Picture this: you come into your office on a morning like any other, but you can’t access your files. Instead, your business is presented with a ransom note from cyber criminals who have stolen and encrypted all of your business data.
For many UK small to medium-sized businesses (SMEs), this nightmare has become reality, with varying levels of impact on their ongoing business operations. In 2024, 67% of small to medium-sized UK businesses were targeted in some form of cyber attack, out of the 8.58 million cyber attacks which impacted all UK businesses, up from 7.78 million in 2023.
But... what really happens in the chaotic aftermath of an attack?
And, what if it happens to you and your business, what are the essential things that you should be doing?
What are the immediate impacts?
What are your legal duties?
What recovery steps can you take, to help you navigate a worst-case scenario?
And... most of all, what can you do to prevent it happening to begin with?
When a cyber attack strikes, the disruption can be far-reaching across all areas of your business, impacting both internal teams and customers alike. Systems may go down, data may become inaccessible, and normal operations grind to a halt with teams sat around unable to work.
Earlier this year (2025), a major ransomware attack forced retail giant Marks & Spencer (M&S) to halt online orders for almost seven weeks, with full operations not returning until 15 weeks following the attack. Clothing sales plunged by about 20% as the company lost ground to competitors, and M&S also lost an estimated £300 million in profits and £500 million in stock market value. Additionally, Co-Op, Peter Green Chilled, Harrods and even Qantas were impacted by cyber and ransomware attacks.
Also in 2025, KNP Logistics, a 158-year-old UK haulage firm, fell victim to a ransomware attack which put 700 people out of work. It is believed that, due to a lone weak password, hackers were able to encrypt the company’s entire network and even destroy its backups, before demanding a £5 million ransom (which the company could not pay). With no way to recover its data, KNP’s operations came to a standstill: every truck was sidelined and, within weeks, the firm entered administration and 700 employees lost their jobs. All of this happened despite the business believing that it was following best IT & Cyber Security practices.
These are just a couple of examples which made news headlines, showing how swiftly an attack can paralyse a business, leading to huge financial losses or even total collapse. But the reality is that businesses across the UK are experiencing this themselves every day, with more than half a million new cyber threats uncovered worldwide every day.
Beyond the immediate technical chaos, there’s also confusion and panic among staff and customers. The National Cyber Security Centre (NCSC) notes that if your business does become the victim of a significant cyber attack, “the immediate aftermath will be challenging”: information may be patchy, and difficult risk-based decisions will be needed to attempt to protect your business’ ongoing operations.
In other words, a cyber attack is a crisis scenario bringing together not just IT issues, but also business continuity, communications, legal matters and much more. How a company responds in those first hours (and days) can make a big difference in limiting the damage caused.
First, don’t panic! Panic may seem like the natural response following a cyber attack, and that is understandable. However, it’s crucial to stay calm and execute a clear incident response plan (if you have one).
Immediately following the discovery of an attack, it is important to isolate affected systems to attempt to contain the breach, and to ensure your IT team (or external IT support) are aware of the attack so that digital forensics work can begin.
Start by taking compromised computers or servers offline to stop malware spreading. Any devices that were not turned on or not connected to your network should be left offline until they can be ruled out as being impacted.
If you have pre-prepared an incident response plan, now is the time to activate it to ensure that decisions can be made quickly and coordination is effective among all teams, even amid chaos.
Communication is also an immediate priority. Business leaders should be ready to inform key stakeholders, including your board of directors & employees, but also customers, and possibly the media, with clear, accurate updates as appropriate.
The NCSC stresses that you must cover communications with the board, customers/users, media, and other stakeholders like regulators and insurance companies as part of your incident response.
It is important to remember that being transparent and timely helps maintain trust and prevents rumours from making the situation worse.
UK data protection law (UK GDPR) requires that if personal data has been breached in a cyber attack, you must report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
This means as soon as you confirm a cyber incident has likely exposed or compromised any individuals’ personal information (for example, customer records or employee data), the clock starts ticking on that 72-hour window.
Delaying notification can lead to hefty fines against your business, so even while you’re scrambling to fix IT systems, restore backups or gain access to your data, you must make sure a breach report to the Information Commissioner’s Office is in motion (if your computer systems are down, the ICO allows reporting by phone).
Beyond this, if a data breach is likely to result in a high risk to individuals’ rights or freedoms (such as if hackers stole sensitive personal or financial details), you are obliged to inform those impacted individuals without undue delay so they can take protective action (such as disabling bank accounts).
