Hours 0–4: contain
Your first priority is to stop the situation getting worse without destroying evidence.
- Isolate affected devices from the network — don't necessarily power them off.
- Reset credentials for affected accounts and enable MFA if it isn't already on.
- Preserve logs and take notes of what you see and when.
- Bring in the right people early: leadership, IT/security support, and if needed, legal.
Want a plain-English view of where your business stands?
Book a free cyber health checkHours 4–24: assess
Work out what happened and what was affected. What data or systems were involved? Is personal data in scope? Is the attacker still active?
Resist the urge to wipe everything immediately — understanding the scope first helps you recover cleanly and avoid reinfection.
Within 72 hours: report where required
If personal data is affected, UK GDPR may require you to report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware, where the breach meets the reporting threshold. Check current ICO guidance for your situation.
You may also have contractual duties to notify clients or partners, and obligations to affected individuals in higher-risk cases.
When in doubt about reporting obligations, take advice early. It's easier to decide not to report than to explain a late one.
Days 1–3: communicate and recover
Communicate honestly and consistently with staff, and with customers where appropriate. Restore from clean backups, confirm the attacker's access is closed, and keep documenting throughout.
Once the immediate incident is under control, hold a short review to capture what happened and what to improve.
Turn this into an action plan
Book a free cyber health check and get a plain-English view of where your business stands.
Book a free cyber health check