TL;DR:

  • Isolate affected devices from the network immediately — don’t turn them off, just disconnect them
  • Change critical passwords from a clean device on mobile data, not your company Wi-Fi
  • Call your cyber insurer within hours — most policies require notification within 24–72 hours or coverage is voided

Something is wrong. Maybe a supplier emailed about an invoice you never sent. Maybe your accounting software password stopped working. Maybe a screen appeared demanding Bitcoin.

The first 24 hours after discovering a breach determine how much damage gets done, whether your insurance pays out, and how much legal exposure you carry. Panic makes every outcome worse. Follow these steps in order.

Step 1 — First 15 minutes: document before you touch anything

Your first instinct will be to act. Resist it for fifteen minutes.

Take photos with your phone. Photograph every screen showing signs of the attack. If there’s a ransom note, capture any wallet addresses or email addresses visible. If your accounting software shows transactions you didn’t make, screenshot them.

Write down the time. When did you first notice? What were you doing? This timeline matters for insurance claims, any legal proceedings, and reporting to Action Fraud.

Do not turn off the computer if this is ransomware. Shutting down a ransomed machine can destroy forensic evidence. Leave it powered on but disconnect it from the internet.
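The documentation step above is easier to defend later if each observation carries a timestamp and a fingerprint of the photo or screenshot it refers to. The script below is an added example, not part of the original article: it keeps an append-only timeline file, records the SHA-256 of every evidence file, and can re-check those files later to show they have not been altered. File names, the observation date and the "photo" contents are constructed for the demonstration.

```python
"""Incident evidence log: added example, not from the original article.

Each observation is appended as one JSON line with a UTC timestamp, a free-text
note and the SHA-256 fingerprint of any evidence file (photo, screenshot,
exported log). Re-hashing the files later shows whether the evidence is still
the evidence you captured. File names and dates below are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Fingerprint one evidence file (photos and screenshots are small enough to read whole)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def log_observation(log_path: Path, note: str, observed_at: str, evidence=()) -> dict:
    """Append one timeline entry; 'observed_at' is when you noticed, 'logged_at' is now."""
    entry = {
        "logged_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "observed_at": observed_at,
        "note": note,
        "evidence": [
            {"file": Path(p).name, "size": Path(p).stat().st_size, "sha256": sha256_of_file(Path(p))}
            for p in evidence
        ],
    }
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_evidence(log_path: Path, evidence_dir: Path) -> list:
    """Return the names of evidence files that are missing or no longer match their logged hash."""
    problems = []
    for line in log_path.read_text(encoding="utf-8").splitlines():
        for item in json.loads(line)["evidence"]:
            current = evidence_dir / item["file"]
            if not current.exists() or sha256_of_file(current) != item["sha256"]:
                problems.append(item["file"])
    return problems


def run_demo() -> dict:
    """Log one constructed observation, verify it, then show that later alteration is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        photo = folder / "ransom_note_reception_pc.jpg"   # constructed stand-in for a phone photo
        photo.write_bytes(b"constructed image bytes, not a real photo")
        log = folder / "incident_timeline.jsonl"
        log_observation(log, "Ransom note on reception PC screen; wallet address visible",
                        observed_at="2024-03-04T09:12:00+00:00", evidence=[photo])
        before = verify_evidence(log, folder)
        photo.write_bytes(b"edited after the fact")        # simulate the file being changed later
        after = verify_evidence(log, folder)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

Keep the timeline file and the evidence folder on a device that was not part of the affected network (your phone, or a USB stick that goes straight into an envelope), and hand copies to your insurer's forensic team rather than editing the originals.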

Step 2 — First hour: isolate the affected systems

Cyberattacks spread. Isolation stops them.

Unplug the ethernet cable from the affected computer. Turn off Wi-Fi on the affected device, or turn off your router entirely if you can. Keep the device powered on, just disconnected from the network. Disconnect any other devices on the same network that may be affected. And disconnect any network-attached storage (NAS) devices — ransomware specifically targets these because they hold backup files.

Step 3 — First hour: change critical passwords from a clean device

Use your personal phone on mobile data — not company Wi-Fi, not any device that was on the company network.

Change passwords immediately for: your primary business email, online banking and payment accounts, accounting software (Xero, QuickBooks, Sage, FreshBooks), payroll systems, and your domain registrar.

While you’re in your email settings, check for forwarding rules you don’t recognise. Attackers commonly set these up to keep reading your email after you’ve changed your password. Delete any rules you didn’t create.

Enable two-factor authentication on any account that allows it, starting with email and banking.
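Reviewing inbox rules by eye is error-prone when a mailbox has dozens of them. The script below is an added example, not from the original article: it takes inbox rules exported from your mail admin console and flags the patterns that usually mean someone else created the rule. The field names are an assumed, simplified schema (Microsoft 365's Get-InboxRule and Get-Mailbox output carries equivalent properties); the company domain, the external domain and every sample rule are constructed. It goes slightly beyond the text by also checking mailbox-level forwarding, which is configured separately from inbox rules and is easy to miss.

```python
"""Mailbox rule audit: added example, not from the original article.

Flags inbox rules that forward or redirect outside your own domain, delete or
silently mark mail as read, or have a blank or single-character name, and
checks the mailbox-level forwarding address as well. Field names are an
assumed schema for exported rules; all sample data is constructed."""

COMPANY_DOMAINS = {"example.co.uk"}  # assumption: the domains your business actually uses


def is_external(address: str, domains=COMPANY_DOMAINS) -> bool:
    """True if the address's domain is not one of ours (or the address has no domain at all)."""
    if "@" not in address:
        return True
    return address.rsplit("@", 1)[1].lower() not in {d.lower() for d in domains}


def audit_inbox_rules(rules, domains=COMPANY_DOMAINS) -> list:
    """Return one finding per suspicious rule, each listing the reasons it was flagged."""
    findings = []
    for rule in rules:
        reasons = []
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = sorted(a for a in targets if is_external(a, domains))
        if external:
            reasons.append("sends mail outside the company to " + ", ".join(external))
        if rule.get("delete_message"):
            reasons.append("deletes matching mail")
        if rule.get("mark_as_read"):
            reasons.append("marks matching mail as read")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("blank or single-character name")
        if reasons:
            findings.append({"name": rule.get("name", ""), "reasons": reasons})
    return findings


def audit_mailbox_forwarding(mailbox, domains=COMPANY_DOMAINS) -> list:
    """Flag mailbox-level forwarding (set outside the rules list) to an external address."""
    target = mailbox.get("forwarding_smtp_address")
    if target and is_external(target, domains):
        return ["mailbox forwards all mail to " + target]
    return []


# Constructed sample export: one ordinary rule, two that should be investigated.
SAMPLE_RULES = [
    {"name": "Newsletters to folder", "move_to_folder": "Newsletters", "enabled": True},
    {"name": ".", "forward_to": ["owner.archive@webmail.example"], "mark_as_read": True},
    {"name": "Invoices", "conditions": {"subject_contains": ["invoice", "payment"]},
     "redirect_to": ["accounts@example.co.uk"], "delete_message": True},
]
SAMPLE_MAILBOX = {"address": "owner@example.co.uk",
                  "forwarding_smtp_address": "backup.mail@webmail.example"}

if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES):
        print(finding["name"] or "(unnamed)", "->", "; ".join(finding["reasons"]))
    for reason in audit_mailbox_forwarding(SAMPLE_MAILBOX):
        print(SAMPLE_MAILBOX["address"], "->", reason)
```

Delete flagged rules and clear the mailbox forwarding address from the clean device, then re-run the audit after the password change to confirm nothing reappeared.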

Step 4 — First hour: call for technical help

You need a professional — not YouTube tutorials or your nephew who’s good with computers.

If you have an IT support company or managed service provider, call them now. If you don’t, search “cyber incident response” or “managed service provider” plus your area and call one. Tell them: what you saw, when you noticed it, which devices are affected, and what steps you’ve already taken. Do not allow anyone to connect remotely until you’ve verified who they are.

Step 5 — First two hours: call your cyber insurance provider

If you have cyber liability insurance, call your provider now. Don’t wait until the situation is resolved.

Most UK cyber insurance policies include a breach response hotline connecting you to lawyers, forensic investigators, and — for serious incidents — PR support. They arrange forensic investigation at no extra cost, provide legal counsel for breach notification requirements, and manage the claims process.

Not calling promptly can void your coverage — most policies require notification within 24–72 hours.

Step 6 — First four hours: check your backups

Your recovery depends on your backups. From a clean device, check whether you can access files in your cloud backup (Google Drive, Dropbox, OneDrive), whether your external drive backups are physically disconnected from the affected network, and what date your last backup was from.

If your backups are intact, your recovery path is clear. If they’re not, the conversation about whether ransom payment is viable becomes much harder.

Step 7 — Within 24 hours: report to the authorities

Action Fraud (actionfraud.police.uk) — the UK’s national fraud and cybercrime reporting centre. Report ransomware, business email compromise, or fraud here. Reporting creates a record that supports your insurance claim and helps law enforcement track patterns.

The ICO (ico.org.uk) — under UK GDPR, if personal data has been breached, you must notify the ICO within 72 hours of becoming aware. Failing to report within the window is itself an enforcement risk. Your insurer or legal counsel can advise on whether your specific incident triggers this obligation.

The NCSC (ncsc.gov.uk/report-an-incident) — particularly relevant if your business is in critical sectors or if the incident is significant.

Step 8 — Within 24–72 hours: notify affected customers if required

Under UK GDPR, if personal information was exposed and the breach is likely to result in risk to individuals, you must notify them directly in addition to the ICO. Your insurer or legal counsel will advise on your specific situation.

When you notify customers: be honest and specific about what happened, what data was affected, and what concrete steps you’re taking. Vague, passive-voice notifications (“data was accessed”) damage trust more than straightforward ones.

Should you pay the ransom?

The NCSC’s guidance is: don’t pay. It funds criminal operations, marks you as a paying target, and doesn’t guarantee file recovery. Some ransomware groups take payment and send broken decryption keys anyway.

Before making any decision, consult your insurer and a lawyer. Check nomoreransom.org — free decryption tools exist for many ransomware variants, and you may not need to pay at all.

Bottom line

The single biggest factor in how well you recover is the quality of your backups. Everything else — the steps above, your insurer, technical help — works better when you have clean, recent, tested backups to restore from. If you take one thing from this article: test your backups this week.
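Step 6 asks when your last backup was taken, and the bottom line asks you to test it. A backup is tested when you have confirmed that the copy actually contains your files unchanged, not just that the folder exists. The script below is an added example, not from the original article: it fingerprints the live data, compares a backup copy file by file, and reports how old the newest backup file is. The staleness threshold, folder names and file contents are constructed for the demonstration.

```python
"""Backup restore test: added example, not from the original article.

build_manifest() fingerprints every file under a source folder, verify_backup()
checks a backup copy against that manifest and reports missing and changed
files, and newest_file_age_days() answers 'what date was my last backup from'.
The threshold and all sample files are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 7  # assumption: a backup older than a week counts as stale


def sha256_of_file(path: Path) -> str:
    """Hash in chunks so large backup files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare the backup copy against the manifest of the live data."""
    missing, changed, ok = [], [], 0
    for rel, expected in manifest.items():
        copy = backup_root / rel
        if not copy.is_file():
            missing.append(rel)
        elif sha256_of_file(copy) != expected:
            changed.append(rel)
        else:
            ok += 1
    return {"ok": ok, "missing": missing, "changed": changed}


def newest_file_age_days(root: Path, now_epoch: float) -> float:
    """Age in days of the most recently modified file under root (infinite if there are none)."""
    times = [p.stat().st_mtime for p in root.rglob("*") if p.is_file()]
    if not times:
        return float("inf")
    return (now_epoch - max(times)) / 86400


def run_demo() -> dict:
    """Build a constructed live folder and a backup that is incomplete, partly stale and ten days old."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        samples = (
            (live, {"accounts.csv": b"2024 ledger", "invoices/mar.pdf": b"pdf bytes", "contacts.csv": b"list"}),
            (backup, {"accounts.csv": b"2024 ledger", "invoices/mar.pdf": b"old pdf bytes"}),
        )
        for folder, files in samples:
            for rel, data in files.items():
                target = folder / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        snapshot_time = 1_700_000_000.0  # constructed: when the backup was taken
        for p in backup.rglob("*"):
            os.utime(p, (snapshot_time, snapshot_time))
        result = verify_backup(build_manifest(live), backup)
        age = newest_file_age_days(backup, snapshot_time + 10 * 86400)
        result["age_days"] = round(age, 1)
        result["stale"] = age > MAX_BACKUP_AGE_DAYS
        return result


if __name__ == "__main__":
    print(run_demo())
```

Run the manifest build against your live data while things are normal and keep the manifest with the backup; after an incident, verifying the backup against that stored manifest tells you whether the copy predates the attack and is complete enough to restore from.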