What to Do When Your Business Faces a Cyber Attack?
Knowing what to do when you are under cyberattack is one of the most commercially critical pieces of knowledge any business owner can have, yet most small businesses have no plan in place when the moment arrives. The consequences of that unpreparedness are no longer theoretical. They are measured in weeks of lost revenue, damaged reputations and supply chains that grind to a halt.
Cyber Attacks Are Rising, and AI Is Making Things Worse
The threat landscape facing UK businesses has changed dramatically in the last two years. Cybercriminals have access to artificial intelligence tools that automate the creation of convincing phishing emails, identify vulnerabilities in systems at scale and launch attacks faster than any human team could manually co-ordinate. The National Cyber Security Centre has consistently warned that the volume and sophistication of attacks targeting UK organisations are increasing year on year.
The financial cost is staggering. Marks & Spencer's cyberattack in spring 2025 is estimated to have cost the retailer over £300 million in lost online sales alone, with weeks of disruption to its e-commerce operations. Co-op suffered a separate attack in the same period, with supply chain disruption affecting its food distribution network for several weeks. These are household names with large IT departments. For an SME, the proportional damage is often far worse.
The Five Most Common Forms of Cyber Attack
Understanding the type of attack you face is the first step towards containing it. The five most common forms targeting UK businesses are phishing, where criminals trick employees into handing over credentials or clicking malicious links; ransomware, where your files are encrypted and a payment demanded to restore access; malware infections, which embed malicious software in your systems often without any obvious signs; denial of service attacks, which flood your network until legitimate operations become impossible; and supply chain compromise, where an attacker gains access to your business through a trusted third-party supplier or software provider.
Each of these requires a slightly different response. However, the first steps when you suspect any of them are broadly the same.
Five Warning Signs You May Be Under Attack
Recognising the symptoms early can significantly limit the damage. The five most common warning signs are systems or applications running unexpectedly slowly without explanation; files that have been encrypted, moved or renamed without any action from your team; unusual login activity, particularly out-of-hours access or logins from unfamiliar locations; outgoing network traffic that spikes at unusual times; and colleagues receiving password reset emails or account alerts they did not request.
None of these individually confirms an attack is underway. Together, however, they are a serious signal that something is wrong and that immediate investigation is needed.
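The sketch below shows how several of those signs can be checked together from login records. It is an added example, not part of the original article; the log format, the business-hours window, the per-user country list and the function names are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data). Assumed format:
# ISO timestamp, user, event type, country code
SAMPLE_LOG = """\
2025-05-12T09:14:03 alice login GB
2025-05-12T10:02:40 bob login GB
2025-05-13T02:47:19 alice login RO
2025-05-13T02:49:55 alice password_reset_email -
2025-05-13T08:58:11 bob login GB
2025-05-13T22:31:07 carol login GB
"""

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 counts as in-hours
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}
RESET_REQUESTS = set()          # (user, timestamp) pairs staff confirmed requesting


def find_warning_signs(log_text):
    """Return {user: set of warning signs} for each account showing any sign."""
    signs = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue            # skip malformed lines rather than crash
        stamp, user, event, country = parts
        when = datetime.fromisoformat(stamp)
        if event == "login":
            if when.hour not in BUSINESS_HOURS:
                signs[user].add("out_of_hours_login")
            if country not in KNOWN_COUNTRIES.get(user, set()):
                signs[user].add("unfamiliar_location")
        elif event == "password_reset_email" and (user, stamp) not in RESET_REQUESTS:
            signs[user].add("unrequested_password_reset")
    return dict(signs)


def triage(signs, threshold=2):
    """One sign alone confirms nothing; accounts with several go first."""
    return sorted(u for u, s in signs.items() if len(s) >= threshold)


if __name__ == "__main__":
    found = find_warning_signs(SAMPLE_LOG)
    for user, s in sorted(found.items()):
        print(user, sorted(s))
    print("investigate first:", triage(found))
```

A single late login, as with the constructed "carol" account, is recorded but not escalated; the account showing three signs together is the one to investigate first.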
What to Do When You Are Under Cyberattack: 10 Key Steps
Step One: Do Not Panic! Act Methodically
The instinct to immediately turn everything off or disconnect all systems can make things worse. Some forms of malware are designed to accelerate encryption or data exfiltration the moment they detect that a system is being shut down. Your first action should be to document what you are seeing and when, then follow the steps below.
Step Two: Isolate the Affected Systems
Disconnect the affected device or devices from your network (both wired and wireless connections). This limits the attack's ability to spread laterally across your infrastructure. Do not delete files or attempt to clean the system yourself at this stage.
Step Three: Alert Your IT Support Team Immediately
Contact your managed IT services provider straight away. If you are working with a managed services provider, they should have an incident response process ready to activate. If you do not have one, this is the moment that absence will cost you most.
Step Four: Preserve the Evidence
Before taking any remediation steps, capture screenshots, save logs and note the timeline of events. This evidence matters for insurance claims, regulatory reporting and any subsequent investigation.
Step Five: Change All Compromised Credentials
From an unaffected device, change passwords for any accounts that may have been accessed or compromised. Prioritise email accounts, financial systems and any platforms with customer data. Enable multi-factor authentication wherever it is not already in place.
Step Six: Notify the Relevant Authorities
Report the incident to Action Fraud (the UK's national fraud and cybercrime reporting centre) and, depending on the nature of the data affected, to the Information Commissioner's Office. Under UK GDPR, you have 72 hours to report a personal data breach. The UK Government's cyber security guidance for business sets out your legal obligations clearly.
Step Seven: Communicate Internally
Brief your team on what has happened and what they should and should not do. Crucially, avoid broadcasting details externally until you understand the full scope of the attack. Premature public statements can create additional legal and reputational exposure.
Step Eight: Assess the Scope of the Damage
Work with your IT support team to establish exactly what was accessed, what was compromised and what remains secure. This assessment informs every subsequent decision, from regulatory notifications to customer communications.
Step Nine: Restore From Clean Backups
If ransomware is involved, restoring from a known clean, recent backup is almost always the safest and fastest route to recovery, provided those backups exist and have been properly maintained.
Businesses should be extremely cautious about paying a ransom. There is no guarantee that paying cyber criminals will result in your data being returned, systems being decrypted or stolen information being deleted. In some cases, organisations that pay may become targets for future attacks, while the payment itself helps fund further criminal activity. The UK’s National Cyber Security Centre publishes advice for organisations considering payment in ransomware incidents.
This is why having a robust data backup and disaster recovery strategy in place before an incident occurs is so important. Businesses without reliable backups often find themselves with very few good options when ransomware strikes.
Step Ten: Conduct a Post-Incident Review
Once systems are restored, analyse how the attack happened. Where was the vulnerability? What could have been detected earlier? The answers to those questions should directly shape what you change next.
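For Step Four above (preserving the evidence), saved logs and notes are far more useful to an insurer, regulator or investigator if you can show they have not changed since collection. The following is an added example, not part of the original article: it records a SHA-256 hash for every file in an evidence folder and later reports any file that is missing or altered. The file names, collector name and function names are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large log files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collected_by):
    """Record name, hash, size and modification time of every evidence file."""
    root = Path(evidence_dir)
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries.append({
                "file": p.relative_to(root).as_posix(),
                "sha256": sha256_file(p),
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return {"collected_by": collected_by,
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "files": entries}


def verify_manifest(evidence_dir, manifest):
    """Return the files that are missing or whose contents no longer match."""
    root = Path(evidence_dir)
    return [e["file"] for e in manifest["files"]
            if not (root / e["file"]).is_file()
            or sha256_file(root / e["file"]) != e["sha256"]]


def demo():
    """Constructed walk-through: collect two files, then detect a later edit."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "firewall.log").write_text("constructed sample log line\n")
        (Path(d) / "screenshot-notes.txt").write_text("09:14 ransom note on PC-3\n")
        manifest = build_manifest(d, "J. Example")
        before = verify_manifest(d, manifest)
        (Path(d) / "firewall.log").write_text("edited afterwards\n")
        after = verify_manifest(d, manifest)
        return len(manifest["files"]), before, after
```

Keep the manifest somewhere other than the evidence folder, ideally on a device that was not affected, so it cannot be changed along with the files it describes.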
Why Your Response Plan Must Exist Before the Attack
Building Cyber Resilience Into Your Business
The ten steps above are only useful if your team knows them before the crisis hits. In practice, a business that discovers its response plan for the first time during an attack will execute it slowly, inconsistently and under enormous pressure. The NCSC guidance for small businesses is unambiguous on this point: preparation is what determines outcomes, not reaction speed alone.
A genuine cyber resilience plan covers incident response procedures, clearly assigned responsibilities, tested backup and recovery processes, staff training on phishing and social engineering, and regular vulnerability assessments. It should be reviewed at least annually and updated whenever your systems or team structure changes.
Building this from scratch takes time, expertise and ongoing commitment. For most SME owners, that is time and expertise they do not have sitting idle.
How a Managed IT Provider Removes the Burden
This is precisely where working with a managed IT services provider like Wyvern Business Systems delivers its clearest value. Rather than trying to construct and maintain a cyber resilience framework yourself, you inherit established processes, tested procedures and a team that has handled incidents before.
As Mark Stubbs, a director and long-standing WBS client, puts it: 'WBS provides us with peace of mind that our IT needs are only a phone call away. In fact with the new systems they have in place, they often know about our problems well before we do.'
That proactive posture of knowing about problems before you do is exactly what separates a well-managed IT environment from one that waits for something to break. Our network monitoring and support services are designed to detect unusual behaviour early, contain threats quickly and restore normal operations with minimal disruption to your team.
Frequently Asked Questions
Should I turn my computer off if I think I am being hacked?
Not immediately. Abruptly powering down can sometimes accelerate damage or destroy forensic evidence. Isolate the affected device from the network first, then contact your IT support team before taking further action.
Do I have to report a cyberattack to anyone?
If personal data has been affected, you are legally required under UK GDPR to report the breach to the ICO within 72 hours. You should also report the incident to Action Fraud. Your IT provider can help you assess whether regulatory reporting applies to your situation.
What is the difference between a cyber incident and a cyber attack?
A cyber attack is a deliberate attempt by an external or internal actor to compromise your systems. A cyber incident is a broader term covering any event that disrupts or threatens your digital operations, including accidental data exposure. Both require a structured response.
Talk to Wyvern Business Systems About Protecting Your Business
Knowing what to do when you are under cyberattack matters, but having the right infrastructure, the right processes and the right people in place before that moment is what truly protects your business. Wyvern Business Systems work with SMEs across Hereford and the wider UK to build cyber resilience that is practical, proportionate and ready to activate when you need it most.
Contact the Wyvern Business Systems team today to discuss how we can help you prepare for and respond to the threats your business faces.

