
What to Do If Your Business Faces a Cyber-attack: A Simple Response Plan

Discovering your business has been hit by a cyber-attack feels overwhelming. Your heart pounds, your mind races, and you’re not sure where to start. But this is exactly when clear thinking matters most.

Cyber-attacks happen to businesses of every size, from corner shops to major corporations. Whether it’s a phishing email that tricked an employee, ransomware that’s locked your files, or a data breach that’s exposed customer information, the steps you take in the next few hours will determine how quickly you recover.

Above everything else you learn today, remember: stay calm. Panic leads to poor decisions that can make the situation worse. This guide will walk you through exactly what to do after a cyber-attack, step by step, so you can protect your business and get back to normal as quickly as possible.

Recognising a Cyber-Attack: The Warning Signs

Not all small business cyber-attacks announce themselves with flashing warnings or ransom demands. Many start quietly and build over time.

Obvious signs include:

  • Ransom messages demanding payment to unlock your files
  • Computers running extremely slowly or freezing completely
  • Files you can’t open or that have strange extensions like “.encrypted”
  • Unknown software appearing on your systems
  • Your website displaying content you didn’t put there

Less obvious signs that catch many businesses off guard:

  • Unusual network activity, especially outside normal working hours
  • Staff receiving angry messages about emails they never sent
  • Customers complaining about calls they didn’t expect from you
  • Bank statements showing small, unfamiliar transactions
  • Password reset emails for accounts you didn’t try to access
  • Files appearing in unexpected locations or with odd names

Sometimes you won’t discover an attack until weeks or months after it happened. The M&S breach that was discovered in April, for example, was part of a co-ordinated attack that began as early as February.

Hackers often work in this drawn-out way, quietly copying data bit by bit to avoid being detected by small business cyber security solutions. Regular monitoring and staff awareness training are essential in catching these hidden intrusions before they escalate.

So what happens when you do uncover an attack?

What to Do in the First Hour After a Cyber-Attack

The first hour sets the tone for everything that follows. Your immediate priorities are containing the damage and gathering information. Move quickly, but don’t rush.

  1. Contact your IT support or cyber security provider immediately.

The sooner experts can assess the situation, the better chance you have of minimising damage. If you don’t have dedicated IT support, contact a reputable local provider who can respond quickly.

  2. Disconnect affected systems, but don’t shut them down completely.

Powering them off can destroy evidence that investigators need later. Unplug network cables or turn off Wi-Fi on any computers showing signs of infection. This stops malware from spreading to other devices and prevents hackers from accessing more of your data.

  3. Document everything you can see. Preserve evidence carefully.

Take photos of error messages, ransom notes, or unusual activity on screens. Note the time you discovered the problem and which systems seem affected. This information helps investigators understand what happened.

Avoid clicking on suspicious files, moving affected documents, or trying to “fix” problems yourself. Well-meaning attempts to clean up often destroy crucial evidence that could help trace the attack.

  4. Activate your cyber-attack response plan if you have one.

If not, designate someone to co-ordinate the response while others focus on immediate containment. Clear roles prevent confusion and duplicate effort.

What to Do in the Next 24 Hours

Once you’ve contained the immediate threat, focus on understanding the scope of the attack and beginning recovery.

  1. Conduct a thorough system assessment. Work with professional teams experienced in providing cyber security solutions in Essex to identify all affected systems, compromised accounts, and potentially stolen data. This assessment will guide your recovery priorities and legal obligations.
  2. Check your backups carefully. Verify that your backup systems haven’t been compromised and test whether you can actually restore data from them. Some advanced attacks target backup systems specifically to prevent recovery.
  3. Begin communicating with stakeholders. Inform key employees about the situation and what they need to do. Be honest about what you know and what you’re still investigating. Clear communication prevents rumours and helps maintain team focus.
  4. Change all passwords. Start with administrator accounts, then move to user accounts and any online services your business uses. Use strong, unique passwords for each account, and consider implementing two-factor authentication where possible.
  5. Review financial accounts for suspicious activity. Check bank statements, credit cards, and online payment systems for unauthorised transactions. Contact your bank if you find anything suspicious.
  6. Start documenting the incident formally. Create a detailed timeline of events, affected systems, and response actions. This documentation becomes essential for insurance claims, legal requirements, and preventing future attacks.

