The first hour of a suspected cyber attack is about controlled containment, not panic. Moving too slowly can allow damage to spread, but unplanned actions can destroy evidence, warn an attacker or take down systems that were not affected.
This guide gives business owners and office managers a practical starting point. It is not a substitute for incident-specific technical, legal or regulatory advice. Your organisation should adapt it into a cyber attack response plan with named contacts and decision-makers.
Recognise the signs
A cyber incident may begin with an obvious ransom note, but many start with less dramatic symptoms:
- unexpected multi-factor authentication prompts;
- emails in Sent Items that the user did not send;
- new inbox forwarding rules;
- files changing name or becoming unreadable;
- security tools being disabled;
- unusual administrator accounts or sign-ins;
- customers reporting suspicious messages;
- a device becoming slow while network activity rises.
Treat credible warning signs seriously, but do not announce a confirmed breach until the facts support it.
Minutes 0–10: report and start a record
Contact your IT support or incident-response provider using a trusted number, not contact details contained in a suspicious email. State what was observed, when it began, which users or devices are involved and whether business operations are affected.
Start an incident log. Record times, symptoms, calls and decisions. Use a method that will remain available if company email or shared files go offline.
Notify the internal incident lead. Keep the initial group small enough to make decisions, but include management where material business impact is possible.
Minutes 10–20: contain affected devices carefully
If a computer is actively encrypting files or behaving as though it is controlled remotely, disconnect it from wired and wireless networks. Do not continue browsing, signing in or copying files from it.
Unless your incident responder instructs otherwise, avoid switching the device off immediately. A running system holds evidence that disappears on shutdown: memory contents, running processes and active network connections. Safety and active damage still take priority, so if the device is visibly encrypting or sending out files, stopping that harm comes before preserving volatile evidence. The correct action depends on the situation.
Do not disconnect every system by default. Broad isolation may be necessary in a serious incident, but it should be a conscious decision informed by technical evidence.
Minutes 20–30: protect accounts
For a suspected account compromise, revoke active sessions and reset credentials from a known-clean device. Check multi-factor authentication methods, forwarding rules, delegated access and recent sign-ins.
Prioritise privileged accounts and any identity used across several services. Do not send new passwords through channels that may be compromised.
If the affected user is a Microsoft 365 administrator, assume the attacker may have changed more than the visible mailbox. Review tenant-wide activity with appropriate expertise.
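The steps above for one suspected-compromised Microsoft 365 account, as an added example that is not part of the original article. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that it is run from a known-clean device by an account with rights to revoke sessions, reset passwords and read mailbox settings, and that `$User` and `$LogPath` are placeholders you supply.

```powershell
# Added example (not part of the original article): contain one suspected-compromised
# Microsoft 365 account and gather the checks the article lists. Assumes the
# Microsoft.Graph and ExchangeOnlineManagement modules are installed and that you
# run it from a known-clean device. $User and $LogPath are placeholders.
param(
    [Parameter(Mandatory)] [string] $User,            # e.g. 'alice@example.com'
    [string] $LogPath = "$HOME\incident-log.txt"      # keep the log off the affected device
)

function Write-IncidentLog([string] $Message) {
    $line = "{0:u} {1}" -f (Get-Date).ToUniversalTime(), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All','UserAuthenticationMethod.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Revoke refresh tokens so sessions on the attacker's devices cannot be renewed.
Revoke-MgUserSignInSession -UserId $User | Out-Null
Write-IncidentLog "Revoked sign-in sessions for $User"

# 2. Set a random one-time password that must be changed at next sign-in. Hand it over
#    by phone or in person, never through the possibly compromised mailbox.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $User -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Write-IncidentLog "Reset password for $User (one-time password issued out of band)"

# 3. Registered MFA methods: a phone or authenticator app the attacker added
#    survives a password reset, so each entry must be recognised by the user.
"Authentication methods registered for $User :"
Get-MgUserAuthenticationMethod -UserId $User |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize

# 4. Inbox rules (including hidden ones) and mailbox-level forwarding: the usual
#    routes for silently copying or deleting mail after a compromise.
"Inbox rules:"
Get-InboxRule -Mailbox $User -IncludeHidden |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-List
"Mailbox forwarding settings:"
Get-Mailbox -Identity $User |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-List

# 5. Delegated access granted directly on the mailbox (not inherited, not the owner).
"Explicit mailbox permissions:"
Get-MailboxPermission -Identity $User |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights |
    Format-Table -AutoSize

Write-IncidentLog "Reviewed MFA methods, inbox rules, forwarding and delegation for $User"
```

Two caveats when using this. Revoking sessions invalidates refresh tokens, but access tokens already issued remain usable until they expire (commonly up to about an hour), so revocation is not instant. The script only lists MFA methods, rules and delegations rather than deleting them: removing attacker-added items before they have been recorded destroys evidence, which is the point made under "preserve evidence" below.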
Minutes 30–40: determine the likely scope
Ask what is known, what is suspected and what has been ruled out. Identify affected users, devices, services, locations and data. Check security alerts, authentication logs and endpoint status without making unnecessary changes.
Look for common links. Did several users open the same attachment? Are sign-ins coming from unfamiliar locations? Did file encryption begin from one workstation or a server?
Avoid relying on a single clean scan. Some incidents involve stolen credentials or cloud configuration and may leave little malware on the device.
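The "common links" questions above, worked through as an added example that is not part of the original article. The sign-in records are constructed sample data using documentation address ranges; in a real incident populate `$signIns` from the Entra ID sign-in export or from `Get-MgAuditLogSignIn` (Microsoft.Graph.Reports module). The function name `Find-SignInLinks` and the expected-country list are assumptions for illustration.

```powershell
# Added example (not part of the original article): look for common links in a
# sign-in log. $signIns is constructed sample data; replace it with your own export.
$signIns = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-14 08:02'; User = 'alice@example.com'; Ip = '203.0.113.10'; Country = 'GB'; Success = $true }
    [pscustomobject]@{ Time = [datetime]'2024-05-14 08:40'; User = 'alice@example.com'; Ip = '198.51.100.7'; Country = 'NG'; Success = $true }
    [pscustomobject]@{ Time = [datetime]'2024-05-14 09:05'; User = 'bob@example.com';   Ip = '198.51.100.7'; Country = 'NG'; Success = $true }
    [pscustomobject]@{ Time = [datetime]'2024-05-14 09:10'; User = 'carol@example.com'; Ip = '203.0.113.22'; Country = 'GB'; Success = $true }
    [pscustomobject]@{ Time = [datetime]'2024-05-14 09:12'; User = 'carol@example.com'; Ip = '198.51.100.7'; Country = 'NG'; Success = $false }
)

function Find-SignInLinks {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [string[]] $ExpectedCountries = @('GB'),   # assumption: where the business normally signs in from
        [int] $TravelWindowMinutes = 60
    )

    # 1. Successful sign-ins from countries the business does not operate in.
    $unfamiliar = $SignIns | Where-Object { $_.Success -and $_.Country -notin $ExpectedCountries }

    # 2. One source IP used by several accounts. This is what turns "one odd mailbox"
    #    into a multi-user incident and tells you which accounts to treat together.
    $sharedIps = $SignIns | Group-Object Ip |
        Where-Object { ($_.Group.User | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Ip       = $_.Name
                Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
                Attempts = $_.Count
            }
        }

    # 3. The same account successfully signing in from two countries inside the
    #    travel window: a strong sign of stolen credentials rather than malware.
    $impossibleTravel = foreach ($g in ($SignIns | Where-Object Success | Group-Object User)) {
        $ordered = @($g.Group | Sort-Object Time)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $curr = $ordered[$i]
            if ($prev.Country -ne $curr.Country -and ($curr.Time - $prev.Time).TotalMinutes -le $TravelWindowMinutes) {
                [pscustomobject]@{
                    User = $g.Name
                    From = "$($prev.Country) $($prev.Time.ToString('HH:mm'))"
                    To   = "$($curr.Country) $($curr.Time.ToString('HH:mm'))"
                }
            }
        }
    }

    [pscustomobject]@{
        UnfamiliarCountry = @($unfamiliar)
        SharedIp          = @($sharedIps)
        ImpossibleTravel  = @($impossibleTravel)
    }
}

$result = Find-SignInLinks -SignIns $signIns -ExpectedCountries 'GB'
"Successful sign-ins from unexpected countries:"
$result.UnfamiliarCountry | Format-Table Time, User, Ip, Country -AutoSize
"Source IPs shared by more than one account:"
$result.SharedIp | Format-Table -AutoSize
"Accounts changing country within $($result.ImpossibleTravel.Count) minutes window check:"
$result.ImpossibleTravel | Format-Table -AutoSize
```

On the sample data this flags alice and bob for successful Nigerian sign-ins, reports 198.51.100.7 as shared by alice, bob and carol (three attempts), and records alice moving from GB to NG in 38 minutes. Carol's NG attempt failed, which is why she appears only in the shared-IP list; a failed attempt from attacker infrastructure is still worth noting in the incident log because it shows her credentials were probably tried.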
Minutes 40–50: preserve evidence
Keep copies of suspicious emails, ransom notes, screenshots, alert details and relevant logs. Record exactly which accounts were reset and devices isolated.
Do not delete attacker-created accounts, wipe devices or rebuild systems until the incident lead has considered evidence needs. Those actions may be appropriate later, but timing matters.
If cyber insurance may apply, contact the insurer using the agreed process. Some policies require approved responders or early notification.
Minutes 50–60: agree the next operational decision
At the end of the first hour, management and technical responders should agree the immediate plan. It may include wider containment, forensic investigation, restoring priority services, communicating with staff and engaging legal or specialist support.
Decide which systems are safe to use. Give employees one clear instruction and tell them how updates will be issued. If company email may be compromised, use a pre-agreed alternative channel.
What not to do
- Do not pay a ransom or negotiate without specialist, legal and insurer advice.
- Do not accuse an employee or supplier before the facts are known.
- Do not post incident details publicly.
- Do not restore large volumes of data before containment.
- Do not use compromised systems to change every password.
- Do not promise customers that no data was affected before investigation.
Consider reporting and notification duties
Incidents involving personal data may create duties under UK data-protection law; under UK GDPR a breach likely to risk individuals' rights must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, so the incident log's timestamps matter. Other contractual, sector or insurance reporting requirements may also apply. Obtain appropriate advice quickly and record the reasoning behind notification decisions.
The National Cyber Security Centre and Action Fraud provide official UK reporting routes and guidance. Your response plan should contain current links and contact details rather than relying on memory during an incident.
Recover in a controlled order
Recovery should follow business priorities and technical dependencies. Validate backups, confirm that the cause has been contained and rebuild from trusted sources. Restoring an infected server or compromised account too early can restart the incident.
Change credentials and security settings in a coordinated way. Monitor restored systems closely and keep the incident log running until the response is formally closed.
Learn after the immediate danger
Hold a review while events are fresh. Identify the initial access route, controls that worked, delays, missing information and recurring weaknesses. Turn each lesson into an owned action with a realistic deadline.
Improvements may include tighter administrator access, better logging, tested backups, staff training, faster patching and a clearer supplier escalation process.
Prepare before an incident
A basic cyber attack response plan should name decision-makers, deputies, technical contacts, insurer details, legal support, communication channels and evidence-handling steps. Run a tabletop exercise at least when major systems or responsibilities change.
Prevention still matters. The five technical controls covered by Cyber Essentials (firewalls, secure configuration, security update management, user access control and malware protection) can reduce exposure to common attacks, while managed Business IT Support helps maintain devices, access and monitoring.
Skynet ICT supports organisations remotely across the UK and onsite through our IT Support in Kent, Essex and South East London coverage. If you suspect an active incident, use your established emergency contact route. For help improving readiness before an incident, contact Skynet ICT.
