What to Do After a Cyber Breach: UK Business Guide
If your business has experienced a cyber breach, act quickly. Contain the threat, preserve evidence, assess what data was affected, notify the ICO within 72 hours if personal data was involved, and engage professional incident response support.
Direct Answer
After a cyber breach: (1) contain the threat by isolating affected systems, (2) preserve evidence for investigation, (3) assess what data and systems were affected, (4) report to the ICO within 72 hours if personal data was compromised, (5) notify affected individuals if there is a high risk to their rights, (6) engage professional incident response support, (7) report to Action Fraud if a crime was committed. Speed matters — the first 24 hours are critical for limiting damage and meeting your legal obligations.
Step-by-Step: After a Cyber Breach
Follow these steps in order after discovering a breach.
1. Contain the Threat
Isolate affected systems from the network immediately. Do not shut them down — this may destroy evidence. Disconnect from the internet if necessary.
2. Preserve Evidence
Do not delete, modify, or rebuild affected systems. Logs, malware samples, and system states are critical for investigation and may be needed for legal proceedings.
3. Assess the Impact
Determine what data was accessed, stolen, or encrypted. Identify which systems were affected and whether the threat is still active.
4. Notify the ICO
If personal data was compromised, you must report to the ICO within 72 hours. Use the ICO's self-assessment tool to determine whether your breach meets the reporting threshold.
5. Notify Affected Parties
If the breach poses a high risk to individuals' rights and freedoms, you must notify them directly and without undue delay.
6. Get Professional Help
Engage an incident response provider to investigate the breach, eradicate the threat, and guide recovery. AMVIA provides emergency IR support to UK businesses.
Breach Response: DIY vs Professional IR
Comparing outcomes when handling a breach internally versus engaging professional support.
| Feature | DIY Response (internal staff only) | Professional IR (£5K–£30K, recommended) |
|---|---|---|
| Threat fully eradicated | Uncertain | Verified |
| Evidence preserved for legal | Often lost | |
| Root cause identified | Rarely | |
| ICO-compliant documentation | Unlikely | |
| Recovery time | Weeks | Days |
| Prevents recurrence | Uncertain | |
Frequently Asked Questions
You must report a personal data breach to the ICO within 72 hours of becoming aware of it, if it poses a risk to individuals' rights and freedoms. Failure to report can result in fines of up to £17.5 million or 4% of annual turnover. The ICO provides a self-assessment tool on its website to help you determine whether your breach meets the reporting threshold.
The NCSC and UK law enforcement strongly advise against paying ransoms. Payment does not guarantee data recovery and may fund further criminal activity. The average cost of the most disruptive breach for UK businesses is £3,550 (DSIT 2025), but ransomware recovery costs can escalate far beyond that. Focus on restoring from clean backups and engaging professional incident response support.
Preserve firewall logs, email server logs, endpoint detection alerts, system images, and any malware samples. Do not rebuild or wipe affected machines until forensic imaging is complete. This evidence is critical for root cause analysis, potential legal proceedings, and your ICO report. A professional incident response team will guide you through evidence collection procedures.
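One way to make the evidence preservation in step 2 and in the answer above checkable, as an added example that is not part of the original guide or any AMVIA tooling: hash each collected file into a manifest at collection time, then re-verify before handing the copies to investigators. The function names, the collector field and the choice of SHA-256 are assumptions of this sketch.

```python
import hashlib
import json
import sys
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large system images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record path, hash and size for every file copied into evidence_dir."""
    root = Path(evidence_dir)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {
        "collector": collector,  # hypothetical field: who gathered the copies
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "entries": [{"file": p.relative_to(root).as_posix(),
                     "sha256": sha256_file(p),
                     "bytes": p.stat().st_size} for p in files],
    }


def verify_manifest(evidence_dir, manifest):
    """Return files that are missing, altered, or appeared after collection."""
    root = Path(evidence_dir)
    known = {e["file"]: e["sha256"] for e in manifest["entries"]}
    problems = {"missing": [], "altered": [], "unexpected": []}
    for name, expected in known.items():
        target = root / name
        if not target.is_file():
            problems["missing"].append(name)
        elif sha256_file(target) != expected:
            problems["altered"].append(name)
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in known:
            problems["unexpected"].append(rel)
    return problems


if __name__ == "__main__":
    # Usage: python manifest.py <evidence_dir> <collector>
    # Store the printed manifest outside the evidence directory.
    print(json.dumps(build_manifest(sys.argv[1], sys.argv[2]), indent=2))
```

Run it against copies of the logs and images rather than the live systems, and keep the manifest on separate media so a later change to the evidence cannot also rewrite the record.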
Conduct a thorough post-incident review to identify the root cause and close the gap. Common remediation steps include enforcing MFA, tightening Conditional Access policies, improving email filtering, and implementing endpoint detection. With 85% of breaches originating from phishing (DSIT 2025), targeted staff awareness training is also essential to reduce the likelihood of recurrence.