How to Recover From a Cyber Attack: A Step-by-Step Guide for SMBs

5 May 2026 · 6 min read · By Hak, VantagePoint Networks

A cyber attack can feel catastrophic. One moment your systems are running normally; the next, your data is encrypted, your operations grind to a halt, and panic sets in. For SMBs—particularly professional services firms, legal practices, and financial advisers across London—a breach isn't just a technical crisis; it's a reputational threat and a potential compliance nightmare. Yet despite the severity, many small and medium-sized businesses lack a clear roadmap for how to recover from a cyber attack. This guide provides a practical, step-by-step approach to help you regain control, minimise damage, and emerge stronger from an incident.

Immediate Response: The First 24 Hours

The moments immediately following a cyber attack are critical. Your priority is to contain the damage and preserve evidence. Do not panic, and do not attempt ad-hoc fixes that might destroy forensic data.

Isolate Affected Systems

Disconnect compromised devices from your network without shutting them down. Pull the network cable or disable Wi-Fi; this prevents the attack from spreading whilst preserving the current state of the system for forensic analysis. If a device has been encrypted by ransomware, do not attempt to decrypt it yourself. Similarly, if you suspect data exfiltration, resist the urge to power down immediately: a running system still holds volatile evidence (memory contents, active connections, running processes) that is lost on shutdown and that helps incident investigators understand what happened.

For multi-location organisations, isolate systems at the affected site first, then quarantine similar systems across other locations as a precaution. This staged approach prevents panic whilst protecting your wider network.

Activate Your Incident Response Team

Assemble your core response team immediately: IT lead, senior management, legal advisor, and your external IT support provider (if you have one). Assign clear roles: who communicates internally, who handles external notifications, who liaises with law enforcement, and who manages client communication. Confusion during the first hours can turn a containable incident into a full-blown crisis.

Document everything from this point forward. Timestamps, actions taken, systems affected, data accessed—all of this becomes essential for your incident report and potential regulatory submissions. Use a dedicated incident log (even a simple shared document will do initially) to maintain a chronological record.

Notify Your Professional Advisers

Contact your cyber insurance provider, solicitor, and accountant immediately. For professional services firms and legal practices, notification may trigger specific compliance obligations under GDPR or your sector-specific regulations. Do not delay this step—insurance claims often have strict notification requirements, and your solicitor needs to advise you on privilege and potential disclosure obligations.

Assessment and Investigation: Days 1–7

Once you've contained the immediate threat, a thorough investigation becomes essential. This phase answers critical questions: what happened, how did it happen, and what data was compromised?

Conduct a Forensic Assessment

If your in-house IT team lacks forensic expertise, engage external forensic specialists immediately. They will examine affected systems, identify the attack vector (phishing, unpatched vulnerability, weak credentials, etc.), and determine the scope of the breach. This investigation is not optional—it's the foundation for your recovery plan and your regulatory response.

Forensic specialists will also identify whether data was stolen before encryption (a common ransomware tactic) or merely locked. This distinction dramatically affects your next steps and your notification obligations.

Identify What Was Compromised

Work with your investigators to catalogue affected systems and data. For professional services, this means identifying which client files, financial records, or sensitive correspondence was accessed or stolen. For financial advisers and legal firms, the sensitivity of this data means breaches often trigger mandatory disclosure under FCA, SRA, or GDPR regulations.

Avoid guesswork. A thorough assessment may take days, but it's far better than issuing incomplete incident notifications to clients or regulators.

Consider Law Enforcement Involvement

Report serious attacks to Action Fraud (actionfraud.police.uk) or the National Crime Agency (NCA). Whilst law enforcement cannot guarantee recovery, they can advise you and may provide intelligence about the attackers. Additionally, law enforcement involvement sometimes influences insurance coverage decisions and demonstrates your organisation's good-faith response to regulators.

Recovery and Remediation: Weeks 2–4

With a clear understanding of what happened, you can now rebuild safely.

Restore from Clean Backups

If ransomware is involved, do not pay the ransom—UK authorities and insurance companies strongly advise against this. Instead, restore from backups created before the attack. This is why backup hygiene matters: your backups must be isolated from your live network, tested regularly, and maintained with version control. If your backups are also compromised, recovery becomes substantially harder and costlier.

Restoration is methodical and often slow. Verify that restored systems are clean before reconnecting them to your network. Many organisations restore a single critical system first, confirm its integrity, then progress to others.

Patch Vulnerabilities and Strengthen Defence

Once systems are restored, patch the vulnerabilities that allowed the attack in the first place. This includes operating system patches, application updates, and firmware updates. Whilst your IT team handles technical patches, work with your leadership to address process vulnerabilities: improve password policies, enforce multi-factor authentication (MFA), and enhance access controls.

For SMBs without large IT departments, partnering with a managed security provider like VantagePoint Networks can embed these improvements systematically, rather than leaving them to ad-hoc effort.

Reset Credentials and Verify Access Controls

Change all passwords for administrative and critical accounts. If the attacker had credentials, they may still have access even after restoration. Implement MFA across your organisation—this single measure prevents the vast majority of ransomware attacks. Review user access permissions: do all employees still need the access they have? Least-privilege access (users only have access to what they genuinely need) dramatically reduces the blast radius of future attacks.

Compliance and Communication: Ongoing Priorities

Recovery isn't complete until your regulatory obligations are met and stakeholder trust is restored.

Notify Affected Parties and Regulators

GDPR requires organisations to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach involving personal data. Separately, you must notify affected individuals unless the risk to them is low. Your solicitor should guide you on exact timing and wording. For regulated professions—solicitors, financial advisers, accountants—your regulator (SRA, FCA, ICAEW) may also require notification. Professional services firms must be particularly careful here: notification failures can trigger additional sanctions.
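As an added example (not code from the guide or from VantagePoint Networks), the following Python keeps the chronological incident log recommended for the first 24 hours, hash-chains each entry so that a later edit to the record is detectable, and derives the 72-hour ICO deadline from the first entry, which it assumes marks the moment the breach was noticed. The actors, system names and timestamps are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

ICO_NOTIFICATION_WINDOW = timedelta(hours=72)  # UK GDPR window, from becoming aware
GENESIS = "0" * 64  # "previous hash" recorded by the first entry


def _digest(entry):
    """SHA-256 over the entry's fields except its own hash, in a fixed key order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLog:
    """Append-only timeline; each entry carries the previous entry's hash, so
    any later edit to the record makes verify() fail."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, systems=(), when=None):
        entry = {"time": (when or datetime.now(timezone.utc)).isoformat(),
                 "actor": actor, "action": action, "systems": sorted(systems),
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def affected_systems(self):
        return sorted({s for e in self.entries for s in e["systems"]})

    def ico_deadline(self):
        # Assumption: the first entry marks the moment the breach was noticed.
        return datetime.fromisoformat(self.entries[0]["time"]) + ICO_NOTIFICATION_WINDOW


def demo():
    """Constructed sample timeline (not a real incident); returns the values checked."""
    log = IncidentLog()
    t0 = datetime(2026, 5, 5, 9, 0, tzinfo=timezone.utc)
    log.record("IT lead", "Pulled network cable on FS01; left powered on", ["FS01"], when=t0)
    log.record("IT lead", "Quarantined FS02 as a precaution", ["FS02"], when=t0 + timedelta(minutes=20))
    intact = log.verify()
    log.entries[0]["action"] = "Rebooted FS01"  # simulate a later edit to the record
    return intact, log.affected_systems(), log.ico_deadline().isoformat(), log.verify()
```

Store the exported entries somewhere the response team cannot silently overwrite (for example, a write-once share), since the chain only detects tampering; it does not prevent it.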

Communicate Transparently With Clients and Staff

Prepare honest, clear communication for affected clients and employees. Explain what happened, what data was involved, what you're doing to prevent recurrence, and what affected parties should do to protect themselves. Transparency builds trust; silence or minimisation destroys it. For legal and financial practices, a well-handled breach communication can actually reinforce client confidence if it demonstrates professionalism and accountability.

Update Your Incident Response Plan

Once recovery is complete, review your incident response plan. What worked? What didn't? Did communication channels function effectively? Did your team have the right tools and knowledge? Use this real-world experience to improve your preparedness for future incidents.

Recovery from a cyber attack is exhausting, expensive, and distracting—which is precisely why prevention matters so much. Yet if an attack does occur, a methodical, well-coordinated response minimises damage and positions your organisation to emerge stronger. Whether you're a London legal practice protecting client confidentiality or a financial advisory firm managing sensitive investments, treating incident response as a structured process (rather than a chaotic scramble) makes all the difference.

From VantagePoint Networks

VantagePoint Networks is an independent senior IT and AI consultancy based in London. No account managers — every engagement is handled directly by the founder.