Incident response: What to do in the event of a cyber attack


Over the past 12 months, there were 7.78 million incidents of cyber crime against UK businesses (Gov.uk). Cyber crime is evolving and increasing at a rapid pace, and the UK government are planning to introduce additional measures, including the Cyber Security and Resilience Bill, in an effort to boost the nation’s defences against cyber crime.

Whilst preventative measures including testing, training, and certification services are crucial to keeping your business protected and minimising the risk of a data breach, it’s important to remember that the risk is never completely eliminated. Organisations of any size and in any sector could be the victim of a cyber attack, and businesses need to be prepared for that potential reality.

In this blog, we’ll take a deep dive into the importance of incident response planning and how your business can respond to a cyber security incident.  

What to do in a cyber attack: immediate actions

Step 1: Stay calm and isolate the attack  

  • Discovering a cyber incident can be extremely stressful and worrying, but it’s important to remain calm, not panic, and follow the correct procedure without making any rash decisions.  
  • To minimise the damage of a successful attack, isolate the incident and any affected networks and systems, preventing further data exposure. At this stage, make sure all employees change their login credentials and reduce user access to the minimum needed whilst investigations commence.

Step 2: Identify the nature of the attack 

  • Cyber threats are ever-evolving, with common attack vectors including phishing, ransomware, DDoS, malware, and supply-chain vulnerabilities.  
  • The sooner you’re able to identify the breach, the faster you can address the incident and minimise its impact. Identification includes assessing the incident and classifying it based on severity, type, and potential effects on the business. Implementing ongoing monitoring and detection tools that alert you to suspicious activity and emerging threats is a great way to categorise vulnerabilities and understand their implications.

Step 3: Inform key stakeholders 

  • Prompt communication is crucial in the event of a cyber attack. It ensures your response to the incident is effective and proactive, minimises damage and repercussions, and maintains stakeholder trust. From an internal perspective, inform your IT team, who’ll provide their expertise and recommended steps for recovery, and executives, who’ll guide the decision-making process and ensure business continuity. From an external perspective, engage with your cyber security providers and Managed Service Providers (MSPs) for any additional support, and involve legal advisors to navigate compliance and liability issues.
  • In the UK, businesses have a legal obligation to report any data breaches to the ICO within 72 hours of identifying an incident. Failing to do so can result in fines and further legal consequences. It’s also recommended to report any cyber security related incidents to the National Cyber Security Centre.

Understanding the incident response plan

The Cyber Security Breaches Survey 2024 reports that 50% of UK businesses have experienced an attack or breach, with the average time to detect and respond to an incident totalling 277 days (IBM Security). Today, the biggest threats facing organisations are phishing, ransomware, and supply-chain attacks.  

A successful breach can result in devastating consequences, including financial loss, reputational damage, legal consequences, operational disruption, loss of market confidence, and regulatory fines. Preparation is key when it comes to minimising the fallout of an incident; establishing the processes, defining the roles and responsibilities, and encouraging communication is paramount to getting your business back on track.  

An effective incident response plan is made up of seven key principles: preparation, identification, containment, eradication, recovery, communication, and lessons learned.

Long-term recovery and damage control 

Step 4: Assess damage and begin recovery 

There’s no single method for identifying the damage and impacts of a security breach. Assessment methods depend on the type of attack, the severity, and the systems affected. However, a good process to follow includes:  

  1. Identify assets that are affected: The first step is to identify which systems and data have been compromised. This could involve assessing system activity, any files that have been accessed and changed, and checking any alerts raised during the incident.
  2. Estimate the impact: Understanding the impacts of the breach will allow you to plan ahead and make better decisions as recovery commences. Ask yourself the following questions:
    • How important are the affected systems for business operations and your stakeholders?
    • Has any data been compromised? If so, what’s the nature of said data?
    • Could the incident impact your customers?
  3. Determine the severity: The severity depends on how widely the incident has spread and how deeply it has affected key resources.
  4. Financial and operational impact: Calculate the potential financial impact (including revenue loss from downtime and the cost of resources to restore the systems).

Then you can begin the process of removing the root cause of the incident, such as malware or unauthorised access, but be careful not to destroy any evidence. Identify and analyse the exploited vulnerabilities and implement appropriate defence methods to prevent it from happening again. In the event of a breach, you’ll rely on your backups in order to get your systems up and running again, so once you’ve confirmed that your systems are secure, you can begin restoring your data. Make sure your business performs regular, automatic backups and stores these in a separate, isolated location.
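The four-step assessment above is easier to apply consistently when the answers are captured in a structured record rather than discussed ad hoc. The following Python helper is an added example, not the blog’s own tooling: it records the affected assets (step 1), answers the three step-2 questions from asset metadata, derives a severity level from how widely the incident has spread and how deeply it reached key resources (step 3), totals the downtime and restoration cost (step 4), and stamps the 72-hour ICO reporting deadline from the time of identification. The asset names, criticality scale, thresholds and figures are all constructed for illustration; whether a given breach is actually reportable is a decision for your legal advisors.

```python
"""Incident impact assessment helper (added example; all data and thresholds are illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ICO_REPORTING_WINDOW = timedelta(hours=72)  # statutory window cited in the text above


@dataclass
class Asset:
    name: str
    criticality: int            # constructed scale: 1 (peripheral) .. 5 (business cannot run without it)
    holds_personal_data: bool   # bears on whether the ICO must be notified
    customer_facing: bool       # bears on whether customers may be affected


@dataclass
class Incident:
    detected_at: datetime       # when the incident was identified; starts the 72-hour clock
    affected: List[Asset]       # step 1: assets confirmed compromised
    estate_size: int            # total assets in scope, so spread can be expressed as a ratio
    downtime_hours: float       # expected outage of the affected systems
    revenue_per_hour: float     # revenue lost per hour of outage
    restore_cost: float         # staff time, replacement kit, external help


def spread(incident: Incident) -> float:
    """How widely the incident has spread: fraction of the estate affected."""
    return len(incident.affected) / incident.estate_size


def depth(incident: Incident) -> int:
    """How deeply key resources are hit: the highest criticality among affected assets."""
    return max((a.criticality for a in incident.affected), default=0)


def severity(incident: Incident) -> str:
    """Step 3: combine spread and depth into one of four levels (thresholds are illustrative)."""
    s, d = spread(incident), depth(incident)
    if d >= 5 or (d >= 4 and s >= 0.25):
        return "critical"
    if d >= 4 or s >= 0.5:
        return "high"
    if d >= 3 or s >= 0.1:
        return "medium"
    return "low"


def financial_impact(incident: Incident) -> float:
    """Step 4: revenue lost to downtime plus the cost of restoring systems."""
    return incident.downtime_hours * incident.revenue_per_hour + incident.restore_cost


def most_critical_asset(incident: Incident) -> Optional[str]:
    """Name of the highest-criticality affected asset, or None if nothing is affected."""
    if not incident.affected:
        return None
    return max(incident.affected, key=lambda a: a.criticality).name


def assess(incident: Incident) -> Dict[str, object]:
    """Answer the step-2 questions and roll every finding into one report."""
    return {
        "affected_assets": [a.name for a in incident.affected],
        "most_critical": most_critical_asset(incident),
        "personal_data_affected": any(a.holds_personal_data for a in incident.affected),
        "customers_possibly_affected": any(a.customer_facing for a in incident.affected),
        "spread": round(spread(incident), 2),
        "depth": depth(incident),
        "severity": severity(incident),
        "financial_impact": financial_impact(incident),
        "report_to_ico_by": incident.detected_at + ICO_REPORTING_WINDOW,
    }


def sample_incident() -> Incident:
    """Constructed example: a small estate with three compromised assets. Figures are invented."""
    return Incident(
        detected_at=datetime(2024, 5, 31, 9, 0, tzinfo=timezone.utc),
        affected=[
            Asset("crm-db", criticality=4, holds_personal_data=True, customer_facing=True),
            Asset("file-server", criticality=3, holds_personal_data=True, customer_facing=False),
            Asset("dev-laptop-07", criticality=1, holds_personal_data=False, customer_facing=False),
        ],
        estate_size=12,
        downtime_hours=8.0,
        revenue_per_hour=2_500.0,
        restore_cost=12_000.0,
    )


if __name__ == "__main__":
    for key, value in assess(sample_incident()).items():
        print(f"{key}: {value}")
```

The report doubles as the first entry in the incident timeline that Step 6 asks you to document, and the `report_to_ico_by` field gives the team a concrete deadline to work to rather than a rule to remember under pressure.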

Step 5: Communicate with affected parties  

  • Transparency is key for maintaining trust and mitigating the impacts of a data breach or cyber attack. Keeping stakeholders informed ensures accountability, fulfils legal obligations, and safeguards your organisation’s reputation.
  • For effective communication, develop a comms plan and notify stakeholders promptly with essential details, use clear language, provide ongoing updates, and liaise with regulators to ensure compliance. By prioritising transparency, you reinforce stakeholder confidence and demonstrate a commitment to robust cyber security.  

Step 6: Learn from the incident  

  • Following the recovery of your business, conduct a full analysis of the incident. Document the timeline and key events, and assess the actions taken to create lessons for any future incidents. Post-incident evaluations allow your team to review response procedures, identify strengths and weaknesses, and highlight areas for improvement.   
  • Based on the analysis, organisations should enhance security protocols and refine their incident response plan. The insights gathered will give organisations clear areas for improvement and steps to improve resilience against future threats.

Effectively managing a cyber attack requires a proactive and prepared approach. Key steps include maintaining transparency with stakeholders, conducting a thorough post-incident analysis to identify strengths and weaknesses, and adjusting cyber security procedures accordingly.  

For more information on developing a robust cyber security strategy, speak to a member of our team today on 0333 323 3981 or complete the form here.
