How to create a cyber attack recovery plan


A cyber attack can result in lost revenue, disrupted operations and reputational damage.

Government research showed that almost half of businesses suffered a cyber security breach in 2019, while the average cost of dealing with an attack was £3,230.

To ensure they know how to respond if a cyber security breach occurs, it is important that businesses put a plan in place.

This guide outlines best practices for cyber security disaster planning and recovery.

Identify essential information, processes and systems

The first step in cyber disaster planning is identifying which information, processes and systems are critical to your business.

These are the things your business couldn't operate without. They could include documents, emails, contacts, photographs, passwords, calendars and your website.

Consider what would happen if your business lost access to critical information and systems. This will help you decide where you need to prioritise protection.

Think about what you will do if an attack occurs and critical information and systems are affected.

Put a plan in place for how you will resolve it.

Decide what actions you will take, such as:

  • Running anti-virus software
  • Restoring data backups
  • Changing passwords
  • Fixing or replacing infected hardware and software

Document the people you'll need to contact in the event of an attack, such as your:

  • IT support supplier
  • Web hosting provider
  • Cloud services provider

Be prepared with backups

Your business will recover from a cyber attack much more quickly if you get into the habit of backing up information. It is recommended that you run daily or weekly backups of your critical information.

You can back up your data yourself using a USB stick or separate computer drive, or use a cloud storage service. With a cloud storage service, a provider stores your data on their infrastructure, separate from your location. That means that in the event of a disaster at your premises, your business can keep running.

You are also advised to switch on automatic backups on devices and systems that you use.

Be clear about how you access your backups, so that if a cyber attack occurs you know how to find your information. It's a good idea to practise accessing your backed-up data and secure passwords.

Enable two-factor authentication

Using two-factor authentication (2FA) can reduce the possibility of a cyber security attack happening. It provides an extra check to verify that the person logging into services like social media and online banking really is who they say they are.

If 2FA is set up, the service will ask for a “second factor” that only the genuine account holder will know. This is often a code sent via text message or authentication app that has to be used to log in. It means that even if a cyber criminal gets hold of your passwords, they won't be able to access your accounts.

It is recommended that you switch on 2FA for important accounts such as social media, email and document sharing apps.


“The implementation of multifactor authentication will add an extra layer of protection. We enforce it whenever we can, as well as a strong password policy. The key here is that we’ve been able to automate the process by using a password manager. Reducing friction is important for successful adoption.”

Stephen Jones, CTO at Business Data Group

Involve your team

It’s important that your employees are involved in your cyber attack recovery plan and understand their role.

Employees need to know what they have to do should a disaster strike and the plan go into effect. Document the roles and responsibilities of key people in the event of an incident.

It is advisable to keep a written copy of the cyber recovery plan in a secure place where everyone can access it.

Train relevant staff in areas such as how to restore data backups, change passwords and fix or replace infected hardware and software.

It is advisable to ensure all employees are aware of cyber security best practices such as strong passwords and two-factor authentication. The National Cyber Security Centre (NCSC) has a free online training course.

Identify what happened

When a cyber incident occurs, the first step to recovery is identifying what has happened.

There are various types of cyber crime that can lead to an attack on your business. They include phishing, malware and distributed denial of service attacks.

Most attacks occur due to criminals accessing your systems using fraudulent software or websites. That could have happened, for example, because you or an employee clicked on a link in a scam email.

When an incident occurs, the NCSC recommends that you ask yourself the following key questions:

  1. What problem has been reported and by whom?
  2. What services, programs and/or hardware aren’t working?
  3. Are there any signs that data has been lost? For example, have you received ransom requests or has your data been posted on the internet?
  4. What information (if any) has been disclosed to unauthorised parties, deleted or corrupted?
  5. Have your customers noticed any problems? Can they use your services?
  6. Who designed the affected system and who maintains it?
  7. When did the problem occur or first come to your attention?
  8. What is the scope of the problem? What areas of the organisation are affected?
  9. Have there been any signs as to whether the problem has occurred internally within your organisation or externally through your supply chain?
  10. What is the potential business impact of the incident?

Deal with the incident

Once you've identified the incident, you need to take steps to resolve it.

If you outsource your IT to another company, contact them and provide the information that they need.

If you maintain your own technology systems, take the steps you put in place when planning your response to a cyber attack. As noted above, this could be:

  • Running anti-virus software
  • Restoring data backups
  • Changing passwords
  • Fixing or replacing infected hardware and software

Remember that when restoring a backup, you must be confident that it is free from any malicious software or files.

Report the incident

It is recommended that you report a cyber security attack to the authorities. For some incidents, it is a legal requirement.

You can report a live cyber security attack to Action Fraud by calling 0300 123 2040. The line is open 24 hours a day, 7 days a week for businesses in England, Wales and Northern Ireland.

Action Fraud defines a live attack as an ongoing incident that is still affecting your systems and ability to work. It also means there is an opportunity for the police to stop the attack or secure evidence for an investigation.

Advisers will ask questions, provide guidance and pass your details to the National Fraud Intelligence Bureau (NFIB).

The NFIB will then review your report, conduct enquiries, identify links to known criminals and send details to the relevant police agency. This could be your local police force or the National Cyber Crime Unit (NCCU).

If you're in Scotland, you can report attacks to Police Scotland by calling 101.

If your business is a victim of a significant cyber attack, it is recommended that you start by reporting it to the National Cyber Security Centre.

Some personal data breaches need to be reported by law to the Information Commissioner's Office.

There may be other regulatory bodies you need to report an incident to.

Report the incident to other stakeholders

It is important that you inform employees about a cyber security attack, particularly staff who have a role in disaster recovery.

Employees also need to be told how they should be accessing computer systems after an attack and what to tell customers or clients.

Customers must be informed if the cyber security breach has affected them, such as personal or financial information being compromised.

You might need to consult with your marketing or public relations team to decide if a public statement needs to be issued. You might also need to decide how to deal with any negative comments on social media and elsewhere.

“Under GDPR rules, it’s vital to be able to report if you’ve suffered a breach. But only a small number have a proper recovery plan in place. If you don’t have a plan in place, you won’t know what you’re meant to report.”

John Williams, MD of Northstar

Review and learn

Once you've resolved the cyber security incident, you should reflect on what happened and why.

Consider why your security was breached and which processes were insufficient to prevent the criminals from accessing your systems. Work out what you need to do to ensure it doesn't happen again, such as moving to a new cloud services provider.

Decide what went well during your response and what could be improved. If you outsource your IT, consider whether the response of the company was good enough.

Make any necessary changes to your cyber attack response plan. You may also need to provide extra training to employees, such as how to use stronger passwords or avoid falling victim to scam emails.