Depending on the situation, the sector your business works in, the type of data accessed, and even the individual personal data accessed, you may need to inform other authorities about the breach. If your business is in a regulated sector or provides essential services (for example, energy, water, transport, healthcare, or certain digital services), you might fall under the NIS (Network and Information Systems) regulations. These regulations require the operators of essential services to notify their sector regulator or the designated authorities of significant cyber incidents.
Additionally, there are new rules on the horizon that businesses should be aware of: the government’s upcoming Cyber Security and Resilience Bill will expand incident reporting requirements to cover more companies (including MSPs such as ourselves) and threats, even potentially reducing incident report times to as low as 24 hours.
Across all of these considerations, it is important to remember that critical incidents will need to be reported to regulators as quickly as possible, with regular relevant updates, to help build a fuller picture of the threat landscape. Additionally, you should always ensure that your business is aware of any specific reporting duties in your industry (for example, financial firms may need to inform the Financial Conduct Authority, and so on) as part of your business incident response plan.
Even if not explicitly required by law, it is strongly recommended to report the attack to law enforcement. In the UK, the central point for this is Action Fraud, the national cybercrime and fraud reporting centre. Businesses can report online or via phone; importantly, Action Fraud operates a 24/7 hotline for organizations suffering a live cyber attack in progress. If you find yourself under active attack (such as a ransomware infection that is still spreading and you have already made contact with your IT support and cyber security provider), you can call them any time for additional guidance. Reporting to the police not only helps in potentially pursuing the criminals, but also creates an official record of the incident.
Finally, while not mandatory, you should consider reaching out to the National Cyber Security Centre (NCSC) for help, especially if the incident is major or you’re not sure how to handle it. The NCSC can help victims of major cyber attacks to minimise harm with their expertise. You can report significant incidents through the NCSC’s website, and they may assist with threat analysis or mitigation guidance. In serious cases affecting national interests or large sectors, NCSC might actively coordinate a response.
Engaging with these authorities (the ICO, law enforcement and the NCSC) as early as possible will put you on the right side of the law and get you valuable support when and where you need it most.
A good recovery starts with a good cyber security strategy that is regularly reviewed. With a regularly reviewed cyber security strategy you can ensure that you not only have the right tools in place to form the best protection for your business, but you can also regularly review your business continuity strategy for if the worst was to happen.
This is where all those “boring” backup and disaster recovery plans prove their worth. Paying for a backup plan may seem counterproductive if you already have a comprehensive cyber security strategy, but the reality is that cyber criminals who specifically target a business will attempt to do whatever it takes to cause damage to it. There are also natural disasters that could impact your business, such as this business, which experienced catastrophic flooding.
Backups are an essential part of any business continuity strategy, but their frequency must fall in line with your minimum recoverable time allowance and also be kept secure from potential threats.
In the case of KNP Logistics, attackers also targeted the company’s backups in order to cause the maximum amount of damage to the business, ultimately meaning that it could not recover its data. If KNP had had immutable backups in place, the attackers would not have been able to destroy them, as they would not have been editable, and this would have allowed the company to restore its data without paying a ransom demand.
Note: A cyber attack could also include cyber criminals copying your data, which can then be used as part of a ransom demand, as has been seen this year in the Qantas data breach.
It is also important that backup integrity is regularly checked and monitored, and that regular tests are done to ensure that the data can be restored to a cloud infrastructure environment if on-site data restoration is not immediately possible. It’s no good having backups if they don’t work when needed.
In cases such as KNP, where backups are destroyed, missing or compromised, companies face a tough dilemma: attempt to rebuild from scratch, consider paying the ransom (which is highly ill-advised) or even consider whether the company can recover from such an attack.
Ransom payments are highly discouraged by authorities, and are even now being banned for public sector organisations, as there’s no guarantee you’ll get your data back, and it can fund further criminal activity.
Industry data suggests the average UK ransom demand is around £4 million. It is important to remember that in many cases, even after a business pays a ransom, hackers leak the stolen data. Additionally, the decryption tool or code provided might not fully restore files, or the cyber criminals may still have access to your system and be able to launch further attacks.
If your business is even considering a payment (and it is important to remember that we do not advise this), it’s critical to consult with law enforcement and cyber response experts.
It is also important that cyber insurance providers (if you have a policy) are notified as early as possible. Cyber insurance providers can help guide the response that you take and may supply professional incident responders to work with your cyber security providers on the response. It is also important that you regularly liaise with your cyber insurance provider to ensure they have accurate information about the investigation into any cyber incident your business has experienced.
