Minimising the Impact When a Breach Occurs

It’s essential to have an understanding of the actions you will take if an incident occurs.   This begins with ensuring incidents can be effectively identified and reported in the first place, so staff should feel encouraged to report things that look suspicious.  

However, identification is only the first step; once an incident is reported, what happens next?  How do you respond and recover?  Only 30% of respondents to the Department for Science, Innovation and Technology’s (DSIT’s) Cyber Security Breaches Survey 2025 have a formal incident response playbook (a defined set of instructions outlining what to do in an incident), suggesting that many organisations lack an appropriately detailed understanding of how they would respond if an incident occurred.  Creating and implementing formal, detailed response plans is the most effective method of ensuring your organisation has that understanding.  For more information on creating effective incident response plans, read our blog on How to Develop a Robust Business Continuity Plan.

‍

To minimise the impact of a breach or disruption if one occurs, it’s essential to regularly test your business continuity plans (BCPs) and other incident response plans through structured exercises.  Our blog on Business Continuity Exercising provides detailed guidance on what BC exercising is, the different types available and how to conduct them effectively.  However, in short, an exercise is an activity where you practise using your BCPs, often in the form of tabletop simulations (where your team works through a realistic scenario and simulates their response) or documentation walkthroughs (where teams review their plans together to ensure alignment), although there are a number of other exercise types available.  The outputs of these exercises will allow you to determine the effectiveness of your plans and identify any areas for improvement, without the high stakes of a genuine incident.  

When deciding which elements you need to prioritise for exercising, one key consideration should be your risk assessment.  Risks are incidents that haven’t happened yet, so if your risk assessment has identified highly likely and/or impactful risks, those scenarios should be exercised first and revisited most frequently to ensure preparedness is strongest where it matters most.

If a cyber attack incident does occur, the quickest and most effective way of stopping the attack may be to ‘pull the plug’, i.e., cut off your organisational environment’s access to the internet.  However, while cutting off your environment may halt the attack, it will also halt any genuine access by your staff, customers, etc., potentially leading to devastating consequences for your organisation.  If faced with this choice, you will need to weigh up the cost and impact of the incident itself against the impact of your customers losing access; once the impact of the incident outweighs that of customers not having access, pulling the plug may be the most appropriate option.  These are decisions and considerations you need to make in advance, which is why detailed response plans and processes need to be in place.

During an incident, you will need to keep key stakeholders (e.g., clients, staff, media, and regulators) informed.  In an information vacuum, people speculate and rumours develop, so providing communications and updates allows you to maintain control of the narrative around the incident.  Such communications need to be appropriate and tailored to their intended audience, providing only the information they need and not sharing unnecessary technical or sensitive details.  Again, these communications processes can (and should) be planned in advance, giving you the opportunity to determine when specialist support, such as from PR firms and legal advisors, may be required.

One of the most harmful impacts of an incident is reputational damage and loss of trust, which can partially stem from services being unavailable during an incident.  To counter this, you should put yourself in a position to continue operations and maintain service availability (to the greatest extent possible), even while an incident is occurring in the background.  To do so, build redundancy and resiliency into your systems, so that critical services can continue running even if part of your environment is compromised.

‍

Cyber security is no longer just about preventing attacks, but also being ready to respond when they occur.  By combining strong preventative controls with well defined, regularly exercised response and recovery plans, organisations can significantly reduce the operational, financial and reputational impact of a breach.  Ultimately, resilience puts your organisation in the strongest possible position to withstand incidents and maintain the trust of your stakeholders.