Cyber security incident response plan
How to respond to a cyber attack and develop an effective cyber incident response plan for your business.
A cyber incident response plan is essential alongside risk management and breach detection. It helps you:
- prepare for a cyber breach or intrusion
- deal with it to contain damage
- recover faster after the event
It's best to decide in advance how to handle preparation, response and follow-up.
Steps in cyber incident response
Each business handles a cyber breach differently based on its situation, but a typical response plan follows these steps.
STEP 1: Contain the breach
After detecting a breach, act fast to limit damage to your business or loss of data. To do this, you will have to:
- assess the nature and scope of the incident
- check all affected systems
- look for hidden intrusions
- reroute network traffic or block further attacks, if needed
- isolate or suspend compromised devices, networks or system areas
Occasionally you may need to take your network or website offline, even though this disrupts the business. If the breach is limited to certain aspects of your business, keep unaffected services and operations running where possible.
STEP 2: Form a response team
An incident response team will usually involve:
- IT or security staff - to investigate the breach
- HR representatives - if employees are involved in the breach
- PR experts - to control and minimise brand damage
- data protection experts - if personal data has been misused, leaked or stolen
- legal adviser and/or insurer - for compliance and claims
STEP 3: Investigate and recover from the breach
Look into the circumstances of the breach to find its cause, assess its impact on your business, and plan the necessary fixes. You will typically need to:
- identify security gaps that caused the breach
- clean systems and remove ongoing threats (eg malware)
- restore systems to full operations
- deal with any internal or external involvement
- review failed security controls
- record findings
- update policies, procedures and incident response plans
This sequence matches standard cyber incident response phases: investigate, remediate, recover, and learn.
STEP 4: Meet legal and regulatory duties
As part of managing the incident, you may need to notify key parties about certain types of breach. Not all incidents need to be reported - only specific incidents trigger statutory obligations. You may need to notify:
- regulators, if personal data is lost or stolen
- affected individuals (customers, clients or suppliers), if the risk is high
- sector regulators, for breaches in critical sectors like finance or telecoms
Under the UK General Data Protection Regulation (UK GDPR), you must notify the Information Commissioner's Office (ICO) of certain cyber breaches involving personal data. Notification is required within 72 hours if the breach poses a risk to individuals' rights and freedoms.
If your business falls under the Network and Information Systems (NIS) Regulations (as updated by the Cyber Security and Resilience Bill), you may face additional duties, including expanded incident reporting for significant disruptions. This mainly affects operators of essential services and key digital suppliers.
STEP 5: Report the incident to law enforcement
UK law treats cyber crime like any other crime. Reporting is voluntary in most cases, unless the incident triggers specific obligations to notify regulators or individuals. Reporting incidents like phishing, ransomware and denial-of-service attacks is strongly recommended to aid investigations and prevent wider harm. Find out how to report a cyber crime.
STEP 6: Manage reputation and customer relations
A cyber breach can harm your business reputation, especially if it is significant and becomes public (eg a customer data leak). Media coverage and customer concerns often follow, so it is important to communicate quickly, openly and honestly with those affected.
If the damage to your brand and business is significant, consider hiring a crisis manager or a public relations consultant to help you work out feasible recovery strategies.
Further advice on incident planning
Use the National Cyber Security Centre's (NCSC) small business guide to response and recovery to develop or refine your plan. You can also test your approach in a safe setting with their 'Exercise in a Box' online tool.
Remember to update your full incident response plan after every incident and review it regularly (at least yearly) to stay prepared.