How to respond to a cyber security breach

Cyber security breach

The IoD’s Information and Advisory Service (IAS) recommends a way to take control and limit the damage to your business if an attack hits home

According to the government’s latest annual Cyber Security Breaches Survey, 43 per cent of British SMEs fell victim to a cyber attack in 2017. Most of the respondents would have had in place at least some of the standard protections – from anti-virus software to awareness training – yet only 13 per cent had a procedure ready for when these failed to prevent a security breach.

The government’s National Cyber Security Centre (NCSC) estimates the average direct cost of a breach to a small firm to be £1,400, but the longer-term cost of the reputational harm caused could far exceed that, especially if the response is botched. It’s therefore crucial to know what to do if you find that your firm’s IT defences have been penetrated. The following procedure should keep the damage to a minimum.

Lock down your systems

As soon as you become aware of a breach, you will need to secure the network. You’ll probably have to take your systems offline temporarily, which will restrict the hacker’s access to your data but disrupt your own operations too.

Activate your response team

Not all breaches will warrant a full investigation, so your IT experts will first need to assess the damage. The NCSC recommends that you have a trained response team – including representatives from IT, HR and the board (and, if necessary, a legal adviser) – ready to convene if the incident is found to be serious enough. You could instead outsource this function to an external certified cyber security incident response provider. Visit for a list of vendors accredited by the Council of Registered Ethical Security Testers.

Report the incident

If the security of any personal data held by your firm has been compromised and individuals’ rights are likely to be at risk as a result, the General Data Protection Regulation obliges you to notify the Information Commissioner’s Office (ICO) within 72 hours of the discovery. Cases of online fraud or extortion should be reported to Action Fraud or the police.

What other information you communicate and to whom will depend on any number of factors, but communicate you must. Be prepared for a stream of enquiries from concerned stakeholders, including clients, suppliers, regulators and even law enforcement agencies. It’s important to stay on top of these and respond as quickly and candidly as possible, because prevarication will only make matters worse. Last year the ICO fined Uber £385,000 under the Data Protection Act 1998 for a 2016 breach and cover-up. The firm admitted that it had paid US hackers $100,000 to destroy stolen data on more than 50 million users and keep quiet about it.

Review, learn and refine

Before you return to business as usual, you’ll need to conduct a thorough audit of your cyber security strategy. The NCSC’s 10 Steps to Cyber Security guide is a good starting point for SMEs, as is the government-backed Cyber Essentials certification scheme, which will help to reassure customers and other interested parties that your organisation is serious about cyber security.

How the IAS can help you

The Business Information Service (BIS) is accessible by email ( or phone: 020 7451 3100

The Directors’ Advisory Service (DAS) can give guidance by appointment, either face to face at 116 Pall Mall or over the phone: 020 7451 3188

The legal helpline can answer quick queries about a vast range of issues: 0870 241 3478*

The tax helpline can give callers advice on both commercial and personal tax matters: 01455 639110†

IoD members are entitled to 25 enquiries a year to the BIS; four sessions with a DAS adviser; and 25 calls to both the legal and tax helplines. For further details, visit or email

* Quote your membership number
† Quote your membership number and reference number 33337


Become a member of the IoD

The IoD has a range of memberships for directors, founders and co-founders, providing all the resources and facilities needed to enhance your business. To find out more about membership offerings and to join today, visit


*Featured image: Ally Sheedy and Matthew Broderick as teenage hackers in the 1983 film WarGames, Entertainment Pictures/Alamy

About author

Hannah Gresty

Hannah Gresty

Until she left the magazine in August 2019, Hannah Gresty was the assistant editor of Director. She previously worked on a local news website and at a fashion PR company before joining the Director team as editorial assistant in 2016.

No comments

Time limit is exhausted. Please reload the CAPTCHA.