Most of the cybersecurity conversation aimed at small businesses is about prevention — get a password manager, enable MFA, run Cyber Essentials, train your staff to spot phishing. All of that matters. But there’s a question that doesn’t get nearly enough airtime: what do you actually do when something goes wrong?
Because here’s the reality: 43% of UK businesses experienced a cyber breach or attack in the most recent Cyber Security Breaches Survey. If you’re a small business owner reading this, there’s a meaningful chance you’ll face some kind of incident at some point. And most SMEs are genuinely unprepared for what happens next.
That’s why an expansion to the NCSC’s Cyber Incident Response (CIR) scheme — which now includes a Level 2 category specifically aimed at smaller and medium-sized organisations — is worth understanding.
What is the NCSC Cyber Incident Response scheme?
The CIR scheme is a list of vetted, government-assessed cybersecurity firms that are certified to help organisations recover from cyber incidents. Before it existed, if you got hit by ransomware, your options were basically: hope your IT support company could handle it, search Google for “incident response UK” and hope the firm you found was competent, or call one of the big consultancies and receive an invoice that would make you wince.
The scheme changes that by providing a curated list of firms that the NCSC has assessed against defined standards. You can trust that a CIR-certified firm has the skills to actually help, rather than just billing hours while your business bleeds.
What’s changed with the Level 2 expansion?
The original CIR scheme (now called Level 1) was designed for large and complex incidents — national infrastructure, major financial institutions, the kind of attacks that end up on the front page of the BBC. The response firms at that level are large, specialist consultancies with the capacity to handle incidents at serious scale.
Level 2 is different. It’s aimed at incidents affecting smaller and medium-sized organisations — SMEs, local authorities, charities, smaller NHS trusts. The criteria for certification at Level 2 are appropriately scaled: firms need to demonstrate competence in common incident types (ransomware, data breaches, business email compromise) but they don’t need to have the same depth of capability as a Level 1 firm. That means more firms qualify, which means better geographic coverage and, critically, more accessible pricing.
You can find the current list of Level 2 certified providers on the NCSC website. At the time of writing there are around 40 firms on the list, covering most of the UK.
Why this matters for small businesses
The time after a cyber incident — particularly ransomware — is chaotic. You’re dealing with systems that don’t work, staff who can’t do their jobs, potentially customers who are asking questions you can’t answer, and a decision about whether to pay a ransom that could fund criminal organisations and may or may not actually get your data back.
Having a plan for who to call before that happens makes an enormous difference. Knowing that there’s a certified, vetted list of firms you can reach for — rather than scrambling on Google while your business is on fire — is genuinely valuable.
The NCSC has also published a Small Business Guide to Response and Recovery, which is free and worth spending an hour with now, not after an incident. It covers the practical steps: isolating affected systems, preserving evidence, notifying the ICO if personal data is involved (under the UK GDPR you have 72 hours from becoming aware of a breach that is likely to result in a risk to individuals, and if the risk is high you must also tell the affected people), and communicating with customers and staff.
What you should actually do right now
Let’s be practical. Here are three things worth doing this week:
First, find out whether you have cyber insurance. Many business insurance policies include some form of cyber coverage, but a lot of SME owners don’t know what they’re covered for. Check your policy specifically for incident response assistance, business interruption cover, and legal support for ICO notifications. If you don’t have it, it’s worth getting a quote — premiums have come down significantly as the market has matured.
Second, pick a response firm from the NCSC Level 2 list and save their number somewhere accessible. You don’t need to pay a retainer; just know who you’d call. Some firms offer a free initial consultation for qualifying incidents. Keep the number somewhere you can still reach when your laptop and file server are encrypted: printed, or on a phone, not only in a document on the network. If you have cyber insurance, check whether the policy requires you to use the insurer’s panel of responders before you commit to a firm, or the call may not be covered. Having that number to hand before an incident is the difference between responding calmly and responding in a panic.
Third, make sure someone in your business knows the 72-hour ICO notification window, and that it runs from the moment you become aware of the breach, not from the moment you finish investigating it. If you process personal data, and almost every UK business does, even if it’s just customer email addresses, a ransomware attack that encrypts that data is a loss of availability and therefore a personal data breach; whether it is notifiable depends on the risk to the individuals concerned, but for ransomware that will usually be the case. Failing to notify in time carries its own regulatory risk on top of the incident itself.
The bigger point about incident response planning
There’s a tendency to think about cybersecurity preparedness in terms of things you can buy — software, hardware, certifications. Incident response planning is different. It’s mostly about decisions you make in advance: who do you call, what do you isolate first, where are your backups, who has the authority to shut down systems?
None of that costs much. It mostly costs an afternoon of thinking carefully about what would happen if things went wrong. The NCSC’s response and recovery guide is a genuinely useful starting point for that conversation — and the fact that there’s now a certified network of firms who can help you execute that plan, scaled appropriately for smaller organisations, is a meaningful step forward.
The best time to think about incident response is before you need it. You already know that, which is why you’re reading this.