Getting back to business after a cyber-attack

Getting back to business after a cyber-attack

National Cyber Security Centre (NCSC) SME Engagement Team

National Cyber Security Centre (NCSC) SME Engagement Team
6th November 2019

Find out how to prepare your response and plan your recovery so your small business can cope and deal with a cyber attack. Sponsored article by NCSC. 

SMEs are pivotal to the UK’s economy; they account for 99.9% of the UK’s private sector businesses. Feedback from SMEs and representative bodies had emphasised to us the need for consistent, easy to find and follow advice that is inexpensive to implement. Companies that are at the very start of the pathway and are looking to implement basic cyber security controls should start off with our Small Business Guide and the Small Business Guide: Actions List as they provide quick and easy steps that could save time, money and even your business’ reputation.

Alongside essential cyber security controls, small businesses need to be prepared for how to cope and deal with a cyber breach or attack. As a UK business there is around a 1 in 3 chance that you will experience a cyber breach. When something happens, such as a cyber incident, it can be difficult to know how to react. We understand you will want to resolve the problem and get back to business as soon as possible. The best way you can help limit the impact a cyber breach has on your business, is to be prepared.

This is why we have launched the Small Business Guide: Response & Recovery. A simple, easy to use guide to help small businesses prepare their response and plan their recovery to a cyber incident. It is a 5-step guide which takes users through the process from preparing for incidents through to learning lessons from them.

Unforeseen events, both malicious and accidental, can occur in many ways. So it is impractical to develop detailed step-by-step instructions to manage every type of incident, as the list could be endless. Instead you should prepare your business for the most common threats you face by developing plans to handle those incidents most likely to occur.

The top tips you will find included in the guide will answer the burning questions we frequently get asked by SMEs, including:  

What should I do to ensure I am prepared to deal with a cyber incident?

Identify critical electronic information such as contact details, emails, calendars, and essential documents. Find out where this information is stored. Identify the key systems and processes necessary to keep your organisation running. Record how they are accessed. Studies have found the best way to test your staff’s understanding of what’s required during an incident is through exercising. Consider using our new Exercise in a Box product to test your organisations resilience and preparedness.

How do I identify when a cyber incident is happening?

While we would always recommend not panicking, the following events may indicate a cyber incident:

  • users locked out/unable to access documents
  • messages demanding a ransom
  • strange emails coming out of your domain
  • redirected internet searches
  • requests for unauthorised payments
  • unusual account activity

Also included are 10 top questions to ask yourself that can help you identify what occurred. For example – has data been lost, have your customers noticed any problems, and when did the problem occur or first come to your attention?

How do I get back to business as usual?

If your IT is managed externally, contact the right people to help, identified in your plan. If you manage your own IT, activate your incident plan. This may involve:

  • replacing infected hardware
  • restoring services through backups
  • patching software
  • cleaning infected machines
  • changing passwords

Who do I need to report it to?

Report to law enforcement via Action Fraud or Police Scotland’s 101 call centre. The more who report, the more likely it is that criminals will be arrested, charged and convicted. See the guide for a full list of who you should report to.

What steps should I take to stop it happening again? 

After the incident, it’s important to review what has happened, learn from any mistakes, and take action to reduce the likelihood of it happening again. Review actions taken during response. Make a list of things that went well and things that could be improved. Update your incident plan to reflect this.

There are many more NCSC resources that can help you improve your cyber resilience.

If you want to improve your cyber security further, then you can seek certification under the Cyber Essentials scheme, which has the benefit of demonstrating to your clients (or prospective clients) that you take the protection of their data seriously. And if you’re a larger business, or face a greater risk from cybercrime, then the 10 Steps to Cyber Security guide can further help your approach to cyber security.

Download the Small Business Guide: Response & Recovery guidance as a single PDF here. The guide helps small-to-medium sized organisations prepare their response (and plan their recovery from) a cyber incident. The 5 steps covered are easy to understand and cost little to implement.

To find out more about cyber security, visit and the UK Domain’s security section.

NCSC infographic