This plan exists so that when an incident happens, people don't freeze, panic, or destroy evidence. It works whether the network is up or down — print copies and leave them somewhere not reliant on IT.
How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.
If you suspect a cyber incident
- Contain. Disconnect from the network. Do not power off.
- Don't tidy up. Don't delete files, don't reboot.
- Call. See the contact list below.
Who to call, in order
- IT supplier (out-of-hours): [name, phone]
- Cyber insurer claims line: [number], policy [policy number]
- Incident response provider: [number]
- Senior decision-maker: [name, mobile]
- Bank fraud line (if money moved): [number]
Within the first 4 hours
- Document what you see: time, screens, who noticed.
- Identify scope: which devices, which users, what data.
- Start the ICO 72-hour clock if personal data may have been accessed: 0303 123 1113.
- Report to Action Fraud: 0300 123 2040.
- Forward phishing emails to report@phishing.gov.uk.
What not to do
- Don't pay any ransom without legal advice. Payment to a sanctioned entity is a strict-liability criminal offence under UK law — it doesn't matter whether you knew the recipient was sanctioned.
- Don't restore from backup onto a still-infected network.
- Don't email anyone outside the response team using the compromised email account.
- Don't post about it publicly until comms are agreed.
Other key contacts
- Lawyer: [name, number]
- HR lead: [name, number]
- PR / comms: [name, number]
Roles
- Incident commander: [name]
- Technical lead: [name]
- Comms lead: [name]
- Note-taker: [name]
After the incident
Within two weeks of recovery, run a written post-mortem covering: timeline, what worked, what didn't, lessons, actions, owners.
Review
Reviewed annually, or after any significant incident.
Tips for adoption
- Print and laminate. Put one copy in reception, one in the car, one at home.
- Run a 90-minute tabletop exercise once a year.
- Test the phone numbers annually.