"We’ve Been Breached!" – What UK SMBs Must Do in the First 24 Hours (and Why Most Get It Wrong)

A cyber breach can cripple your small business. This no-nonsense guide explains what to do in the first 24 hours—before the damage spirals.

If your small business in the UK has been hacked or attacked online, this is a big problem. It’s not just an IT issue that your tech person can fix with a quick reboot. A breach can lead to serious legal consequences, hurt your business’s reputation, cost you a lot of money, and even force you to close your doors if it’s not handled properly.

Before we go any further:

This is NOT legal advice. You must speak to a qualified solicitor who understands cyber law and your responsibilities.

This guide walks you through what to do step-by-step, especially in the first 24 hours, which are absolutely critical.

Step 1: Accept That You've Been Breached

The first step is often the hardest – admitting there’s a problem. If your systems are behaving strangely, customer records are missing, or someone tells you your data has been leaked, don’t wait around hoping it’ll go away. Time is everything. The quicker you respond, the more you can limit the damage.

A lot of harm comes from delay. If you ignore the signs or convince yourself it's nothing, the attackers might still be inside your system, watching and waiting. Act fast.

Step 2: Bring in an Incident Manager (and No, It Shouldn’t Be Your IT Person)

You need someone who knows exactly what to do in these situations. That person is called an Incident Manager. They are trained to take control during a cyber crisis. This must be someone from outside your organisation who isn’t tied to your current IT provider.

Why? Because you need someone neutral who can make tough decisions and hold everyone accountable, including your existing IT team if necessary. They will coordinate everything: technical response, legal duties, communication, and more. They are your crisis commander.

Hour 1: Contain the Damage

Once a breach is suspected, you must stop it from spreading. That means disconnecting any affected computers or devices from the internet at a minimum, and from your internal network as well once they can be identified. This is like stopping a fire from jumping to other rooms.

Do not reboot or power down anything. This is a common mistake and can be very damaging from a forensic point of view. When a system is shut down or restarted, important clues about the breach can be lost. Forensic experts rely on memory data (RAM), temporary files, logs, and active connections to understand how the attack happened. Rebooting can wipe or change this evidence before anyone has had a chance to collect it.

You also must not delete or reset anything. It might seem like you’re cleaning up, but in reality, you could be destroying the very information investigators need to figure out what happened and whether data was stolen.
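To show what "disconnect, but don't power down" looks like on a Linux host, here is an added example (not from the article or its author): a POSIX shell script that first snapshots the volatile evidence the article mentions (logged-in users, running processes, active connections) into a hashed evidence folder, and only then cuts the network by bringing interfaces down, never by rebooting. The evidence path, the DRY_RUN default and the choice of commands are assumptions for illustration.

```shell
#!/bin/sh
# Added illustration, not the article's own procedure. Assumes a Linux host
# and root privileges; EVIDENCE_DIR and the captured commands are assumptions.
EVIDENCE_DIR="${EVIDENCE_DIR:-${TMPDIR:-/tmp}/ir-$(date -u +%Y%m%dT%H%M%SZ)}"

# Run one command, save its output, and record a SHA-256 hash so the
# investigator can later show the snapshot was not altered after capture.
capture() {
  name="$1"; shift
  out="$EVIDENCE_DIR/$name.txt"
  "$@" > "$out" 2>&1 || true      # a missing tool is recorded, not fatal
  sha256sum "$out" >> "$EVIDENCE_DIR/MANIFEST.sha256"
}

# Volatile state that a reboot or shutdown would destroy. Collect it BEFORE
# touching the network, because isolation itself changes the connection table.
collect_volatile() {
  mkdir -p "$EVIDENCE_DIR"
  capture date      date -u
  capture hostname  hostname
  capture uptime    uptime                       # resets on reboot
  capture who       who -a                       # interactive sessions
  capture ps        ps -eo pid,ppid,user,lstart,cmd
  capture sockets   ss -tunap                    # active connections + owners
  capture routes    ip route
  capture arp       ip neigh
  printf '%s\n' "$EVIDENCE_DIR"
}

# Isolate without powering off: take every non-loopback interface down.
# DRY_RUN=1 (the default here) only lists what would be cut.
isolate_network() {
  [ -d /sys/class/net ] || return 0
  for iface in $(ls /sys/class/net); do
    [ "$iface" = lo ] && continue
    if [ "${DRY_RUN:-1}" = 1 ]; then
      printf 'would disable %s\n' "$iface"
    else
      ip link set "$iface" down
    fi
  done
}

# Re-check the evidence folder against its manifest (exit 0 if untouched).
verify_manifest() {
  sha256sum -c "$EVIDENCE_DIR/MANIFEST.sha256" >/dev/null 2>&1
}
```

Run `collect_volatile` first, then `DRY_RUN=0 isolate_network` once you are sure which machines are affected; leave the machine powered on for the forensic team.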

Hour 2: Contact Your Cyber Insurance Provider

If you have cyber insurance, now is the time to use it. Most policies require you to inform them immediately. If you delay, you might void your coverage.

Insurance companies usually have a team of experts on call. They might provide legal support, technical investigation, and help with public statements. These resources can be a huge help, especially if you’re overwhelmed.

Hour 3: Notify the ICO if Personal Data is Involved

The Information Commissioner’s Office (ICO) is the UK regulator that looks after people’s personal data. If you believe any personal data (like customer names, emails, or payment info) has been accessed or leaked, you may be legally required to report the breach.

You must do this within 72 hours of becoming aware of the issue.

Even if you’re not sure, it’s better to start the process and update them later. Not reporting when you should have can lead to heavy fines.

Hour 4: Talk to Your Staff the Right Way

Your team will notice something is wrong, especially if systems are down. But how you talk to them matters. You need to avoid panic, blame, or confusion.

Give them clear, calm instructions. Tell them not to log into systems or use work devices unless told otherwise. Most importantly, keep them updated regularly. Confusion creates mistakes, and mistakes during a breach can make things worse.

Hour 6: Communicate with Your Customers (If Affected)

If your customers' data has been exposed or they can’t access your services, you must tell them. Honesty is essential.

Even if you don’t have all the answers yet, letting people know you’re aware of the issue and working on it builds trust. Hiding the problem often backfires, especially if the story breaks in the media or on social media first.

Hour 12: Start the Investigation

This is when the real digging begins. Your Incident Manager should bring in forensic experts who understand how to track what happened.

Their job is to answer key questions:

  • How did the attackers get in?

  • What systems did they access?

  • What data was taken or damaged?

  • Are the attackers still inside?

Don’t try to fix or rebuild anything yet. The more you touch, the harder it is for experts to understand the full picture. It’s like a crime scene – you don’t want to move anything until the investigators arrive.

Hour 18: Begin Recovery (Only When Safe)

Once the investigation says it’s safe to start recovery, then and only then should you begin restoring systems. That includes:

  • Rebuilding infected systems properly

  • Resetting every password across the business

  • Adding better protection, like two-step logins

  • Setting up alerts in case the attackers try again

If the breach happened because of poor habits (like weak passwords or old software), now is the time to change those for good.

Hour 24: Inform Business Leaders and Start Reporting

By the end of day one, your directors or managers need a clear picture. Even if the breach isn’t fully over, they need to know what’s happened, what you’ve done, and what still needs doing.

You should also start putting together a written report. This will help when dealing with your insurer, the ICO, and any customers or suppliers who ask for details later.

After the Breach: Learn From What Went Wrong

Most breaches don’t happen because of super-smart hackers. They happen because of simple mistakes:

  • Computers weren’t updated

  • No one was checking for suspicious activity

  • Backups didn’t exist or weren’t tested

  • People were reusing weak passwords

If your IT support allowed these issues, it’s time to ask why. An honest post-incident review should lay out the truth. Don’t just patch things up. Make changes that reduce your risk in the future.

This could include getting certified under Cyber Essentials, a UK government-backed standard that shows you’re following basic cyber hygiene.

Final Thoughts: Breaches Aren't One-Day Problems

Getting attacked online isn’t something you bounce back from overnight. It can take weeks or even months to fully recover. Some businesses never do.

But if you respond quickly, stay calm, and get the right help, you can protect your business and rebuild.

  • Don’t delay taking action

  • Don’t rely only on your IT provider

  • Don’t ignore legal responsibilities

Plan ahead, and next time – if there is a next time – you’ll be ready.

And once more for clarity:

This is not legal advice. You must speak to a qualified solicitor if your business is breached.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com