top of page

Navigating the Aftermath: What Businesses Should Do After a Cyber Attack

Being targeted by a cyber-attack can be a terrifying experience for any business. Data breaches, ransomware, and system outages can disrupt operations, damage reputation, and lead to financial losses.

If an organisation thinks it has been subject to a cyber-attack there will initially be the uncertainty about whether it is real or something unusual that turns out to be just a temporary system glitch.

Whatever… the key is not to panic, stay calm and take swift action! If the attack is real this is crucial to minimize the damage caused and recover effectively.

For businesses without a specialist IT function, the advice would be to seek an expert… immediately. Matters relating to cyber-attacks have always been complex, and new attack vectors emerge on a regular basis.

If your business does have an IT specialist on board, they are unlikely to be specialised in cyber security, which is a mixture of IT, psychology, and systematic analysis. Nevertheless, here's a guide, to help the IT function of a business to navigate the aftermath of a successful cyber-attack:


Immediate Actions


  1. Contain the Threat: Find out which devices/systems have been compromised and isolate them to prevent the attack from spreading. This will mean disconnecting affected devices from the network and shut down infected servers. This is essential!


  1. Assess the Damage and Investigate: While systems are down, business is unlikely to continue normally. Identifying the nature and extent of the attack will require specialist and expert help and may take some time.


It is essential to determine what data was accessed, stolen, or encrypted and the Information Commissioner will expect this. Further analysis of logs and system activity will help the specialist to understand the attacker's methods and conduct a thorough investigation. This includes things like what happened and why, how many people were involved, a timeline of when it all happened, and what actions have been taken so far.


  1. Secure Critical Systems: Focus on restoring essential functions and protecting sensitive data. Implement additional security measures like multi-factor authentication and stronger passwords.


  1. Activate Your Incident Response Plan: If you have one, follow your pre-defined steps for responding to cyber incidents. This will ensure a coordinated and efficient response.


  1. Enact a Business Continuity Plan: You should also enact your business continuity plan (BCP) which should have previously been rehearsed. If you do not have one, then this highlights the need to create and rehearse one.


  1. Notify Authorities: Depending on the severity of the attack and data involved, you may be legally obligated to report it to the National Cyber Security Centre (NCSC) or the Information Commissioner's Office (ICO). Action Fraud should also be notified if financial loss is involved.

7.     Preserve Digital Evidence: Document and preserve digital evidence for potential legal and forensic investigations. Work closely with law enforcement to support their efforts.


At this point, it is worth observing that many small businesses will have no incident response log or plan, or business continuity plan. Many things can go wrong, quite apart from a cyber-attack, and it is important to, as the Boy Scouts’ motto goes, “Be prepared”.


One advantage of IASME’s Cyber Assurance is that these, and other processes and policies, have to be in place to get certification. A business that has both Cyber Essentials and Cyber Assurance will be much better prepared for an attack, and to recover from that attack.


Recovery and Communication


If the last section concerns you, as a small business, what you need to do next will be even more concerning, especially if you haven’t already had contact with a friendly expert, who will have advised you accordingly.


This is what you need to do to get back to normal:


  1. Recover Lost Data: Implement your data recovery plan, prioritizing critical business data. If backups are compromised, seek professional assistance.


  1. Communicate Effectively: Inform affected stakeholders, including employees, customers, and investors, about the attack in a timely and transparent manner. Be honest about the incident and avoid speculation.


  1. Evaluate and Improve Security: Conduct a thorough post-incident review to identify vulnerabilities and weaknesses exploited in the attack. Implement stronger security measures and update security policies to prevent similar attacks in the future.


  1. Seek Professional Help: Consider engaging cyber security experts to investigate the attack, recover data, and strengthen your defences. Their expertise can be invaluable in navigating complex situations.


The time taken to do all this can be weeks, or even months. Cyber security experts first estimated many years ago that any business that doesn’t get up and running within ten days is likely to go out of business, and the figures haven’t changed much.


Cyber Essentials reduces the chances of an attack by an estimated 80%, which is quite impressive, but successful attacks will still happen (the hacker only needs to get lucky once!) By taking further measures such as those suggested in this article, a small business can be much more confident of surviving an attack, if it occurs.

Additional Measures


These, and others, are covered in IASME’s Cyber Assurance, but worth mentioning here:

1.     Employee Training and Awareness: Conduct cybersecurity training for employees to enhance awareness and prevent future incidents. Emphasize the importance of reporting suspicious activities promptly.

2.     Continual Improvement: Conduct a post-incident review to identify areas for improvement. Update and enhance cybersecurity protocols based on lessons learned.

3.     Collaborate with Industry Peers:  Share information about the attack with industry peers through appropriate channels. Collaborate on best practices and lessons learned to enhance collective cybersecurity.

4.     Review and Strengthen Security Policies: Evaluate existing cybersecurity policies and update them to address identified vulnerabilities. Implement stricter access controls and conduct regular security audits.

Summary:  Remember, being prepared is key. Regularly update your cyber security practices, invest in employee training and have a robust incident response plan in place to be better equipped to face any cyber threat.

 Important Note: This article is a guide and intended for informational purposes only which is by no means exhaustive and further reading is recommended. Additionally, this article does not constitute legal cyber security advice. Always consult with qualified professionals for specific guidance.



Additional Resources:


IASME Business Continuity Plan Template:

Information Commissioner's Office (ICO):

 Action Fraud:

 Cyber Security Breaches: Reporting Requirements:

How to contact ICO:

ICO How to respond to a personal data breach:


NCSC Small Business Guide: Response and Recovery:



7 views0 comments


bottom of page