With the right preparations, and the right tools and support in place, recovering from a cyber attack is not only possible, it is almost guaranteed. Remember, cyber security shouldn’t be seen as just an IT problem; it’s a core business risk that your whole senior leadership team needs to manage proactively, and one that your entire employee base should take active responsibility for, trained in how to spot potential threats and stay secure.
Here are some key considerations that every business should have to stay secure against cyber threats:
Most cyber attacks aren’t ultra-sophisticated; your team are actually probably the most vulnerable part of your cyber security strategy. For example, make sure your team uses strong, unique passwords, paired with multi-factor authentication on all important accounts, to avoid the fate of “one weak credential” granting cyber criminals access to your company or its data.
Additionally, as we have seen with the recent Windows 10 End of Life, it is important to keep software and systems updated with the latest security patches so known vulnerabilities and zero-day threats can’t be easily abused by hackers.
As we have already covered, it is essential to maintain multiple regular backups of critical data and to monitor and test them frequently. Earlier this year the South Korean government experienced a fire in a data centre which stored 858Tb of data, accumulated over 8 years. However, they did not have a backup, believing that there was too much data to back up. The reality is that no amount of data is too much to back up; it is only a question of how much money you spend to ensure that you have those multiple geographically separated backups.
Develop an incident response plan that outlines who does what if a cyber incident occurs. This plan should include technical steps (like isolating systems, preserving evidence), key contact info (IT & cyber security teams, legal counsel, PR, external experts, insurance, etc.), and communication templates for notifying stakeholders.
Run drills or tabletop exercises so that staff and leadership are familiar with their roles. As the saying goes, “practice makes perfect”; just make sure you are not practising often in real-world attacks. As a leader, don’t be afraid to allow a robust response during an incident; empower your IT and security teams to take necessary actions quickly.
And, most importantly, ensure you have multiple paper copies of your incident response plan. If you suffer a ransomware attack which encrypts all of your business data, how can you access your incident response plan if it only exists in digital form?
Again, this should be a critical part of your incident response plan, but it is important that key stakeholders within your business understand your legal duties (breach reporting, customer notifications and so on) ahead of time. Having templates or draft notification forms ready can save precious hours during an incident. Familiarise yourself with ICO reporting procedures, especially as they can change over time, and with any sector-specific reporting requirements that apply to your business. In September of 2025, LNER experienced a data breach via one of its third-party suppliers. As part of this, they also had to ensure that they notified the National Cyber Security Centre, British Transport Police and the Department for Transport within 1 business day of discovering the attack.
As we have seen, cyber security incidents can have a significant impact on your business. In 2025, Jaguar Land Rover (JLR) suffered a cyber attack which took down production at all of their manufacturing facilities for more than a month. In addition to this, because Jaguar Land Rover were mid-negotiation on a cyber insurance policy, they were not covered at the time of the attack. Ultimately, this led to JLR not being able to pay (or order from) their suppliers of key materials and parts throughout this period, resulting in the UK government backing a £1.5 billion loan to support JLR in being able to pay their suppliers.
This is a perfect example of why it is crucial that businesses have cyber insurance in place. Even though Jaguar Land Rover had cyber security solutions and processes in place, they were still directly targeted and suffered major downtime as a result. Beyond this, the financial implications trickled down the supply chain to a point where parts makers were asked by banks to put up their own homes as loan security.
Not only is it important that you take out cyber insurance, but also that you read the fine print so you know what’s covered and what conditions (such as reporting to police) you must meet. As we have mentioned, the UK government is ramping up efforts to improve business cyber resilience: the upcoming Cyber Security and Resilience Bill will strengthen requirements for critical service providers and their supply chains, and it will put more onus on companies to report incidents and shore up their cyber defences.
We have covered who you need to contact and how you can recover from an attack. It is important to remember that with a thorough, well thought out, well executed and regularly reviewed cyber security strategy (and tools) you should hopefully never need to dust off your incident response plan. However, as the saying goes, “by failing to prepare, you are preparing to fail” (Benjamin Franklin), and ensuring you take all of the above aspects into consideration is essential to the survival and success of your business.
At TwentyFour IT Services we work with businesses throughout the UK (and in 19 countries) to deliver best-in-class service and support, ensuring that their businesses are protected from the latest cyber security threats, whilst also ensuring that they are prepared in the event that disaster strikes.
We are offering businesses a completely free cyber security health check to see if they are following the essential aspects of a comprehensive cyber security strategy. To take your cyber security health check, fill out the form on this page, head to our contact page, or book a meeting with us to find out more.
Remember, stay safe, stay cyber secure.