How we saved a business from a Google Workspace breach within 1 hour.
One morning we were called in by a UK business that suddenly lost control of its Google Workspace. Mailboxes were acting oddly, a few users couldn’t log in, and a handful of unexpected meeting invites had gone out. Panic was starting to ripple through the office — invoices, HR documents and client correspondence all live in that cloud environment. The good news: with a calm, methodical approach and some simple safeguards in place, the situation was contained inside an hour. Here’s what that looked like, why it mattered, and what you can do to make sure your business isn’t learning the hard way.
Why an hour matters
For most UK small and medium-sized businesses, an hour is the difference between a small operational hiccup and a full-blown reputational problem. In that time attackers can export contacts, send phishing emails from trusted accounts, or change recovery settings to lock you out. Every minute can translate into cost — lost billable hours, confused clients, and the risk of a reportable data breach under GDPR.
What we focused on first (business impact, not tech theatre)
When you’re under pressure, the temptation is to dive into technical forensic detail. We focus on five business-first actions that stop the damage and restore confidence.
1. Stop the attacker’s access
Immediate containment is about cutting off active sessions and preventing further misuse of accounts. We forced account sign-outs, suspended any accounts we suspected had been used to send fraudulent messages, and revoked third-party app access that didn’t need to be connected right then. The goal is simple: stop more harm, fast.
2. Protect your most valuable things
We prioritised what would bite the business most: finance inboxes, director and HR accounts, and document folders used for client work. Restricting who can access these areas reduces the chance of invoices being altered, sensitive data being exfiltrated, or clients being misled.
3. Prevent further impersonation
Compromised accounts often get used to send phishing or fake invoicing. We reset authentication and enforced multifactor authentication (MFA) on critical accounts, which stops attackers who might have a password but not the second factor. This is the single change that most reduces rapid repeat damage.
4. Preserve the evidence you need
You don’t need a full forensic lab immediately, but you do need logs and a snapshot of affected accounts. We secured audit logs and took screenshots of suspicious configuration changes. This preserves the facts you’ll need for any regulatory reporting, insurance claims or future police involvement.
5. Communicate with the right people
We briefed the leadership team and the person responsible for client communications. The message was simple: we’ve contained the issue, here’s what’s affected, and here’s the expected short-term impact. Clear, calm communication to customers and staff stops rumours and reduces follow-up damage — which often costs far more than the initial incident.
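Steps 1 to 4 above can be turned into a worklist straight from the audit trail. The sketch below is an added example, not tooling from the incident described: it fingerprints the exported events before anything is changed, then lists which accounts to sign out, suspend or strip of app access, critical accounts first. The records are constructed in the shape of Admin SDK Reports API login and token activities, the trigger rules are assumed policy, and event names should be checked against your own export.

```python
import hashlib
import json

# Constructed sample shaped like Admin SDK Reports API activity items
# (applicationName "login" and "token"); every value is invented.
SAMPLE_EVENTS = [
    {"id": {"time": "2024-01-01T08:02:11Z", "applicationName": "login"},
     "actor": {"email": "finance@example.co.uk"}, "ipAddress": "203.0.113.7",
     "events": [{"name": "suspicious_login", "parameters": []}]},
    {"id": {"time": "2024-01-01T08:05:40Z", "applicationName": "token"},
     "actor": {"email": "finance@example.co.uk"}, "ipAddress": "203.0.113.7",
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "constructed-client-1"},
         {"name": "app_name", "value": "Mail Export Helper"}]}]},
    {"id": {"time": "2024-01-01T08:09:02Z", "applicationName": "login"},
     "actor": {"email": "sales@example.co.uk"}, "ipAddress": "198.51.100.20",
     "events": [{"name": "login_success", "parameters": []}]},
]
# Assumed policy: login events that justify a forced sign-out and reset.
TAKEOVER_SIGNALS = {"suspicious_login", "2sv_disable", "recovery_email_edit"}

def evidence_digest(events):
    """SHA-256 of a canonical JSON dump, taken before any account is changed."""
    blob = json.dumps(events, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def build_worklist(events, critical, reported_senders, approved_clients):
    """Return [(account, actions)], critical accounts first."""
    plan = {}
    def entry(user):
        return plan.setdefault(user, {"sign_out": False, "suspend": False, "revoke": set()})
    for item in events:
        actions = entry(item["actor"]["email"])
        for ev in item["events"]:
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            if ev["name"] in TAKEOVER_SIGNALS:
                actions["sign_out"] = True
            client = params.get("client_id")
            if ev["name"] == "authorize" and client and client not in approved_clients:
                actions["revoke"].add(client)
    for user in reported_senders:  # accounts seen sending fraudulent mail
        entry(user).update(sign_out=True, suspend=True)
    flagged = {u: a for u, a in plan.items() if a["sign_out"] or a["suspend"] or a["revoke"]}
    return [(u, flagged[u]) for u in sorted(flagged, key=lambda u: (u not in critical, u))]
```

Store the digest alongside the raw export so the copy used for ICO or insurer reporting can later be shown to be unaltered.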
What this looked like in practice (short, sharp and UK‑centric)
We worked with the business to identify which accounts were sensitive under UK obligations — payroll, client contracts and personal data covered by GDPR. We checked whether the incident met the threshold for a mandatory ICO notification (72-hour rule) based on data type and likely harm. We then restored access in a controlled way so staff could return to the work that keeps the lights on.
All of which sounds tidy written down. In practice it meant calm people doing specific things in a set order: contain, protect, preserve, communicate, restore. That order protects revenue and reputation. It’s what stops something annoying from becoming existential.
Practical steps for UK businesses (what to do now)
The best time to prepare was yesterday. The next best time is today. These are straightforward, practical steps that make a real difference.
- Enforce MFA for everyone with access to email or documents — it’s the single biggest deterrent.
- Review third-party app permissions and revoke anything unnecessary. Fewer integrations = fewer attack vectors.
- Identify critical accounts and give them extra protection and monitoring. Think finance, directors and HR.
- Keep audit logging enabled and know how to access it. If something goes wrong, logs are your evidence and your roadmap.
- Create an incident playbook that names responsibilities (who signs off, who calls clients, who talks to insurers). Practice it once a year with a tabletop exercise.
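The first three checks in this list can be run as a standing audit. The following is an added example, not the author's tooling: it takes user and app-grant records, ignores suspended accounts, and ranks gaps in 2-step verification and broadly scoped third-party apps with admin and critical accounts first. Records are constructed using Directory API field names (with `userKey` filled with the email address for readability), and the list of broad scopes is an assumed policy.

```python
# Constructed records using Directory API field names (users.list and
# tokens.list); every value below is invented for the example.
USERS = [
    {"primaryEmail": "director@example.co.uk", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "payroll@example.co.uk", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "leaver@example.co.uk", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
    {"primaryEmail": "sales@example.co.uk", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
]
TOKENS = [
    {"userKey": "payroll@example.co.uk", "clientId": "constructed-client-1",
     "displayText": "PDF Converter", "scopes": ["https://mail.google.com/"]},
    {"userKey": "sales@example.co.uk", "clientId": "constructed-client-2",
     "displayText": "Calendar Widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
# Assumed policy: scopes that grant full mailbox or full Drive access.
BROAD_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/drive"}

def readiness_gaps(users, tokens, critical):
    """Return (severity, account, finding) tuples, most urgent first (1 = worst)."""
    findings = []
    active = {u["primaryEmail"]: u for u in users if not u.get("suspended")}

    def sensitive(email):
        # Admins and named critical accounts (finance, directors, HR) rank higher.
        return bool(active[email].get("isAdmin")) or email in critical

    for email, user in active.items():
        if not user.get("isEnrolledIn2Sv"):
            findings.append((1 if sensitive(email) else 2, email, "no 2SV enrolled"))
        elif not user.get("isEnforcedIn2Sv"):
            findings.append((2 if sensitive(email) else 3, email, "2SV not enforced"))
    for grant in tokens:
        owner = grant["userKey"]
        broad = sorted(BROAD_SCOPES & set(grant.get("scopes", [])))
        if owner in active and broad:
            findings.append((1 if sensitive(owner) else 2, owner,
                             f"{grant['displayText']} holds {broad[0]}"))
    return sorted(findings)
```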
Why UK businesses should take this seriously
Regulatory risk in the UK is real. If personal data is involved and the breach meets the legal threshold, you have 72 hours to notify the ICO and you must be prepared to explain mitigation steps. Then there’s the commercial side: clients expect you to protect their data and will notice if invoices or contracts are tampered with. Fast containment keeps both regulators and clients calm.
FAQ
How quickly can an incident be contained?
Often within the first hour if you have a clear plan and the right admin access. The early moves are about stopping active sessions and limiting permissions — things that don’t take long if someone knows what to click.
Will customers need to be notified?
Not always. It depends on the data involved and the likelihood of harm. You should assume that if personal data has been accessed, you may need to notify the ICO and affected individuals. Having logs and evidence helps you make that decision quickly and accurately.
How much downtime should we expect?
That depends on your setup and the extent of the compromise. For many businesses, a few hours of reduced capability is realistic; full recovery can take longer if systems need rotation or deep inspection. Prioritise restoring core commercial functions first — billing, client contact and operations.
What should we do before anything happens?
Enforce MFA, tidy up third-party app access, document who has admin rights, and practice an incident playbook. Also make sure someone knows how to access audit logs and has permissions to act outside office hours. These are low-cost, high-impact measures.
Final thought
Breaches are stressful, but they don’t have to be catastrophic. The key is preparation and a set of simple, repeatable steps that focus on business impact rather than technical bravado. With those in place, you can stop a breach escalating in an hour and get back to the work that pays the bills.
If you’d like help building a one‑hour readiness plan that protects your cashflow, credibility and calm, we can run a short review focused on outcomes — what will keep you open, billable and trusted, as quickly as possible.






