The First Hour of a Cyber Incident: What UK Businesses Must Do
- April 8, 2026
- Posted by: Gradeon
- Category: Cyber Security

The first hour of a cyber incident is the most critical period in your entire response. The decisions made in those 60 minutes determine how far the attacker gets, how much data is exposed, and how long your recovery takes.
Most UK businesses focus on prevention but have no clear plan for what to do when something actually happens. This guide gives IT managers, security leads, and business directors a practical, step-by-step framework for the first 60 minutes of any cyber incident, based on NCSC guidance and UK incident response best practice.
Before Anything Else: Confirm It Is Actually an Incident
Not every alert is an incident. Not every outage is an attack.
Your first task is to assess whether what you are seeing is a genuine security incident or a technical fault. A server going offline, a user being locked out of their account, or unusual network slowness can all have innocent explanations.
Ask three questions immediately:
- Is there evidence of unauthorised access, data exfiltration, or system encryption?
- Is the issue isolated to one device or spreading across multiple systems?
- Has anyone received a ransom note, suspicious communication, or seen unfamiliar files or processes?
If the answer to any of these is yes, treat it as a confirmed incident and proceed immediately.
Minutes 0 to 10: Contain First, Investigate Second
The instinct is to understand what happened. The priority is to stop it spreading.
Disconnect affected devices from the network. Unplug the network cable. Disable Wi-Fi on affected machines. Do not shut the device down unless instructed by your incident response provider, as live memory can contain forensic evidence that powering off would destroy.
Isolate affected network segments. If the incident appears to be spreading, disable affected network switches or VLAN segments. This is disruptive, but it limits lateral movement across your environment.
Revoke compromised credentials immediately. If you believe an account has been compromised, disable it at the directory level. Do not rely on a password change alone: sessions already open and tokens or tickets already issued can outlive it, and the attacker may hold other credentials for the same user. Disable the account and revoke its active sessions, then reset the password before the account is ever re-enabled.
Do not attempt to clean or restore anything yet. Recovery comes later. Premature cleanup destroys forensic evidence, can spread the issue further, and may void cyber insurance claims if done before your insurer is notified.
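The containment steps above, as an added example of what they look like in an on-premises Active Directory environment (example code, not from the original article): the suspect account is disabled at the directory level and its password reset to a random value, and the affected host is taken off the network without being powered off. The account name j.smith, the log path and the RSAT ActiveDirectory module are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original article. Assumes an on-premises
# Active Directory domain, the RSAT ActiveDirectory module, and a hypothetical
# account 'j.smith'; the log path is also an assumption.
Import-Module ActiveDirectory

$LogPath = 'C:\IR\containment.log'

function Write-IrLog {
    param([string]$Message)
    # UTC timestamps keep the record consistent with cloud and SIEM logs.
    $stamp = (Get-Date).ToUniversalTime().ToString('o')
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value "$stamp $env:USERNAME $Message"
}

function Disable-CompromisedAccount {
    # Run from an admin workstation that is NOT the affected host.
    param([Parameter(Mandatory)][string]$User)

    # 1. Disable at the directory level so no new logons succeed anywhere.
    Disable-ADAccount -Identity $User
    Write-IrLog "Disabled AD account $User"

    # 2. Reset the password to a random value so a cached copy is useless
    #    if the account is later re-enabled. Tickets and sessions already
    #    issued can outlive this, which is why the host is isolated too.
    $alphabet = [char[]]((48..57) + (65..90) + (97..122) + (35..38))
    $newPwd   = -join ($alphabet | Get-Random -Count 28)
    Set-ADAccountPassword -Identity $User -Reset `
        -NewPassword (ConvertTo-SecureString $newPwd -AsPlainText -Force)
    Write-IrLog "Reset password for $User"

    # 3. Capture the account state for the scope assessment that follows.
    Get-ADUser -Identity $User -Properties Enabled, LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}

function Disable-HostNetwork {
    # Run ON the affected host (console or out-of-band access). Takes the
    # machine off the network but leaves it powered on so volatile memory
    # survives for forensic capture.
    $adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
    Write-IrLog ("Isolating {0}: disabling {1}" -f $env:COMPUTERNAME, ($adapters.Name -join ', '))
    $adapters | Disable-NetAdapter -Confirm:$false
}

# Usage (hypothetical account), from the admin workstation:
Disable-CompromisedAccount -User 'j.smith'
# Then, on the affected endpoint itself:
# Disable-HostNetwork
```

Disable-HostNetwork severs the session it is run from, so it is typed at the console or through out-of-band management rather than over the network you are cutting. For accounts in Entra ID, the equivalent step is to disable the user and revoke sign-in sessions in the admin portal; that variant is not shown here.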
Minutes 10 to 20: Alert the Right People
A cyber incident is not just a technical problem. As the NCSC notes in its guidance for CEOs, a serious cyber incident is simultaneously a business continuity issue, a communications challenge, and potentially a legal and regulatory matter.
The following people need to be alerted within the first 20 minutes:
Your IT lead or managed security provider. They need to know immediately so technical containment can begin in parallel with your management response.
Your CEO or most senior decision-maker available. This person needs to authorise actions, make risk-based decisions, and be available for external communications if required.
Your cyber insurer. Most UK cyber insurance policies require prompt notification. Failing to notify early can affect your ability to claim. Your insurer may also have pre-approved incident response firms you can activate immediately at policy rates.
Your legal counsel or data protection lead. If personal data may be involved, the 72-hour window for notifying the ICO under UK GDPR runs from the moment you became aware of the breach, so the clock is already running.
Do not notify customers, suppliers, or the press at this stage. External communications require legal review and must be factual and consistent.
Minutes 20 to 40: Assess the Scope
With containment underway and the right people alerted, you now need a clear picture of what you are dealing with.
Map what is affected. Which systems, servers, and user accounts are showing signs of compromise? Which are clean? Document this list precisely with timestamps.
Determine what data may be at risk. Has the affected environment processed or stored personal data, payment card data, commercially sensitive information, or intellectual property? The type of data involved determines your regulatory obligations.
Check your backups. Are your backups intact, recent, and stored in a location that was not connected to the affected environment? The answer to this question defines your recovery timeline more than anything else.
Identify the likely entry point. Was it a phishing email? An exposed remote desktop connection? A compromised third-party account? You do not need a full answer in the first hour, but an early hypothesis helps you contain the right vectors.
Minutes 40 to 60: Engage External Support and Document Everything
Activate your incident response provider. If you have a retained cyber incident response firm or your insurer provides one, activate them now. A CREST-certified incident response firm brings specialist forensic capability that your internal team almost certainly does not have.
Begin a written incident log. Record every action taken, every system affected, every person notified, and every decision made, each with a timestamp. This log is essential for insurance claims, ICO notifications, regulatory investigations, and post-incident review. Keep it on a device outside the affected environment, or on paper if you cannot trust any system.
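As an added example (not the article's own code), a hash-chained incident log in PowerShell that covers both the scope map and the action log described above: each entry carries a UTC timestamp, the person acting, the action, and the SHA-256 of the previous entry, so a later edit or deletion of any line is detectable. The path and the sample entries (the names A. Jones, B. Patel, j.smith and the host WS-0412) are constructed for illustration.

```powershell
# Added example, not part of the original article. The log path is an
# assumption; keep the file on a machine outside the affected environment.
$LogPath = 'C:\IR\incident-log.tsv'

function Get-Sha256Hex {
    param([string]$Text)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Add-IncidentEntry {
    param(
        [Parameter(Mandatory)][string]$Actor,
        [Parameter(Mandatory)][string]$Action,
        [string]$Path = $LogPath
    )
    # Tabs separate fields, so strip tabs and newlines from free text.
    $Actor  = $Actor  -replace "[`t`r`n]", ' '
    $Action = $Action -replace "[`t`r`n]", ' '

    # The previous entry's hash links this entry into the chain.
    $last = if (Test-Path $Path) { Get-Content $Path -Tail 1 }
    $prev = if ($last) { $last.Split("`t")[-1] } else { 'GENESIS' }

    $when = (Get-Date).ToUniversalTime().ToString('o')
    $body = "$when`t$Actor`t$Action"
    $hash = Get-Sha256Hex "$prev`n$body"
    Add-Content -Path $Path -Value "$body`t$hash"
    return $hash   # copy this value into the paper log to anchor the chain externally
}

function Test-IncidentLog {
    param([string]$Path = $LogPath)
    $prev = 'GENESIS'; $n = 0
    foreach ($line in Get-Content $Path) {
        $n++
        $fields = $line.Split("`t")
        $body   = $fields[0..($fields.Count - 2)] -join "`t"
        if ($fields[-1] -ne (Get-Sha256Hex "$prev`n$body")) {
            return "Chain broken at entry ${n}: $line"
        }
        $prev = $fields[-1]
    }
    return "OK: $n entries verified, last hash $prev"
}

# Usage (constructed sample entries):
Add-IncidentEntry -Actor 'A. Jones (IT lead)' -Action 'Disabled AD account j.smith; host WS-0412 isolated'
Add-IncidentEntry -Actor 'B. Patel (FD)'      -Action 'Notified cyber insurer claims line, reference pending'
Test-IncidentLog
```

The chain only proves that no single entry was altered after the fact; someone who can rewrite the whole file can recompute every hash. That is why the last hash returned by Add-IncidentEntry is worth copying into the paper log or an email to counsel at intervals: it anchors the chain somewhere the attacker cannot reach.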
Report to the NCSC if the incident is significant. The NCSC manages cyber incident reporting at report.ncsc.gov.uk. Significant incidents, meaning those that disrupt essential services, affect large numbers of individuals, or involve state-level actors, should be reported. The NCSC does not publish reports publicly without your agreement.
Report to Action Fraud. Cyber crime in England, Wales and Northern Ireland is reported to Action Fraud at actionfraud.police.uk; businesses in Scotland report to Police Scotland instead. Reporting creates a crime reference number, which insurers commonly require before paying a claim.
What the First Hour Looks Like Without a Plan
Businesses that respond well to cyber incidents share one characteristic: they have rehearsed this scenario before it happened.
Without a plan, the first hour is typically spent in confusion about who is responsible, who to call, whether to shut systems down, whether to tell customers, and whether to pay a ransom. Every minute spent on those questions is a minute the attacker is still active in your environment.
Understanding the link between business continuity planning and incident response is where most UK organisations find the gap in their preparation. Incident response tells you what to do technically. Business continuity tells you how to keep operating while you do it. Most businesses have neither documented nor rehearsed either.
The hidden risk UK businesses face without a cyber business continuity strategy is not just the immediate disruption of an attack. It is the extended recovery period, the lost contracts, the regulatory scrutiny, and the permanent reputational damage that follows an attack that was not contained quickly.
After the First Hour: What Comes Next
The first hour ends with containment in place, the right people informed, external support engaged, and documentation started.
From that point, the response transitions into investigation, recovery planning, regulatory notification, and communications management. Having a tested cyber incident response plan that meets UK regulations means each of those phases has a documented owner, a defined process, and a rehearsed timeline before the incident happens rather than during it.
Frequently Asked Questions
What counts as a cyber incident in the UK?
Any event compromising the confidentiality, integrity, or availability of your systems or data. This includes unauthorised access, ransomware, data exfiltration, denial of service, and insider misuse. Not every security alert is an incident, but any of the above should trigger your response plan.
Do I have to report a cyber incident to the ICO?
Only if the incident involves a personal data breach that is likely to result in a risk to individuals' rights and freedoms. If it does, UK GDPR requires you to notify the ICO within 72 hours of becoming aware, and the clock starts when you first become aware, not when your investigation is complete. Personal data breaches that fall below that threshold must still be recorded internally.
Should I shut down affected systems immediately?
Not always. Powering off devices destroys forensic evidence in volatile memory. Isolate affected systems from the network first. Only power down if your incident response provider specifically advises it, or if the system poses an active risk to other parts of your environment.
How do I know if my backups are safe during an incident?
Check whether your backup environment was reachable from the affected systems at the time of the incident. Cloud or file-sync backups that replicate automatically may have copied encrypted or deleted files over good versions, so look for versioning or point-in-time snapshots from before the compromise. Offline or isolated backups are safer. Do not restore from any backup until your incident response provider has confirmed it is clean.
What should I say to staff during a cyber incident?
Keep communication factual and calm. Tell staff what systems are affected, what they should and should not do, and who to contact if they notice anything unusual. Do not speculate about cause or impact. The NCSC recommends transparent communications internally as a priority.
What is the biggest mistake UK businesses make in the first hour of a cyber incident?
Attempting to investigate and recover simultaneously, without containment in place. The second most common mistake is delaying notification of the cyber insurer, which limits the insurer’s ability to direct and fund the response effectively.
Sources: NCSC Guidance: Responding to a Cyber Incident, A Guide for CEOs. NCSC Guidance: Mitigating Malware and Ransomware Attacks. UK Government Cyber Security Breaches Survey 2025.