The first sign is usually small. A strange login alert. An invoice query from a client. A member of staff who says, “My files have odd names”. Within an hour you are on the phone to your IT provider, trying to work out what is real, what is still working and who you need to tell.
Most UK businesses have lived some version of that moment. The UK Government’s Cyber Security Breaches Survey 2025 reports that around 43% of UK businesses identified a cyber breach or attack in the last year, with higher figures for medium and large firms.
The same survey shows a gap between awareness and readiness. Many organisations have some security tools, yet a much smaller share have a clear incident response plan. Separate research on UK SMEs found that roughly half of smaller businesses admit they would not know what to do if an attack landed on their doorstep.
This playbook is for that moment. It does not try to turn you into a digital forensics expert. It gives owner managers, finance leads and office managers a simple path to follow in the first hours and days of an incident, plus a set of small habits that make recovery faster next time.
If you would like a deeper dive into training staff before anything goes wrong, our article on The Role of Cyber Security Training for Your Staff covers how to turn people into an early warning system rather than a weak spot.
1. Why every SME needs a clear, simple plan
Incidents used to feel like something that happened to banks and global brands. That is no longer true. Smaller firms feature heavily in breach statistics because they often sit in supply chains and hold useful data, yet run lean teams and legacy systems. One 2025 small business study notes that attackers now see SMEs as “soft targets with valuable access”, with many breaches starting from a simple phishing email or stolen credential.
The impact goes far beyond a few hours of downtime. A serious incident can freeze cash flow, delay payroll, trigger breach notifications and strain customer relationships. Regulators expect a level of care around evidence and communication. Insurers look closely at how you handled the event before deciding how to respond to a claim.
Without a plan, every decision must be made in panic. With a plan, you take the same decisions calmly, in a familiar order, with a clear record of what happened and when.
2. What a “good enough” incident playbook looks like
You do not need a glossy binder. A few pages that everyone knows how to find are enough. A useful playbook for a small business usually covers:
- Who can declare an incident and who must be told first.
- How to contact your IT provider out of hours.
- Where key system and contact lists live if email is down.
- Which systems are critical for trading and payroll.
- When to talk to banks, insurers, regulators and law enforcement.
- How to capture basic facts without slowing response.
Think of it as a fire drill for your data and systems. You hope never to use it. You will be glad it exists if you do.
3. The first hour – contain and understand
When you suspect a breach, the first hour is about stopping the damage from getting worse while you work out what is going on.
Start by asking three questions:
- What exactly has been seen or reported?
- Which systems or accounts are involved?
- Is the incident still live, or is this something historic you have just noticed?
If there is clear evidence of active harm, such as files being encrypted, money leaving accounts, or attacker messages on screen, focus on containment. That might mean:
- Disconnecting affected machines from the network.
- Temporarily blocking remote access, VPNs or certain logins.
- Revoking suspicious sessions in your cloud admin portals.
Do not rush to power everything off without advice from your IT partner. Sometimes logs on a live system are your best forensic evidence. Wherever possible, take screenshots and note times before making changes.
4. Assembling your small incident team
Even in a company of thirty people, “security” is rarely one person’s full-time job. A simple incident team might be:
- A senior decision-maker (often the MD or FD).
- The main IT contact or external provider.
- Someone who knows your customers and suppliers well.
- Optionally, a back-up person for communications.
Your playbook should list names, mobile numbers and back-ups. In a real event, get them into a quick call. Agree who leads, who takes notes and who talks to external parties. A short, focused huddle is better than a sprawling all-hands meeting where nobody is sure who is in charge.
5. Preserving evidence without freezing the business
A frequent worry is “If we touch anything, will we ruin the investigation?” In practice, you need a balance. Regulators and insurers care about evidence, but they also expect you to limit damage.
Aim for three habits:
- Write things down. Keep a simple log: times, actions, people involved, screenshots taken, systems affected.
- Duplicate important data before wiping devices. If laptops must be rebuilt, ask your IT provider to retain an image where possible.
- Avoid wiping cloud logs. Do not reset everything in admin portals until you are sure critical logs have been exported.
You are not trying to solve the crime yourself. You are giving future investigators enough information to understand what happened and how to stop a repeat.
6. Talking to banks, insurers and regulators
Money moves fast, so payment-related incidents need early bank contact. If there is any chance that invoices, direct debits or payroll files have been tampered with, call your bank on a trusted number and explain what you know so far. Early notice can sometimes halt or trace fraudulent transfers.
Next, think about your insurance policy. Many cyber or business policies require you to notify the insurer quickly and may give access to specialist incident response firms. Calling them sooner rather than later avoids subsequent arguments about delays or missed conditions.
Regulatory reporting is more nuanced. If personal data might be involved, you may need to consider reporting to the ICO under data protection rules. Your legal adviser or insurer panel can help you decide if the threshold is met and how to frame the report. The important thing is that you can show you considered the question in good time, not that you never had an incident.
7. Communicating with staff, clients and suppliers
Silence breeds rumour. At the same time, speculation can cause more harm than good. Aim for short, honest, staged updates.
For staff:
- Confirm what has happened in simple terms.
- Explain any temporary restrictions, such as systems being offline or password resets.
- Ask them to route media or social enquiries to a single contact.
For clients and suppliers:
- Start with those directly affected or at highest risk.
- Focus on what you know, what you are still checking, and what you need them to do, if anything.
- Avoid blaming language while facts are still emerging.
Your tone matters. Calm, factual messages build trust even when the news is unwelcome.
8. The next 72 hours – dig, fix, verify
Once the immediate fire is under control, your focus shifts to understanding scope and closing gaps.
Typical actions include:
- Checking which accounts and devices were touched and how.
- Reviewing email rules, forwarding settings and sign-in history.
- Validating backups and testing restores on non-production systems.
- Hardening obvious weak spots such as single-factor logins exposed to the internet.
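The bullet on reviewing email rules and forwarding settings is where many business email compromises are spotted. The following is an added example, not code from the original article or from Mustard IT: a small Python triage of a mailbox-rule export that flags the patterns a reviewer should look at first. The export field names, the internal domain and the sample rules are all assumed or constructed.

```python
# Added example (not Mustard IT's code): triage a JSON-style export of mailbox
# inbox rules. Field names are assumed; the sample rules below are constructed.

# The organisation's own email domains (assumed placeholder value).
INTERNAL_DOMAINS = {"example.co.uk"}
# Subject terms that, paired with a delete or move action, often hide
# finance or account-recovery mail from the mailbox owner.
WATCH_WORDS = {"invoice", "payment", "bank", "remittance", "password"}

# Constructed sample export: one dict per inbox rule.
SAMPLE_RULES = [
    {"mailbox": "finance@example.co.uk", "name": "Archive newsletters",
     "forward_to": [], "subject_contains": ["newsletter"], "action": "move"},
    {"mailbox": "finance@example.co.uk", "name": ".",
     "forward_to": ["relay@external-mail.example"], "subject_contains": [],
     "action": "forward"},
    {"mailbox": "md@example.co.uk", "name": "Cleanup",
     "forward_to": [], "subject_contains": ["Invoice", "payment"],
     "action": "delete"},
]

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def review_rule(rule: dict) -> list[str]:
    """Reasons this rule deserves a human look; empty list means nothing seen."""
    reasons = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    if rule.get("action") in ("delete", "move"):
        hits = [w for w in rule.get("subject_contains", []) if w.lower() in WATCH_WORDS]
        if hits:
            reasons.append(f"{rule['action']}s mail mentioning " + ", ".join(hits))
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons

def review_export(rules: list[dict]) -> dict[str, list[str]]:
    """Map 'mailbox / rule name' to its reasons, keeping only flagged rules."""
    findings = {}
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            findings[f"{rule['mailbox']} / {rule['name']}"] = reasons
    return findings
```

Running review_export(SAMPLE_RULES) flags the unnamed external-forwarding rule and the rule that deletes invoice and payment mail, while the newsletter rule passes. Anything flagged is a prompt for a conversation with the mailbox owner and an entry in the incident log, not proof on its own.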
This is where prior investment in backup and recovery really pays off. Our article on Best Practices for Disaster Recovery to the Cloud looks at how to structure cloud backups and failover routines so you can restore with confidence rather than crossed fingers.
At this stage, avoid the urge to make huge architectural changes in the middle of recovery. Fix the essentials, get stable, then plan bigger improvements once the dust has settled.
9. Building steady resilience, not instant perfection
You cannot fix everything at once. The good news is you do not need to. Incremental improvements add up if you keep going.
Common early moves include:
- Enabling multi-factor authentication on remote access and email.
- Reducing the number of people with admin rights.
- Making sure backups are offline or immutable, not just “another folder on the same server”.
- Documenting key suppliers and how to reach them in a hurry.
Over time, you can align your playbook with external guidance such as the government’s Cyber Security Breaches work and small business response guides, which now stress recovery and continuity as much as prevention for UK firms of every size. The trend across surveys is clear: incidents are common, but businesses that plan, practise and invest in recovery cope far better than those who hope for the best.
10. Bringing it all together
Cyber incidents will always be stressful. They do not have to be chaotic. A lean playbook, a small named team, sensible communications and steady practice can turn a scary unknown into a tough but manageable business event.
For a small company, that can be the difference between an ugly week and an existential crisis. You may never remove all risk, but you can decide that if trouble arrives, you will meet it with a plan, not a blank stare.
If you would like help turning these ideas into something concrete for your own organisation, from incident runbooks to disaster recovery testing and staff training, we are ready to assist.
Need a clear, practical incident plan before the next alert hits your inbox? Contact the Mustard IT team