The FBI once famously said: “There are only two types of companies: those that have been hacked and those that will be hacked.”

The Cyber Security Breaches Survey published by the government earlier this year reported that cyber security was a “high priority” for virtually all businesses.

However, that same survey revealed that just 19% of businesses have a formal incident response plan in place setting out the steps that ought to be taken in the immediate aftermath of a cyber attack.

Every business should have an incident response guide which sets out:

  • the names and contact details of the people who will work together to resolve the incident; and
  • the initial steps that should be taken upon discovering a cyber security incident.

The incident response team

One of the main priorities of an incident response plan is to create an incident response team which will deploy in the event of an attack. The plan should be kept up to date and include emergency contact details for the core incident response team.

The incident response team should include:

  • An Incident Response Manager

This person is likely to be a senior manager within your organisation who will spearhead the incident response team.

  • A Deputy Incident Response Manager

This person will be responsible for documenting the findings of an investigation into a cyber security incident and is likely to be a manager within your organisation.

  • IT contact

This person will be responsible for (i) discovering and undertaking an initial assessment of a cyber security incident; (ii) containing and eradicating a cyber security incident; and (iii) assisting any external digital forensics experts instructed in respect of a cyber security incident. This person is likely to be a senior and experienced member of your IT team.

  • Legal contact

This person will be responsible for managing the legal or regulatory issues arising following a cyber security incident. This person is likely to be a member of your in-house legal team or a member of senior management who is typically tasked with instructing external lawyers.

  • PR and Communications contact

This person will be responsible for communicating with clients, third parties and the media following a cyber security incident. This person is likely to be a member of your PR and Communications team or the person who is typically tasked with instructing external PR/Communications agencies.

  • HR contact

This person will be responsible for managing all communications with employees in the event of a cyber security incident. This person will be a member of your Human Resources team.

Initial steps

An effective incident response plan will map out the initial steps that are required to be taken upon the discovery of a cyber threat.

These steps typically include:

  • Assess the impact

If you think you have suffered a data breach or cyber incident, it is important that you immediately assess the impact it will have on your business.

  • Seek specialist advice

Specialist legal and technical advice should be sought immediately where a significant threat is encountered, particularly because, in those circumstances, the Information Commissioner’s Office is likely to need to be notified within 72 hours of the incident being discovered.

  • Mobilise your internal incident response team

Once the incident has been reported to the appropriate external advisers, the internal incident response team should be mobilised.

Your Incident Response Manager should be trained to ensure that the investigation into the incident progresses in accordance with best practice. They will also manage the flow of information to external advisers.

  • The internal investigation: initial stages

Your Incident Response Manager should ensure that:

  • all affected computers are taken offline. They should not be turned off or examined until the appropriate digital forensics team arrives; and
  • everything known about the breach is carefully documented, including who discovered it, who reported it, to whom it was reported, the type of breach that occurred, what systems are affected, what information is at risk and the effect it has on the business.

It is important that the internal investigation into the incident does not unwittingly create documents which could prove to be incriminating in any regulatory investigation which follows a data breach or cyber incident.

  • Contact the appropriate agencies

It is possible that any data breach or cyber incident suffered will need to be reported to a number of different regulatory bodies, including the Information Commissioner’s Office.

Depending on the nature and extent of the breach, it may also be appropriate to report the matter to the relevant law enforcement agencies.

Investment in establishing an effective incident response plan brings with it many benefits including improved resilience, a greater chance of achieving business continuity and a reduction in the financial impact of a cyber attack.

The old adage that failing to prepare is preparing to fail is particularly true as far as cyber attacks are concerned. A business could not possibly take the appropriate steps to contain and manage the plethora of issues which flow from a cyber attack amid the panic and confusion that follow its discovery.

It is therefore important that the plan is produced and tested in a safe and sedate environment prior to an attack occurring.