Organisational design | Dec 10

After the hack: what small business leaders should do next


How to respond, recover, and rebuild after a cyber-attack

Ian Wylie, journalist, broadcaster, educator


When the first staff at BriteLedger, a small London accountancy firm, began arriving at the office one Tuesday morning, it did not take long for panic to ripple across the team. The bookkeeping software wouldn’t open. Shared folders were inaccessible. Several employees stared at red error messages and an ominous ransom note glowed on the main server screen. Overnight, the business had been hacked. 

It started, they learned later, with a single click. A graduate intern, eager to clear her inbox before a client call, opened what looked like a routine document from a supplier. Instead, the attachment launched malware, silently working its way across the network. By the time the team noticed anything unusual, customer data was encrypted and many core systems were down. 

The emotional toll was as significant as the operational chaos. Staff members were shaken, replaying the previous day to work out who ‘caused’ the breach. Managers worried about client anger and regulatory fallout. A few longstanding customers called to ask why emails weren’t being returned. BriteLedger had weathered tough times before, but nothing felt as disorienting as this. 

As the company directors gathered in the conference room, paper notebooks replacing laptops for the first time in years, they faced a frightening but essential question: What now?  

BriteLedger is a fictional business based on a real-life example, but its dilemma is one that thousands of small businesses face each year. Typical routes in range from phishing attacks, where criminals trick employees into opening a malicious attachment or revealing passwords or financial information, to password-based attacks such as credential stuffing or brute forcing, where weak or reused passwords are exploited to gain unauthorised access.  

Almost six in 10 SMEs say they have experienced a cyber-attack in the last 12 months, according to a recent survey by insurer Hiscox. And while every cyber incident unfolds differently, the steps leaders should take next are reassuringly consistent.  

The crucial first 24 hours 

In an ideal world, your response should be to follow the incident plan you prepared earlier, says Steven Furnell, professor of cyber security at the University of Nottingham. But for businesses without a ready-made plan, he advises turning immediately to the National Cyber Security Centre’s Small Business Guide on Response and Recovery, especially Steps 2 and 3, which focus on identifying what is happening, understanding what systems are affected, and preventing the situation from worsening.  

If your business has cyber insurance, Simon Heath, Director of IT services business The Final Step, advises contacting the insurer immediately for its technical, legal, and PR advice. ‘They should also help set parameters around communications and prioritise possibly conflicting next steps to take,’ he suggests. 

Heath also emphasises confirming the incident’s extent, gathering internal staff and external IT support, checking your business continuity and disaster recovery plans, documenting every action taken, and isolating affected systems and users.  

Common mistakes Heath sees small companies make? Incidents that are incorrectly reported, prioritised or investigated, and remediation efforts that are poorly documented. ‘And often they seek to redress the problem without investigating root causes,’ he notes. ‘That’s important for learning and taking additional steps.’ 
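‘Document every action taken’ sounds simple, but a record kept in a shared spreadsheet can be edited after the fact, which is exactly what an insurer, a regulator or a forensic investigator will worry about. The script below is an added example, not code from the article, the NCSC guidance or either of the people quoted. It keeps an append-only incident log in which each entry carries a timestamp, the person acting, the action, and a SHA-256 hash chained to the previous entry, so a later edit to any line can be detected. The BriteLedger actions, timestamps and file name in the walk-through are constructed for illustration.

```python
"""Tamper-evident incident action log (added example, not from the original article)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor used as prev_hash for the first entry


def _entry_hash(prev_hash: str, ts: str, who: str, action: str, detail: str) -> str:
    # Hash the fields in a fixed order so verification can reproduce the value exactly.
    payload = json.dumps([prev_hash, ts, who, action, detail], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def read_log(log_path: Path) -> List[dict]:
    # One JSON object per line; an empty or missing file is an empty log.
    if not log_path.exists():
        return []
    with log_path.open(encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def record_action(log_path: Path, who: str, action: str, detail: str,
                  ts: Optional[str] = None) -> dict:
    """Append one timestamped entry chained to the previous one and return it."""
    entries = read_log(log_path)
    prev_hash = entries[-1]["hash"] if entries else GENESIS
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    entry = {"seq": len(entries) + 1, "ts": ts, "who": who, "action": action,
             "detail": detail, "prev_hash": prev_hash,
             "hash": _entry_hash(prev_hash, ts, who, action, detail)}
    with log_path.open("a", encoding="utf-8") as fh:  # append only: never rewrite the file
        fh.write(json.dumps(entry, separators=(",", ":")) + "\n")
    return entry


def verify_log(log_path: Path) -> Tuple[bool, int]:
    """Recompute the whole chain. Returns (ok, seq of first bad entry); seq is 0 when ok."""
    prev_hash = GENESIS
    for expected_seq, e in enumerate(read_log(log_path), start=1):
        recomputed = _entry_hash(prev_hash, e["ts"], e["who"], e["action"], e["detail"])
        if e["seq"] != expected_seq or e["prev_hash"] != prev_hash or e["hash"] != recomputed:
            return False, expected_seq
        prev_hash = e["hash"]
    return True, 0


def edit_entry_in_place(log_path: Path, seq: int, new_detail: str) -> None:
    """Simulate someone quietly 'tidying up' an entry after the fact (hash not updated)."""
    entries = read_log(log_path)
    entries[seq - 1]["detail"] = new_detail
    with log_path.open("w", encoding="utf-8") as fh:
        for e in entries:
            fh.write(json.dumps(e, separators=(",", ":")) + "\n")


def demo() -> Tuple[bool, bool, int]:
    """Constructed walk-through with fictional BriteLedger actions.

    Returns (chain ok before edit, chain ok after edit, seq flagged after edit)."""
    log = Path(tempfile.mkdtemp()) / "incident-log.jsonl"  # illustrative file name
    record_action(log, "duty director", "isolate",
                  "Unplugged main server from the LAN; left powered on for forensics",
                  ts="2024-06-11T07:42:00+00:00")
    record_action(log, "IT support", "contain",
                  "Disabled the intern's user account; forced password reset for all staff",
                  ts="2024-06-11T08:05:00+00:00")
    record_action(log, "duty director", "notify",
                  "Called cyber insurer hotline; claim reference noted separately",
                  ts="2024-06-11T08:20:00+00:00")
    ok_before, _ = verify_log(log)
    edit_entry_in_place(log, 2, "Disabled the intern's user account")  # the forced reset is dropped
    ok_after, bad_seq = verify_log(log)
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(demo())  # (True, False, 2): the edited second entry breaks the chain
```

Keep the log on a device that is not part of the compromised network (a laptop that was never on the domain, or a phone), and copy the final hash to the insurer or IT support at each hand-over; that outside copy is what makes a later edit provable rather than merely detectable.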

The weeks after: rebuilding trust  

Once the immediate danger has passed, the challenge shifts to repairing trust. ‘Communication is key,’ says Furnell, pointing to Step 4 of the NCSC guidance, which emphasises transparent reporting to stakeholders.  

He reminds SME leaders that reporting a personal data breach to the Information Commissioner’s Office within 72 hours of becoming aware of it is a legal requirement, and the ICO provides its own guidance on managing such breaches. Businesses that communicate clearly, whether with customers, partners or staff, are better positioned to restore relationships damaged by the breach. 

Getting help when you don’t have experts in-house 

‘Many SMEs feel isolated in terms of dealing with cyber security,’ says Furnell, who encourages small firms to start with accessible NCSC resources such as the Small Business Guide on Cyber Security and the Cyber Action Toolkit, which help build foundational knowledge.  

He also describes a pilot programme he is involved in, the Cyber Security Communities of Support, which bring SMEs and experts together to discuss security concerns ‘in a less formal manner’. Though not designed for emergency response, these communities can provide an invaluable peer-support network.  

Building long-term resilience 

‘Cyber security needs attention proactively rather than just in response to incidents occurring,’ warns Furnell, who points to Step 1 of the NCSC guidance (preparing in advance) and Step 5 (learning from incidents). Reflecting on what happened – and why – helps prevent recurrence and strengthens organisational resilience. A cyber-attack doesn’t have to mark the beginning of decline.  

With calm decision-making, clear communication, expert-informed actions, and a commitment to learning, a small business can not only recover but return stronger and more secure than before. 