What Your Cyber-Attack Response Plan Should Look Like Over the Following Days

In the days following a cyber-attack, you’ll need to strike a careful balance between getting back to business and ensuring you’ve properly secured your systems. Rush this phase and you risk repeat attacks.

  1. Rebuild affected systems from clean backups or fresh installations. Don’t simply remove malware and carry on. Sophisticated attacks often leave hidden backdoors that allow hackers to return later. Starting fresh provides better long-term security.
  2. Review and update your security policies. Use lessons learnt from the attack to strengthen your defences. Update password policies, email security procedures, and incident response plans based on what you’ve experienced.
  3. Conduct staff training sessions about the incident. Help your team understand what happened and how to prevent similar attacks. Focus on practical skills like spotting phishing emails and following security procedures. Consider professional user awareness training to ensure comprehensive coverage of current threats.
  4. Implement additional monitoring and security measures. Consider engaging with Essex cyber security and backup solutions specialists who understand local business requirements and can provide ongoing protection tailored to your specific risks and compliance needs.

Who Should You Tell If You Think You’ve Been Hit by a Cyber-Attack?

Knowing who to inform and when can be confusing, but getting this right protects both your business and the people affected by the breach.

At the employee level:

If you think you’ve clicked a suspicious link or downloaded a dodgy file, tell your IT support or manager immediately. Don’t try to fix it yourself or hope it will go away. Quick reporting often makes the difference between containing an attack and watching it spread throughout your organisation.

Your company’s cyber-attack response plan should outline who you need to tell and how.

At the business level, your legal and practical obligations include:

  • The Information Commissioner’s Office (ICO) must be notified within 72 hours if the breach poses a risk to people’s rights and freedoms. This includes most breaches involving personal data, even if it’s just employee records.
  • Affected individuals should be informed without undue delay if the breach is likely to result in high risk to their rights and freedoms. This might include customers whose payment details were stolen or employees whose personal information was accessed.
  • Your insurance provider also needs to know as soon as possible. Many cyber insurance policies require immediate notification and can provide expert support for incident response and recovery.
  • Law enforcement should be contacted if the attack involved significant financial fraud or if you suspect organised criminal activity. The National Cyber Security Centre provides guidance on when and how to report incidents.
  • Key suppliers and partners may need to know if their data was involved or if the attack could affect shared systems or services.

Small Business Cyber Security Solutions: Making Sure It Doesn’t Happen Again

Recovering from a cyber-attack is only half the battle. The real test comes in strengthening your defences to prevent future incidents. Don’t be put off hearing what larger organisations are spending on their defences; cyber security solutions in Essex don’t have to be complex or expensive to be effective.

  1. Implement strong password policies and multi-factor authentication. Require complex passwords and change default passwords on all devices and systems. Multi-factor authentication adds an extra layer of protection even if passwords are compromised.
  2. Keep all software updated automatically. Many attacks exploit known vulnerabilities that patches have already fixed.
  3. Make regular staff security training mandatory. Human error causes most successful cyber-attacks, so investing in user awareness training provides an excellent return on investment.
  4. Establish robust backup and recovery procedures. Test your backup systems regularly and ensure you can restore data quickly when needed. Consider both on-site and cloud-based backup solutions for maximum protection.
  5. Create and test incident response plans. Regular drills help ensure everyone knows what to do after a cyber-attack and can respond quickly when incidents occur.
  6. Consider professional monitoring services. Many small businesses benefit from outsourced security monitoring that watches for threats around the clock.

What a Cyber-Attack Means for Your Business’s Future

Surviving one cyber-attack doesn’t mean it will – or won’t – happen to you again. It all comes down to your approach moving forward. With the right preparation, training, and security measures, you can significantly reduce your risk and ensure faster recovery if future incidents were to occur.

Remember that small business cyber security is an ongoing process, not a one-time fix. Threats evolve constantly, so your defences need to adapt too. Regular reviews, updates, and training ensure your cyber-attack response plan stays ahead of emerging risks.

Most importantly, learn from the experience. Every attack teaches valuable lessons about your vulnerabilities and response capabilities. Use these insights to build a stronger, more resilient business that can handle whatever digital threats come next.

If a Cyber-Attack Hits, Will Your Team Know What to Do?

Let’s build a plan together and keep you ahead of the chaos. Give us a call to get started.