Skip to main content

Smaller businesses can be uniquely affected by cyber-attacks; they are likely to be more vulnerable to attacks and less resilient to a serious incident. The financial and reputational costs following an attack can often be devastating, making recovery difficult or even impossible. 

Planning for an attack is crucial to ensuring that your organisation can quickly deal with a cyber-attack and work on recovery.

Below are some easy-to-implement tips to deal with a cyber-attack. 

1. Prepare for incidents

  • Make plans to handle incidents that are most common or most likely to occur. It is not practical to prepare for every type of possible incident.
  • Identify critical electronic information needed to keep your business running. What is it, and where is it stored?
  • Backups: make regular daily or weekly backups of essential information. Consider using the 3-2-1 rule: three copies, of which two are made on different storage media (and stored locally), and the third copy is stored off-site.
  • List key people (i.e., customers, suppliers, etc.) and organisations (e.g., banks, the CSC, Police, ICO, Internet Service Provider, etc.) with contact details so that they can be notified of an incident.
  • Record contact details of external people who can help you identify or assist with an incident.
  • Ensure there is shared responsibility so that there is cover when a staff member is unavailable.
  • Make sure key incident response documents are available and up-to-date.
  • Add risk to the agenda, as organisational risk should be part of normal business discussions.
  • Make an incident plan.
  • Minimise reputational damage in the event of an incident by building good relationships with partners and customers, regularly updating them on what is going on, and
  • Test your staff's ability to recognise incidents.

2. Identify what's happening

The first step in dealing effectively with an incident involves identifying it. How can you detect that an incident has occurred (or is still happening)

The signs of an attack

  • Computers running slowly
  • Users locked out or unable to access documents
  • Messages demanding a ransom
  • Strange emails coming out of your domain
  • Redirected internet searches
  • Requests for unauthorised payments
  • Unusual account activity

After an incident has been identified, initial actions might include the following:

  • Analysing anti-virus and audit logs to help identify the cause of the incident
  • Using anti-virus software to complete a full scan and researching any findings using trusted sources (such as police or security websites)

These 10 questions can help you identify what has occurred:

  1. What problem has been reported, and by whom?
  2. What services, programs, or hardware aren't working?
  3. Are there any signs that data has been lost?
  4. What information has been disclosed, deleted, or corrupted?
  5. Have your customers noticed any problems? Can they still use your services?
  6. Who designed the affected system? Who maintains it?
  7. When did the problem occur or first come to your attention?
  8. What areas of the organisation are affected?
  9. Is your external supply-chain affected? Is your supply-chain a cause of the incident?
  10. What is the potential business impact of the incident?

3. Resolve the incident

It's crucial to act immediately to mitigate the consequences of an incident.

If your IT is managed externally, contact your IT advisers. If you manage your own IT, activate your incident plan.

This may involve the following:

  • Replacing infected hardware
  • Restoring services through backups
  • Patching software
  • Cleaning infected machines
  • Changing passwords

4. Report the incident

  • You are legally obliged to report certain incidents to the Information Commissioner's Office (ICO). Check inforights.im to find out which incidents qualify.
  • Report to the Cyber Security Centre (CSC) and the Police using our cyber-concerns online reporting form found on our website or by calling 686060.
  • Keep your staff and customers informed of anything that might affect them (for example, if their personal data has been compromised by a breach).
  • Consider seeking legal advice if the incident has had a significant impact on your business or customers. If you have cyber insurance, they will be able to provide you with more advice.

5. Learn from the incident

Reviewing an incident after it has happened is important to learn from any mistakes and take actions to reduce the likelihood of it happening again.

  • Review the actions taken during the response. Make a list of things that went well and things that could be improved.
  • Review and update your incident plan to reflect the lessons learned.
  • Reassess your risk and make any necessary changes to your defences. For example, if third-party supplier security contributed to the incident’s cause, consider the future terms of your business contracts. Also consider whether the third-party supplier questionnaire should be more stringent or whether services and tasks can be performed in-house to reduce risk.

    This page was last reviewed 19/03/2024

Useful Links

Contact Us IOM Information Commissioner NCSC Incident Management