What to Do After a Cyber Breach: UK Business Guide
If your business has experienced a cyber breach, act quickly. Contain the threat, preserve evidence, assess what data was affected, notify the ICO within 72 hours if personal data was involved, and engage professional incident response support.
Direct Answer
After a cyber breach: (1) contain the threat by isolating affected systems, (2) preserve evidence for investigation, (3) assess what data and systems were affected, (4) report to the ICO within 72 hours if personal data was compromised, (5) notify affected individuals if there is a high risk to their rights, (6) engage professional incident response support, (7) report to Action Fraud if a crime was committed. Speed matters — the first 24 hours are critical for limiting damage and meeting your legal obligations.
Step-by-Step: After a Cyber Breach
Follow these steps in order after discovering a breach.
1. Contain the Threat
Isolate affected systems from the network immediately. Do not shut them down — this may destroy evidence. Disconnect from the internet if necessary.
2. Preserve Evidence
Do not delete, modify, or rebuild affected systems. Logs, malware samples, and system states are critical for investigation and may be needed for legal proceedings.
3. Assess the Impact
Determine what data was accessed, stolen, or encrypted. Identify which systems were affected and whether the threat is still active.
4. Notify the ICO
If personal data was compromised, you must report to the ICO within 72 hours. Use the ICO's self-assessment tool to determine whether your breach meets the reporting threshold.
5. Notify Affected Parties
If the breach poses a high risk to individuals' rights and freedoms, you must notify them directly and without undue delay.
6. Get Professional Help
Engage an incident response provider to investigate the breach, eradicate the threat, and guide recovery. AMVIA provides emergency IR support to UK businesses.
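Steps 2 and 4 can be backed by a simple integrity record. The following is an added example, not part of the original guide: it hashes collected evidence files so any later change is detectable, and computes the 72-hour ICO deadline. The function names, the sample log lines, and the assumption that the 72 hours run from the moment the business became aware of the breach are assumptions of this example.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

ICO_WINDOW = timedelta(hours=72)  # reporting window from step 4

def sha256_file(path):
    """Hash a file in chunks, opened read-only so the evidence is not altered."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(evidence_dir, aware_at):
    """Record a SHA-256 for every file, plus the ICO deadline (assumed to run from aware_at)."""
    root = Path(evidence_dir)
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"aware_at": aware_at.isoformat(), "files": files,
            "ico_deadline": (aware_at + ICO_WINDOW).isoformat()}

def verify_manifest(evidence_dir, manifest):
    """Return {path: 'missing' | 'modified' | 'added'} for anything changed since the manifest."""
    root = Path(evidence_dir)
    problems = {}
    for name, digest in manifest["files"].items():
        p = root / name
        if not p.is_file():
            problems[name] = "missing"
        elif sha256_file(p) != digest:
            problems[name] = "modified"
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest["files"]:
            problems[rel] = "added"
    return problems

def demo():
    """Constructed sample logs: one is altered and one file appears after the manifest."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "auth.log").write_text("2025-01-10T09:14:02Z failed login for admin\n")
        (root / "access.log").write_text("2025-01-10T09:15:40Z GET /login 200\n")
        manifest = build_manifest(root, datetime(2025, 1, 10, 10, 0, tzinfo=timezone.utc))
        (root / "auth.log").write_text("")   # simulate a log being cleared
        (root / "dropped.tmp").write_text("x")  # simulate a new, unexplained file
        return manifest, verify_manifest(root, manifest)
```

Run it against a copy of the collected logs and keep the resulting manifest away from the affected systems, so the record itself cannot be changed along with the evidence.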
Breach Response: DIY vs Professional IR
Comparing outcomes when handling a breach internally versus engaging professional support.
| Feature | DIY Response (internal staff only) | Professional IR (£5K–£30K, recommended) |
|---|---|---|
| Threat fully eradicated | Uncertain | Verified |
| Evidence preserved for legal | Often lost | |
| Root cause identified | Rarely | |
| ICO-compliant documentation | Unlikely | |
| Recovery time | Weeks | Days |
| Prevents recurrence | Uncertain | |
Frequently Asked Questions
Phishing is the most common attack type, identified by 85% of businesses that experienced a breach (DSIT 2025). Phishing accounts for 93% of cyber crimes against businesses. AI-powered phishing has driven a 204% increase in phishing emails delivering malware in 2025.
Ransomware is malicious software that encrypts your data and demands payment for its return. Approximately 19,000 UK businesses were hit by ransomware in 2025. The median UK ransom demand has doubled to $5.37 million, and average recovery costs reach $2.58 million excluding the ransom itself.
The top threats are phishing (85% of breaches), ransomware (doubled year-on-year), business email compromise (increased 33% in 2025), and supply chain attacks (35.5% of all breaches now originate from third parties). AI-powered attacks are accelerating all of these threat categories.
UK businesses typically allocate 13.2% of their total IT budget to cybersecurity. More than half of UK small businesses increased their cybersecurity spending in 2024. 85% of UK firms plan to boost their cyber budget for 2026. The cost of prevention is significantly less than the average breach cost of £3,550.
Yes. 50% of small businesses (10-49 employees) reported a cybersecurity breach in 2025. UK small businesses face around 65,000 hack attempts daily, with approximately 4,500 successful breaches. More than a quarter of SMBs say a single cyber attack could put them out of business entirely.
Need Emergency Breach Support?
Call our incident response team immediately. Available 24/7 for UK businesses.