7 Signs Your Business Has Been Breached (and What To Do)
IBM's Cost of a Data Breach Report (the same report cited at the end of this article) puts the average time to identify a breach at 197 days. That is over six months of attackers having access to your systems before anyone notices. Here's how to spot the warning signs earlier.
Sign 1: Unusual Account Activity
What to Look For
- Logins at odd hours (3 AM on a Sunday?)
- Logins from unusual locations
- Multiple failed login attempts
- New admin accounts you didn't create
Red Flag Example
Your office manager notices she's logged into her email from a location she's never been to.
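The four account-activity signs above can be checked mechanically against login records. The script below is an added example, not part of the original article: it runs over a small set of constructed login events (users, countries and timestamps invented here) and flags off-hours logins, logins from a country the user has never used, a burst of failed attempts, and an admin role granted to an account that is not on an assumed list of permitted admins. The business-hours window and thresholds are assumptions; tune them to your own baseline.

```python
"""Added example (not from the original article): flag the account-activity
signs above in a constructed set of login events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, country, outcome, admin role granted).
# Users, countries and times are invented for this example.
SAMPLE_LOGINS = [
    ("alice", "2024-05-13T09:02:00", "US", "success", None),
    ("alice", "2024-05-13T17:40:00", "US", "success", None),
    ("bob", "2024-05-14T08:51:00", "US", "failure", None),
    ("bob", "2024-05-14T08:52:00", "US", "failure", None),
    ("bob", "2024-05-14T08:53:00", "US", "failure", None),
    ("bob", "2024-05-14T08:54:00", "US", "failure", None),
    ("bob", "2024-05-14T08:55:00", "US", "failure", None),
    ("bob", "2024-05-14T08:56:00", "US", "failure", None),
    ("bob", "2024-05-14T08:59:00", "US", "success", None),
    ("svc-backup", "2024-05-14T22:10:00", "US", "success", "Domain Admins"),
    ("alice", "2024-05-19T03:14:00", "RO", "success", None),  # Sunday 3 AM, new country
]

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time counts as normal (assumed)
FAILURE_THRESHOLD = 5           # this many failed attempts ...
FAILURE_WINDOW_MIN = 10         # ... within this many minutes is a guessing burst
KNOWN_ADMINS = {"alice"}        # assumed: the only account allowed to hold admin roles


def find_login_anomalies(events, known_admins=KNOWN_ADMINS):
    """Return (user, description, timestamp) tuples for each suspicious event."""
    findings = []
    seen_countries = defaultdict(set)
    failures = defaultdict(list)

    for user, ts, country, outcome, role in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if outcome != "success":
            failures[user].append(when)
            continue
        # Off-hours: outside business hours or on a weekend (Sat=5, Sun=6).
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            findings.append((user, "off-hours login", ts))
        # New location: a country this user has never logged in from before.
        if seen_countries[user] and country not in seen_countries[user]:
            findings.append((user, f"login from new country {country}", ts))
        seen_countries[user].add(country)
        # Privilege change: an admin role granted to an account not on the list.
        if role and user not in known_admins:
            findings.append((user, f"unexpected admin role granted: {role}", ts))

    # Password guessing: a burst of failures inside a short window.
    for user, times in failures.items():
        for i, start in enumerate(times):
            in_window = [t for t in times[i:]
                         if (t - start).total_seconds() <= FAILURE_WINDOW_MIN * 60]
            if len(in_window) >= FAILURE_THRESHOLD:
                findings.append((user,
                                 f"{len(in_window)} failed logins within {FAILURE_WINDOW_MIN} minutes",
                                 start.isoformat()))
                break
    return findings


if __name__ == "__main__":
    for user, what, ts in find_login_anomalies(SAMPLE_LOGINS):
        print(f"{ts}  {user:<12} {what}")
```

The "new country" check only fires once a user has a history, so the first login of a brand-new account is never flagged by it; that is deliberate, and it is why the admin-role check exists separately.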
Sign 2: Unexpected Software or Processes
What to Look For
- Programs you don't recognize
- Processes consuming unusual resources
- Disabled antivirus or security tools
- New browser extensions
Red Flag Example
Task Manager shows a process called "svchost32.exe" using 90% CPU. The real one is "svchost.exe"; it runs from C:\Windows\System32 and is started by services.exe. A look-alike name, a copy of a system binary running from a user-writable folder such as Downloads or ProgramData, or an unexpected parent process is worth investigating.
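Checking for this by eye does not scale past a handful of machines, so here is an added example (not from the original article) that applies the two tests from the red flag above to a process listing: does an unknown name closely resemble a core system binary, and does a process with a genuine system name run from the expected folder with the expected parent? The process listing is constructed for the example; the expected paths and parents for svchost.exe, lsass.exe and explorer.exe are standard Windows facts, and the table is kept short on purpose.

```python
"""Added example (not from the original article): check a process listing for
look-alike names and system binaries running from the wrong place."""
import difflib
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    name: str
    path: str
    parent: str


# Where genuine copies of a few core Windows binaries live and what starts them.
# These locations and parent processes are standard on Windows; the table is
# deliberately short for the example.
KNOWN_SYSTEM = {
    "svchost.exe":  (r"c:\windows\system32", "services.exe"),
    "lsass.exe":    (r"c:\windows\system32", "wininit.exe"),
    "explorer.exe": (r"c:\windows",          "userinit.exe"),
}

# Constructed process listing (PIDs, paths and parents invented for the example).
SAMPLE_PROCS = [
    Proc(812,  "svchost.exe",   r"C:\Windows\System32\svchost.exe", "services.exe"),
    Proc(4120, "svchost32.exe", r"C:\Users\Public\svchost32.exe",   "explorer.exe"),
    Proc(1560, "svch0st.exe",   r"C:\Windows\System32\svch0st.exe", "cmd.exe"),
    Proc(640,  "lsass.exe",     r"C:\Windows\System32\lsass.exe",   "wininit.exe"),
    Proc(3308, "lsass.exe",     r"C:\ProgramData\lsass.exe",        "powershell.exe"),
    Proc(2980, "notepad.exe",   r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]


def closest_system_name(name, cutoff=0.8):
    """The system binary `name` most resembles, or None if nothing is close enough."""
    match = difflib.get_close_matches(name.lower(), list(KNOWN_SYSTEM), n=1, cutoff=cutoff)
    return match[0] if match else None


def audit_processes(procs):
    """Return (pid, name, reason) for each process that looks like it is masquerading."""
    findings = []
    for p in procs:
        name = p.name.lower()
        directory = p.path.lower().rsplit("\\", 1)[0]
        if name in KNOWN_SYSTEM:
            expected_dir, expected_parent = KNOWN_SYSTEM[name]
            if directory != expected_dir:
                findings.append((p.pid, p.name,
                                 f"runs from {p.path}, genuine copy lives in {expected_dir}"))
            elif p.parent.lower() != expected_parent:
                findings.append((p.pid, p.name,
                                 f"started by {p.parent}, expected {expected_parent}"))
        else:
            # Unknown name: is it one or two characters away from a system binary?
            lookalike = closest_system_name(name)
            if lookalike:
                findings.append((p.pid, p.name, f"name mimics {lookalike}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in audit_processes(SAMPLE_PROCS):
        print(f"PID {pid:>5}  {name:<14} {reason}")
```

Name similarity alone is a heuristic: a genuinely unrelated program can sit within the cutoff, and a well-made implant can use an exact system name. The path and parent checks are the stronger signal, and on a real machine you would add the binary's digital signature to the list.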
Sign 3: Network Anomalies
What to Look For
- Dramatic increase in network traffic
- Connections to unfamiliar IP addresses
- Data transfers at unusual times
- Slower than normal network performance
Red Flag Example
Your internet is unusably slow, but no one is streaming or downloading large files.
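"Unusually slow" is a symptom; the measurable version of the network signs above is outbound volume compared with a per-host baseline, traffic to destinations the host has never talked to, and large transfers outside working hours. The following is an added example, not code from the original article: it builds a fourteen-day baseline from constructed flow records (hosts, addresses and volumes invented here, using documentation IP ranges) and scores one day against it. The thresholds are assumptions.

```python
"""Added example (not from the original article): compare one day's outbound
traffic against a per-host baseline built from constructed flow records."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BUSINESS_HOURS = range(7, 20)        # assumed normal working hours
NEW_DEST_MIN_BYTES = 10_000_000      # flag >= 10 MB to a never-seen destination
OFF_HOURS_MIN_BYTES = 50_000_000     # flag >= 50 MB sent outside business hours


# Flow record layout: (host, ISO timestamp, destination IP, bytes sent).
# Hosts, addresses and volumes are constructed; 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges.
def build_baseline():
    """Fourteen ordinary days: ws-07 sends about 100 MB/day, ws-12 about 48 MB/day."""
    flows = []
    for day in range(1, 15):
        for hour in (9, 11, 14, 16):
            ts = f"2024-05-{day:02d}T{hour:02d}:00:00"
            flows.append(("ws-07", ts, "203.0.113.10", 25_000_000 + day * 100_000))
            flows.append(("ws-12", ts, "203.0.113.10", 12_000_000))
    return flows


TODAY_FLOWS = [
    ("ws-07", "2024-05-15T02:30:00", "198.51.100.77", 2_000_000_000),  # 2 GB at 02:30 to a new IP
    ("ws-07", "2024-05-15T09:00:00", "203.0.113.10", 25_000_000),
    ("ws-07", "2024-05-15T11:00:00", "203.0.113.10", 25_000_000),
    ("ws-07", "2024-05-15T14:00:00", "203.0.113.10", 25_000_000),
    ("ws-07", "2024-05-15T16:00:00", "203.0.113.10", 25_000_000),
    ("ws-12", "2024-05-15T09:00:00", "203.0.113.10", 11_000_000),
    ("ws-12", "2024-05-15T14:00:00", "203.0.113.10", 11_000_000),
    ("ws-99", "2024-05-15T10:00:00", "203.0.113.10", 5_000_000),       # host with no history
]


def daily_totals(flows):
    """host -> date -> total bytes sent."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, ts, _, nbytes in flows:
        totals[host][ts[:10]] += nbytes
    return totals


def network_anomalies(baseline_flows, today_flows):
    """Return (host, description) pairs for anomalies in today_flows relative to the baseline."""
    findings = []
    base_totals = daily_totals(baseline_flows)
    known_dst = defaultdict(set)
    for host, _, dst, _ in baseline_flows:
        known_dst[host].add(dst)

    # Volume: a day more than three standard deviations (and at least double) above the host's mean.
    for host, per_day in daily_totals(today_flows).items():
        history = list(base_totals[host].values())
        if not history:
            findings.append((host, "no traffic baseline for this host, review manually"))
            continue
        mu, sigma = mean(history), pstdev(history)
        for day, total in per_day.items():
            if total > mu + 3 * sigma and total > 2 * mu:
                findings.append((host, f"{day}: {total / 1e6:.0f} MB sent vs baseline {mu / 1e6:.0f} MB/day"))

    # Destination and timing checks on individual flows.
    for host, ts, dst, nbytes in today_flows:
        if dst not in known_dst[host] and nbytes >= NEW_DEST_MIN_BYTES:
            findings.append((host, f"{nbytes / 1e6:.0f} MB to never-seen destination {dst}"))
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS and nbytes >= OFF_HOURS_MIN_BYTES:
            findings.append((host, f"{nbytes / 1e6:.0f} MB sent at {ts[11:16]}, outside business hours"))
    return findings


if __name__ == "__main__":
    for host, what in network_anomalies(build_baseline(), TODAY_FLOWS):
        print(f"{host:<6} {what}")
```

The "at least double" guard matters on hosts whose baseline is very flat: with a standard deviation near zero, three sigma alone would flag a trivial increase.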
Sign 4: Ransomware Indicators
What to Look For
- Files with strange extensions (.encrypted, .locked)
- Ransom notes appearing on desktops
- Unable to open common files
- File shares becoming inaccessible
Red Flag Example
Desktop background changed to a message demanding Bitcoin payment.
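Before the desktop background changes, the file shares usually show the damage first. The script below is an added example (not from the original article) that looks for the file-level indicators listed above: renamed files with encryptor extensions, ransom-note file names, and plain-text files whose contents have become random-looking because they were encrypted in place. It builds a small constructed directory tree to scan; the extension and keyword lists are short assumptions. One caveat a practitioner will care about: the entropy test is only applied to plain-text types, because zip-based and compressed formats (.docx, .pdf, images) are high-entropy when perfectly healthy.

```python
"""Added example (not from the original article): scan a folder for the
ransomware indicators above, using a constructed directory tree."""
import math
import os
import tempfile
from collections import Counter

SUSPICIOUS_EXT = {".encrypted", ".locked", ".crypt", ".enc"}         # assumed short list
NOTE_WORDS = ("decrypt", "restore", "recover", "ransom", "how_to")   # ransom-note name fragments
PLAIN_TEXT_EXT = {".txt", ".csv", ".log", ".ini", ".xml", ".json"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits near 8, plain text near 4-5


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_for_ransomware(root, sample_bytes=4096):
    """Return {'renamed': [...], 'notes': [...], 'high_entropy': [...]} of file paths."""
    report = {"renamed": [], "notes": [], "high_entropy": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            lower = fn.lower()
            ext = os.path.splitext(lower)[1]
            if ext in SUSPICIOUS_EXT:
                report["renamed"].append(path)
                continue
            if ext in {".txt", ".html", ".hta"} and any(w in lower for w in NOTE_WORDS):
                report["notes"].append(path)
                continue
            # Encrypted-in-place files keep their name but lose their structure.
            # Only plain-text types are checked: zip-based or compressed formats
            # (.docx, .pdf, .jpg, ...) are legitimately high-entropy.
            if ext in PLAIN_TEXT_EXT:
                with open(path, "rb") as f:
                    head = f.read(sample_bytes)
                if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                    report["high_entropy"].append(path)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Build a constructed share, scan it, and return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "invoice.csv": b"1001,Acme Supplies,250.00,paid\n" * 60,
            "minutes.txt": b"Meeting notes: budget review, next steps, owners.\n" * 40,
            "report.docx": os.urandom(4096),           # compressed format: high entropy but normal
            "budget.xlsx.locked": os.urandom(4096),    # renamed by the encryptor
            "plan.txt": os.urandom(4096),              # encrypted in place, name unchanged
            "HOW_TO_RESTORE_FILES.txt": b"Your files are encrypted. Pay in Bitcoin to get the key.\n",
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        report = scan_for_ransomware(root)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

On a live incident, run a scan like this read-only from a separate machine against the share; do not install tools on the affected host itself before evidence has been preserved.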
Sign 5: Email Compromise Signs
What to Look For
- Sent emails you didn't send
- Email rules forwarding mail externally, or rules that delete or hide replies so the real owner never sees them
- Password reset emails you didn't request
- Contacts reporting spam from your address
Red Flag Example
A client calls asking why you sent them a strange link at 2 AM.
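Forwarding and hiding rules are the part of an email takeover that survives a password reset, so they are worth auditing on their own. The script below is an added example (not from the original article) that runs over a constructed export of inbox rules and flags three patterns: forwarding to an address outside the company domain, rules that delete or bury messages about money or security, and rules with blank or punctuation-only names, which are a common way to make a rule easy to overlook. The field names are this example's own, not any mail platform's schema, and the company domain is assumed.

```python
"""Added example (not from the original article): audit mailbox inbox rules
for the forwarding and hiding behaviour attackers set up after a takeover."""
COMPANY_DOMAIN = "example.com"   # assumed
# Folders attackers use to park messages the owner should not see.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Topics a thief wants to intercept or suppress.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "password",
                   "hacked", "phish", "suspicious"}

# Constructed rule export. Real rules come from the mail platform's admin tooling;
# the field names here are this example's own, not any vendor's schema.
SAMPLE_RULES = [
    {"owner": "alice@example.com", "name": "Newsletter filing", "keywords": ["newsletter"],
     "forward_to": [], "move_to": "Newsletters", "delete": False},
    {"owner": "alice@example.com", "name": ".", "keywords": ["invoice", "payment"],
     "forward_to": ["acc0unts.payable@gmail.com"], "move_to": "RSS Feeds", "delete": False},
    {"owner": "bob@example.com", "name": "Copy to assistant", "keywords": [],
     "forward_to": ["assistant@example.com"], "move_to": None, "delete": False},
    {"owner": "bob@example.com", "name": "Cleanup", "keywords": ["hacked", "phish", "password"],
     "forward_to": [], "move_to": None, "delete": True},
]


def audit_inbox_rules(rules, company_domain=COMPANY_DOMAIN):
    """Return (rule label, reason) pairs for rules that warrant a look."""
    findings = []
    for rule in rules:
        label = f"{rule['owner']} rule {rule['name']!r}"
        # 1. Mail leaving the organisation.
        for addr in rule["forward_to"]:
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain != company_domain:
                findings.append((label, f"forwards mail to external address {addr}"))
        # 2. Sensitive messages deleted or buried where the owner will not see them.
        hides = rule["delete"] or (rule["move_to"] or "").lower() in HIDING_FOLDERS
        sensitive = [k for k in rule["keywords"] if k.lower() in SENSITIVE_WORDS]
        if hides and sensitive:
            findings.append((label, f"hides messages mentioning {', '.join(sensitive)}"))
        # 3. Rules named with only punctuation, easy to miss in a long list.
        if not rule["name"].strip(" .-_"):
            findings.append((label, "rule name is blank or punctuation only"))
    return findings


if __name__ == "__main__":
    for label, reason in audit_inbox_rules(SAMPLE_RULES):
        print(f"{label}: {reason}")
```

Internal forwarding (the assistant rule) is left alone on purpose; what matters is mail leaving the domain, and a rule that quietly forwards everything to a personal webmail account is the classic post-compromise setup.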
Sign 6: Suspicious Financial Activity
What to Look For
- Unauthorized transactions
- Changed payment information with vendors
- Wire transfer requests from "executives"
- New bank accounts added to payroll
Red Flag Example
Accounting receives an urgent email from the "CEO" requesting a wire transfer—but the CEO is on vacation with no cell service.
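The red flag above has several machine-checkable tells before anyone picks up the phone: a display name that matches an executive but an address that does not, a sender domain one character away from the real one, a Reply-To pointing somewhere else, and pressure language about urgency, secrecy and being unreachable. The script below is an added example (not from the original article) that scores a message on those indicators plus a request to change payment details. The executive directory, company domain, phrase list and the three constructed messages are all assumptions for the example.

```python
"""Added example (not from the original article): score a payment request
e-mail for business e-mail compromise (BEC) indicators."""
import re

COMPANY_DOMAIN = "example.com"                          # assumed
EXECUTIVES = {"Dana Reyes": "dana.reyes@example.com"}   # assumed directory entry
PRESSURE_PHRASES = ("urgent", "immediately", "confidential", "wire", "on vacation",
                    "no cell service", "don't call", "cannot be reached")
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed) (bank|banking|account) (details|information|number)\b")
# Characters attackers swap into look-alike domains (0 for o, 1 for l, rn for m, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical_domain(domain):
    """Undo common look-alike substitutions so examp1e.com and exarnple.com equal example.com."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def parse_address(header):
    """'Dana Reyes <dana@x.com>' -> ('Dana Reyes', 'dana@x.com')."""
    if "<" in header:
        name, _, rest = header.partition("<")
        return name.strip().strip('"').strip(), rest.strip().rstrip(">").lower()
    return "", header.strip().lower()


def assess_payment_request(msg):
    """Return a list of BEC indicators found in msg (keys: from, reply_to, body)."""
    findings = []
    name, addr = parse_address(msg["from"])
    domain = addr.rsplit("@", 1)[-1]
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(f"display name {name!r} matches an executive but the address is {addr}")
    if domain != COMPANY_DOMAIN and canonical_domain(domain) == canonical_domain(COMPANY_DOMAIN):
        findings.append(f"sender domain {domain} is a look-alike of {COMPANY_DOMAIN}")
    if msg.get("reply_to"):
        _, reply = parse_address(msg["reply_to"])
        if reply != addr:
            findings.append(f"replies are redirected to {reply}")
    body = msg["body"].lower()
    pressure = [p for p in PRESSURE_PHRASES if p in body]
    if pressure:
        findings.append("pressure and secrecy language: " + ", ".join(pressure))
    if PAYMENT_CHANGE.search(body):
        findings.append("asks to change where payments go")
    return findings


# Constructed messages for the example.
CEO_WIRE = {
    "from": '"Dana Reyes" <dana.reyes@examp1e.com>',
    "reply_to": "dana.reyes.ceo@gmail.com",
    "body": ("I'm on vacation with no cell service. I need you to process an urgent wire "
             "transfer to a new vendor today; keep this confidential and don't call me."),
}
VENDOR_CHANGE = {
    "from": "Accounts <billing@acme-supplies.com>",
    "body": "Please note our new bank details for all future payments, effective today.",
}
ROUTINE = {
    "from": "Dana Reyes <dana.reyes@example.com>",
    "body": "Please run the monthly invoice batch as usual. Thanks.",
}

if __name__ == "__main__":
    for title, msg in (("CEO wire", CEO_WIRE), ("vendor change", VENDOR_CHANGE), ("routine", ROUTINE)):
        print(title, assess_payment_request(msg))
```

Scoring is a prompt for a human check, not a verdict: the vendor message scores on one indicator only, and the right response to it is the same one that stops the CEO case, a call back to a number you already had on file before the email arrived.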
Sign 7: Security Tool Alerts
What to Look For
- Antivirus quarantine notifications
- Firewall blocking unusual traffic
- Failed backup notifications
- Security software disabled
Red Flag Example
Windows Defender notifications keep appearing, then the icon disappears from the system tray.
Immediate Response Steps
If you notice any of these signs:
Step 1: Don't Panic, Don't Ignore
Take it seriously, but don't make rushed decisions that could make things worse.
Step 2: Document Everything
Screenshot alerts, note times, preserve evidence. Don't delete anything, and don't wipe or reimage affected machines before someone has captured what is on them.
Step 3: Contain the Threat
- Disconnect affected systems from the network (pull the cable or turn off Wi-Fi), but don't power them off: memory contents and running processes are evidence that a shutdown destroys
- Disable compromised accounts, reset their passwords and revoke their active sessions and tokens; disabling alone does not end a session that is already logged in
- Block suspicious IP addresses
Step 4: Assess the Scope
- What systems are affected?
- What data might be compromised?
- How long has this been happening?
Step 5: Get Expert Help
This is not the time for DIY. Contact:
- Your IT provider
- A cybersecurity incident response team
- Legal counsel (especially if regulated data is involved)
- Law enforcement (for serious incidents)
Step 6: Communicate Appropriately
- Internal stakeholders need to know
- Consider customer notification requirements
- Document all communications
Building Detection Capabilities
Prevention is ideal, but detection is critical:
- Enable logging — You can't investigate what you didn't record. At a minimum keep authentication, mailbox-audit, DNS and firewall logs, and retain them for months rather than days, since detection routinely lags the intrusion by that long
- Monitor alerts — Someone needs to actually review security notifications
- Know your baseline — Understand what "normal" looks like
- Test your response — Tabletop exercises reveal gaps before real incidents
The Cost of Delayed Detection
| Detection Time | Average Cost |
|---|---|
| Under 30 days | $3.6 million |
| 30-90 days | $4.1 million |
| Over 90 days | $4.6 million |
Source: IBM Cost of a Data Breach Report
Every day counts.
Think you might have been breached? Don't wait—contact us immediately: m1k3@msquarellc.net