Cyber security for business

Cyber security incident response plan


Incident response planning should be part of your business' cyber security regime, alongside risk management and cyber security breach detection. An incident response plan can help safeguard your business and protect it against the impact of cyber crime.

To plan your cyber security incident response, you need to consider ways in which you will handle cyber security and your readiness to:

  • prepare for an incident
  • deal with a cyber breach or intrusion
  • follow up after a cyber security incident

It's best to decide in advance how you will manage these different aspects of your response.

Steps in cyber incident response

The way each business will deal with a cyber breach may differ slightly depending on their circumstances, but typically the planned response should entail the following steps. 

STEP 1: Contain the breach

After you detect a breach, the priority is generally to contain it and mitigate the risk of further damage to your business or loss of data. To do this, you will have to:

  • assess the nature and scope of the incident
  • consider all systems that could have been affected
  • look for concealed intrusions
  • reroute network traffic or block a web attack, if applicable
  • isolate or suspend compromised devices, networks or system areas

Occasionally, you may need to suspend your entire organisation's network or website, even if this causes further disruption to your business.

If the breach is limited to certain aspects of your business, determine which services, processes and operations can safely continue while you're dealing with the incident.

STEP 2: Form an incident response team

An incident response team will usually involve:

  • technical or security personnel - to investigate the breach
  • HR representatives - where employees are involved in the breach
  • PR experts - to control and minimise brand damage
  • data protection experts - if personal data has been misused, leaked or stolen

You may also want to engage a legal adviser and - if you have insurance in place - consult your insurance provider.

STEP 3: Conduct an investigation

Look into the circumstances of the breach, and assess how it has affected you. Plan remedial actions, including those needed to:

  • identify gaps in security that have led to the breach
  • clean up affected systems and remove ongoing threats (eg malware)
  • get systems up and running again
  • address internal or external involvement in the breach

Carry out an investigation to determine which security controls have failed. Keep a record of this information and use it to:

  • review and improve policies and procedures for your business
  • develop a comprehensive incident response plan for any future intrusions

STEP 4: Address legal and regulatory requirements

As part of managing the incident, you may need to inform certain organisations or individuals about the breach. Be clear about who you need to notify and why. You may need to inform:

  • the regulators if the breach results in the loss or theft of personal data
  • any individuals or groups whose personal data has been compromised, such as customers, clients and suppliers

Businesses in specific sectors, eg financial services or telecommunications, may also need to notify relevant regulatory bodies about the incident.

Important: Under the UK General Data Protection Regulation (UK GDPR), you must report serious breaches of personal data to the Information Commissioner's Office if the breach is likely to result in a risk to people's rights and freedoms.

STEP 5: Report the incident

Like any other crime, you should report cyber crime incidents to the law enforcement agency assigned to tackle them. You may need to contact different agencies depending on the type of incident and if it is still in progress. Find out how to report a cyber crime.

STEP 6: Manage reputational damage and customer relations

Not all security breaches become public, but those that do (eg customers' personal data leaks) have the potential to cause significant reputational harm to businesses. In such circumstances, communicating quickly, openly and honestly to those affected by the incident is often the best course of action.

If the damage to your brand and business is significant, you may want to consider hiring a crisis manager or a public relations consultant to help you work out feasible strategies.

To help you prepare for and plan your response to a cyber incident, see the National Cyber Security Centre's (NCSC) small business guide to response and recovery.

You can also use the NCSC's 'Exercise in a Box' online tool to help you test your resilience to cyber attacks and practise your response in a safe environment.