If you are an OAS client, our incident response process activates the moment you call.
A security partner brings three things you likely lack in-house during a crisis:
- Experience across hundreds of incidents — they have seen this attack pattern before.
- Tools — access to threat intelligence, forensic analysis platforms, and remediation playbooks.
- Objectivity — your internal team is in crisis mode. An external partner provides calm, structured response.
73% of SA businesses that experienced a breach did not have a documented incident response plan (SABRIC)
Step 4 — Check Your Backups
Backups are your last line of defence against ransomware. But not all backups survive an attack. Ransomware operators specifically target backup systems — deleting local copies, encrypting network-attached storage, and disabling backup agents.
This is where cloud-first backup architecture matters. Cove Data Protection stores backups in N-able's private cloud, separate from your production environment. Ransomware that compromises your network cannot reach Cove's immutable cloud storage.
Critical questions to answer immediately:
- When was the last successful backup?
- Are backup integrity checks passing?
- How long will restoration take?
- Do you have backups for Microsoft 365 data (email, SharePoint, Teams)?
Cove's TrueDelta technology produces incremental backups up to 60 times smaller than traditional methods, enabling more frequent backup points and reducing data loss in a recovery scenario.
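As an added example (not code from the original article, Cove, or N-able), here is a Python check that answers the questions above from constructed backup-job log lines: it finds the newest successful run per job, flags failed integrity checks and copies older than an assumed 24-hour window, estimates restore time from an assumed 100 GB/hour throughput, and reports any expected job, such as Microsoft 365 SharePoint, that has no good copy at all.

```python
from datetime import datetime

# Constructed backup-job log lines for this example; not output of any real
# backup product. One line per job run: timestamp, job, status, details.
BACKUP_LOG = """\
2026-02-09 22:00:14 job=FILESRV01 status=SUCCESS size_gb=410 integrity=PASS
2026-02-10 02:00:09 job=FILESRV01 status=FAILED error=agent_unreachable
2026-02-09 23:30:00 job=M365-Mail status=SUCCESS size_gb=120 integrity=PASS
2026-02-08 21:00:00 job=SQL01 status=SUCCESS size_gb=900 integrity=FAIL
2026-02-09 21:00:00 job=SQL01 status=FAILED error=vss_snapshot
"""
# Jobs that must have a usable copy for the business to recover (assumed list).
EXPECTED_JOBS = ["FILESRV01", "SQL01", "M365-Mail", "M365-SharePoint"]
NOW = datetime(2026, 2, 10, 7, 14)  # the morning of the incident (constructed)

def parse(log):
    """Yield (timestamp, {key: value}) for each 'YYYY-MM-DD HH:MM:SS k=v ...' line."""
    for line in log.splitlines():
        stamp, _, rest = line.partition(" job=")
        if not rest:
            continue
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        yield ts, dict(kv.split("=", 1) for kv in ("job=" + rest).split())

def assess(log, now, restore_gb_per_hour=100.0, max_age_hours=24.0):
    """Per expected job: last good backup and its age, integrity result,
    estimated restore time, and whether the copy is usable for recovery."""
    last_good = {}
    for ts, f in parse(log):
        prev = last_good.get(f["job"])
        if f["status"] == "SUCCESS" and (prev is None or ts > prev[0]):
            last_good[f["job"]] = (ts, float(f.get("size_gb", 0)), f.get("integrity"))
    report = {}
    for job in EXPECTED_JOBS:
        if job not in last_good:
            report[job] = {"usable": False, "reason": "no successful backup on record"}
            continue
        ts, size_gb, integrity = last_good[job]
        age_h = (now - ts).total_seconds() / 3600
        problems = []
        if integrity != "PASS":
            problems.append(f"integrity check {integrity}")
        if age_h > max_age_hours:
            problems.append(f"last good backup is {age_h:.1f}h old")
        report[job] = {"usable": not problems, "last_good": ts.isoformat(),
                       "age_hours": round(age_h, 1), "integrity": integrity,
                       "restore_hours": round(size_gb / restore_gb_per_hour, 1),
                       "reason": "; ".join(problems) or "ok"}
    return report
```

Run `assess(BACKUP_LOG, NOW)` to get the per-job verdicts; the restore-time figure is only as good as the throughput you measured in your own recovery tests.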
96% of organisations with immutable backups successfully recovered from ransomware without paying the ransom
Step 5 — Notify Regulators (POPIA Requires It)
Under the Protection of Personal Information Act (POPIA), South African businesses are legally required to notify the Information Regulator and affected data subjects when a breach compromises personal information. This is not optional. Failure to notify carries significant penalties.
Your notification must include:
- Description of the breach and the personal information involved
- Steps taken to address the breach
- Recommendations for affected individuals to protect themselves
- Contact details for your Information Officer
The notification must happen "as soon as reasonably possible." In practice, this means within 72 hours of confirming the breach. SentinelOne's forensic data and Cove's backup audit trails provide the evidence your legal team needs to compile an accurate notification.
Step 6 — Recover and Rebuild
Once the threat is contained and the scope is understood, recovery begins. This is where preparation pays dividends.
With Cove, restoration can begin from the most recent clean backup point. Cove's automated recovery testing means you already know your backups work — you are not discovering problems during a crisis.
Recovery priorities:
1. Restore critical business systems first (email, finance, customer-facing applications).
2. Rebuild compromised endpoints from clean images.
3. Reset all credentials — assume every password is compromised.
4. Patch the vulnerability that enabled initial access.
5. Re-enable network connectivity only after confirming containment.
After the Crisis: Build Your Resilience
Every incident is a lesson. Use it to build the resilience your organisation lacked before the attack.
- Deploy SentinelOne on every endpoint — not just servers. Ransomware enters through workstations.
- Implement Cove backup with automated recovery testing. Verify your backups before you need them.
- Engage OAS for managed security — 24/7 monitoring through N-able ensures threats are detected before they escalate.
- Document your incident response plan and test it quarterly. The plan you never practise is the plan that fails.
With over 40 years securing South African businesses, OAS has the proven track record and local expertise to help your organisation prepare for — and recover from — the threats that define today's landscape.