If the attack is happening right now

If your systems are actively being compromised — ransomware is encrypting files, someone is logged in who shouldn't be, or money is moving — this is a live incident and your first call should be to the police, not your IT provider.

Report Fraud emergency line: 0300 123 2040
Specialist advisors are available 24 hours a day, 7 days a week specifically for businesses under a live cyber attack. Call immediately. Do not wait until business hours.

Source: reportfraud.police.uk — Contact Us, City of London Police

Once you have made that call, or if the attack appears to have already taken place rather than being live, work through the steps below.


Step by step: what to do immediately

These steps are in order of priority. Do not skip ahead — the sequence matters.

01. Isolate the affected device or system

Disconnect the compromised machine from your network — unplug the ethernet cable, turn off Wi-Fi, and if necessary, power it down. The goal is to stop the attacker from moving further through your systems. Do not delete anything. Deleting files destroys the evidence trail.

02. Change your passwords — from a different, clean device

Immediately change passwords for email, banking, cloud accounts, and any system the compromised device had access to. Use a different phone or laptop to do this — not the affected machine. Enable two-factor authentication anywhere it isn't already on.

03. Contact your bank if money or payment data is involved

If any banking credentials, payment systems, or financial accounts may have been exposed, call your bank's fraud line immediately. Banks have dedicated incident teams and can freeze accounts, reverse transactions, and flag your account for monitoring. Every minute counts when money is involved.

04. Document everything — before you touch anything else

Take photographs of screens showing error messages, ransomware notes, or unusual activity. Write down what you noticed, when you noticed it, and what you or your staff did in response. This record will be needed by the police, your insurer, and potentially the ICO.

05. Tell your staff — calmly and clearly

Your team needs to know what has happened so they do not inadvertently make things worse — opening emails, sharing files, or using connected systems. Keep it factual. You do not need to have all the answers yet.

06. Call your IT provider or a cyber incident specialist

Once you have isolated systems and secured accounts, bring in technical help. If you do not have an IT provider, the NCSC maintains a list of assured cyber incident response companies that can provide professional support. A GET-IT post-incident review can also help you understand what happened and close the gap — see below.


Who do I need to notify?

This is where many businesses fall short — either notifying the wrong people, or not notifying anyone at all. Depending on what was compromised, you may have legal obligations to report within a specific timeframe.

⚠ Mandatory — if personal data is involved (72-HOUR DEADLINE)

Information Commissioner's Office (ICO)

Under UK GDPR, if personal data belonging to employees, customers, or suppliers has been accessed, lost, or exposed, you are legally required to report this to the ICO within 72 hours of becoming aware. Missing this deadline can result in regulatory action, even if the breach itself was not your fault.

Report a breach to the ICO →

Source: reportfraud.police.uk — Guide to Reporting

⚠ Mandatory — all cyber crimes (AS SOON AS POSSIBLE)

Report Fraud (Police)

Cyber crime and fraud should be reported to Report Fraud — the UK's national reporting centre run by the City of London Police. You can report online any time of day or night, or call 0300 123 2040 during core hours. You will receive a crime reference number, which you will need for your insurer.

Report online at reportfraud.police.uk →

Source: reportfraud.police.uk — Guide to Reporting

Recommended

Your Cyber Insurance Provider

If you have a cyber insurance policy, notify your insurer as early as possible. Most policies require prompt notification and many include access to an incident response team as part of your cover. Delaying notification can affect your ability to make a claim.

Where relevant

Your Customers or Suppliers

If any client or supplier data has been compromised, they may need to be informed — particularly if they face any ongoing risk as a result. This is both a legal consideration under UK GDPR and a matter of maintaining trust. Take advice from your IT specialist or solicitor on the appropriate wording.

Scotland: If your business is based in Scotland, cyber crime should be reported via 101 or Police Scotland directly, rather than through the Report Fraud online service. The ICO notification obligation still applies regardless of location within the UK.

Source: reportfraud.police.uk — Reporting a Fraud


What comes next — once the immediate crisis is over

Containing an attack is only the first step. Once you have stabilised the situation and made the necessary notifications, the real work begins: understanding what actually happened, how far it spread, and how to make sure it cannot happen again in the same way.

This is where many businesses get it wrong. They restore from backup, change a few passwords, and consider it resolved. Weeks later, the attacker — who may have left a backdoor — is still present. Or the same vulnerability gets exploited a second time.

The NCSC advises that organisations should review what access the attacker had, identify how they got in, assess what data may have been accessed or exfiltrated, and take steps to prevent recurrence — not just restore operations. A return to normal without understanding the root cause is not a recovery. It is a postponement.

Source: NCSC — Mitigating Malware and Ransomware Attacks

A structured post-incident review covers: how the attacker gained access, what systems and data were exposed, whether any persistence mechanisms remain, and a prioritised remediation plan. It also gives you something concrete to show your insurer, the ICO, and any affected clients — demonstrating that you have taken the incident seriously and acted responsibly.


Some things people often get wrong

These are the most common mistakes businesses make in the hours and days after an incident:

Once the immediate crisis is under control

You will have questions. How did this happen? What did they access? What do I need to tell the ICO? Is anything still at risk? A GET-IT post-incident review gives you clear, honest answers — and a practical plan for what comes next.

No jargon. No upselling. Just a clear picture of where you stand and what needs to happen.
