
Smaller businesses can be hit particularly hard by cyber attacks: they are often easier to compromise and less able to absorb a serious incident. The financial and reputational costs can be significant, so planning ahead is crucial.

Below are some practical steps to help your organisation prepare for, respond to, and recover from a cyber incident.

1. Prepare for incidents

It is not practical to prepare for every possible incident, so make plans to handle the incidents that are most common or most likely to affect you. Identify the information, systems, accounts, and services that are critical to keeping your business running.

  • Make regular backups of essential information. Consider using the 3-2-1 rule: keep three copies of your data, on two different types of storage, with one copy stored off-site. Keep at least one copy offline or otherwise disconnected from your network, so that ransomware that reaches your systems cannot also encrypt the backup, and test from time to time that you can actually restore from it.
  • Keep a list of key people and organisations with contact details so they can be notified quickly if an incident occurs. This may include customers, suppliers, banks, insurers, IT support, the CSC, Police, the ICO, and your internet service provider.
  • Record the contact details of external people who can help identify, investigate, or support recovery from an incident.
  • Share responsibility for key tasks so that there is cover when a staff member is unavailable.
  • Make sure key incident response documents are available, up to date, and accessible to more than one person.
  • Decide in advance who can make urgent decisions, such as isolating a device, disabling an account, contacting IT support, or notifying customers.
  • Create a simple first actions checklist so staff know what to do in the first few minutes of an incident.
  • Put cyber risk on the agenda: organisational risk should be part of normal business discussions.
  • Make an incident plan and review it regularly.
  • Minimise reputational damage by building good relationships with partners and customers and keeping them updated where appropriate.
  • Test your staff’s ability to recognise incidents and practise your response from time to time, even if this is only through a short tabletop exercise.
  • Plan how you will preserve useful evidence, such as logs, screenshots, suspicious emails, and notes of what happened and when.

2. Identify what's happening

The first step in dealing effectively with an incident is identifying that it has occurred and understanding the likely impact.

Signs of an attack may include:

  • Computers running slowly.
  • Users locked out or unable to access documents.
  • Messages demanding a ransom.
  • Strange emails coming from your domain.
  • Redirected internet searches.
  • Requests for unauthorised payments.
  • Unusual account activity.
  • Repeated login failures or unusual password reset activity.
  • Unexpected changes to privileged accounts, permissions, or cloud services.
  • Unusual outbound network traffic or connections to unfamiliar services.

After an incident has been identified, initial actions may include:

  • Analysing antivirus, system, and audit logs to help identify the cause of the incident.
  • Running a full antivirus or endpoint protection scan and researching any findings using trusted sources.
  • Recording what has been observed, when it was noticed, and who reported it.
  • Considering whether the incident affects only one device, or whether user accounts, email, cloud services, or suppliers may also be involved.
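As an added example (not part of the original guidance), the Python script below runs simple detection logic over a few constructed log lines for two of the signs listed above: repeated login failures from one source and a burst of password resets. The log format, the sample lines, the addresses, the user names and the threshold values are all assumptions chosen for illustration; real systems log in their own formats, so the parser would need adapting.

```python
"""Flag repeated login failures and bursts of password resets in auth logs.

Added example, not from the original guidance: the log format, the sample
lines, the addresses and the thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <event> <user> <source address>".
SAMPLE_LOG = """\
2026-04-20T09:00:01 LOGIN_FAIL alice 203.0.113.7
2026-04-20T09:00:04 LOGIN_FAIL alice 203.0.113.7
2026-04-20T09:00:09 LOGIN_FAIL bob 203.0.113.7
2026-04-20T09:00:15 LOGIN_FAIL carol 203.0.113.7
2026-04-20T09:00:21 LOGIN_FAIL dave 203.0.113.7
2026-04-20T09:00:30 LOGIN_OK dave 203.0.113.7
2026-04-20T09:12:00 LOGIN_FAIL erin 198.51.100.2
2026-04-20T10:30:00 LOGIN_OK alice 192.0.2.10
2026-04-20T11:00:00 PASSWORD_RESET frank 192.0.2.10
2026-04-20T11:00:40 PASSWORD_RESET grace 192.0.2.10
2026-04-20T11:01:10 PASSWORD_RESET heidi 192.0.2.10
"""

# Thresholds are assumptions; tune them to what is normal for your users.
FAIL_THRESHOLD = 5                  # failures from one source inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)
RESET_THRESHOLD = 3                 # resets from one source inside RESET_WINDOW
RESET_WINDOW = timedelta(minutes=10)


def parse_lines(text):
    """Parse lines into (timestamp, event, user, source) tuples, skipping
    malformed lines rather than aborting, since real logs contain noise."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, event, user, source = parts
        try:
            events.append((datetime.fromisoformat(ts), event, user, source))
        except ValueError:
            continue
    events.sort(key=lambda e: e[0])
    return events


def bursts(events, event_type, threshold, window):
    """Sliding-window count per source address. Raise one alert per source the
    first time `threshold` events of `event_type` fall inside `window`.
    distinct_users matters: many different accounts tried from one address in
    a short time is the shape of password spraying, which per-account lockout
    rules do not catch."""
    recent = defaultdict(list)      # source -> [(ts, user), ...] within window
    alerts, alerted = [], set()
    for ts, event, user, source in events:
        if event != event_type:
            continue
        hits = recent[source]
        hits.append((ts, user))
        while hits and ts - hits[0][0] > window:   # expire old entries
            hits.pop(0)
        if len(hits) >= threshold and source not in alerted:
            alerted.add(source)
            alerts.append({
                "event": event_type,
                "source": source,
                "count": len(hits),
                "distinct_users": len({u for _, u in hits}),
                "last_seen": ts.isoformat(),
            })
    return alerts


def analyse(text):
    """Run both detections over one log extract and return the alerts."""
    events = parse_lines(text)
    return (bursts(events, "LOGIN_FAIL", FAIL_THRESHOLD, FAIL_WINDOW)
            + bursts(events, "PASSWORD_RESET", RESET_THRESHOLD, RESET_WINDOW))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample data this raises two alerts: five failures across four different accounts from 203.0.113.7 within 20 seconds, and three password resets from 192.0.2.10 within two minutes; the single failure from 198.51.100.2 stays below the threshold. The same approach applies to exported logs from mail, VPN or cloud consoles once the parser matches their format.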

Useful questions to ask:

  • What problem has been reported, and by whom?
  • What services, programs, hardware, accounts, or systems are affected?
  • Are there any signs that data has been lost, deleted, changed, disclosed, or made unavailable?
  • Have your customers noticed any problems, and can they still use your services?
  • Who designed and who maintains the affected system?
  • When did the problem occur, or when did it first come to your attention?
  • What areas of the organisation are affected?
  • Is your supply chain affected, or could a supplier be the cause of the incident?
  • What is the potential business impact of the incident?

3. Resolve the incident

It is crucial to act quickly to reduce the consequences of an incident. If your IT is managed externally, contact your IT advisers immediately. If you manage your own IT, activate your incident plan.

This may involve the following:

  • Isolating infected or affected devices from the network to stop the incident spreading further. Where possible, disconnect the network cable or Wi-Fi rather than powering the device off, as evidence held in memory is lost on shutdown.
  • Disabling compromised accounts, changing passwords, and revoking active sessions where possible.
  • Blocking malicious email senders, domains, or connections linked to the incident.
  • Contacting suppliers or service providers if their systems or services may be involved.
  • Preserving evidence before wiping, rebuilding, or restoring systems. This may include saving logs, screenshots, emails, and a timeline of what happened.
  • Replacing infected hardware if necessary.
  • Restoring services from known good backups or clean systems.
  • Patching vulnerable software and updating affected systems.
  • Cleaning infected machines and checking that they are safe before reconnecting them to the network.
  • Rotating tokens, API keys, or other credentials if accounts or services may have been compromised.
  • Restoring the most important systems first and monitoring closely for signs that the incident has returned.
  • Checking that important files, transactions, and communications are complete after recovery.
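Both the planning step above (preserving logs, screenshots, emails and notes) and the recovery step of saving evidence before wiping or rebuilding benefit from a record that shows the evidence has not changed since it was collected. The following Python script is an added example, not from the original guidance: it hashes every file in an evidence folder into a manifest with the collector's name and a UTC timestamp, then verifies the folder against that manifest later. The evidence files, their contents and the collector name are constructed for illustration.

```python
"""Record SHA-256 hashes of collected incident evidence and check them later.

Added example, not from the original guidance: the evidence files, their
contents and the collector name are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large log exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector):
    """Walk the evidence folder and record path, size and hash of every file,
    plus who collected it and when (UTC), so the record can support a later
    investigation, insurance claim or report."""
    files = []
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            files.append({
                "path": os.path.relpath(path, evidence_dir).replace(os.sep, "/"),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "files": files,
    }


def verify_manifest(evidence_dir, manifest):
    """Return a list of (path, problem) pairs; an empty list means every file
    is still present and unchanged since the manifest was made."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, *entry["path"].split("/"))
        if not os.path.isfile(path):
            problems.append((entry["path"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "modified"))
    return problems


def demo():
    """Collect constructed evidence, verify it, then show that a later edit
    and a deleted file are both detected."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed evidence files standing in for exported logs and notes.
        samples = {
            "mail_gateway.log": "2026-04-20T08:57:12 rejected sender=invoice@example.net reason=spf-fail\n",
            "suspicious_email.eml": "From: invoice@example.net\nSubject: Urgent payment\n",
            "notes.txt": "08:59 Finance reported a payment request by email.\n",
        }
        for name, content in samples.items():
            with open(os.path.join(evidence_dir, name), "w", encoding="utf-8") as fh:
                fh.write(content)

        manifest = build_manifest(evidence_dir, collector="incident lead (constructed name)")
        before = verify_manifest(evidence_dir, manifest)

        # Someone edits the notes and deletes an email after collection.
        with open(os.path.join(evidence_dir, "notes.txt"), "a", encoding="utf-8") as fh:
            fh.write("09:30 added later\n")
        os.remove(os.path.join(evidence_dir, "suspicious_email.eml"))
        after = verify_manifest(evidence_dir, manifest)

        return {"before": before, "after": after,
                "manifest_json": json.dumps(manifest, indent=2)}


if __name__ == "__main__":
    result = demo()
    print(result["manifest_json"])
    print("before:", result["before"])
    print("after:", result["after"])
```

Store the manifest somewhere other than the evidence folder itself (for example with the incident timeline), so that whoever later alters the evidence cannot simply regenerate it.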

4. Report the incident

You are legally obliged to report certain incidents to the Information Commissioner’s Office (ICO). Check https://inforights.im to find out which incidents qualify. You should also report incidents to the CSC and Police using the cyber concerns reporting form on our website or by calling 686060.

It is also important to:

  • Keep your staff and customers informed of anything that might affect them, for example if personal data has been compromised or services are unavailable.
  • Consider preparing simple communications templates in advance so updates can be shared quickly and consistently.
  • Keep a record of the decisions, actions, and notifications made during the incident.
  • Consider seeking legal advice if the incident has had a significant impact on your business or customers.
  • If you have cyber insurance, contact your insurer as they may be able to provide additional advice and support.

5. Learn from the incident

Reviewing an incident after it has happened is important as it helps you learn from mistakes, improve your response, and reduce the likelihood of the same thing happening again.

  • Review the actions taken during the response.
  • Make a list of things that went well and things that could be improved.
  • Record key timings, such as when the incident was first noticed, when it was contained, and when recovery was completed.
  • Identify delays or bottlenecks, such as unclear roles, missing contact details, or gaps in logs or evidence.
  • Review and update your incident plan to reflect the lessons learned.
  • Reassess your risks and make any necessary changes to your defences.
  • If supplier security contributed to the incident, consider whether contracts, supplier questionnaires, or oversight arrangements need to be strengthened.
  • Use lessons learned to improve staff awareness, technical controls, and future exercises.

This page was last reviewed 23/04/2026