Incident Response Plan

What to do when something goes wrong. Print and pin it to the wall.

This plan exists so that when an incident happens, people don't freeze, panic, or destroy evidence. It works whether the network is up or down — print copies and leave them somewhere not reliant on IT.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

If you suspect a cyber incident

  1. Contain. Disconnect the device from the network (unplug Ethernet, turn off Wi-Fi). Do not power it off — memory evidence matters.
  2. Don't tidy up. Don't delete files, don't reboot, don't “just have a quick look.”
  3. Call. See the contact list below.

Who to call, in order

  1. IT supplier (out-of-hours): [name, phone]
  2. Cyber insurer claims line: [number], policy [policy number]
  3. Incident response provider: [number from insurance panel]
  4. Senior decision-maker: [name, mobile]
  5. Bank fraud line (if money may have moved): [number]

Within the first 4 hours

  • Document what you see: time, screens (photographs are fine), who noticed it, what was running.
  • Identify scope: which devices, which users, what data.
  • Start the ICO 72-hour clock if personal data may have been accessed or lost: 0303 123 1113.
  • Report to Action Fraud for fraud or attempted fraud: 0300 123 2040.
  • For phishing emails: forward to report@phishing.gov.uk.

What not to do

  • Don't pay any ransom without legal advice. It may be illegal under sanctions.
  • Don't restore from backup onto a still-infected network.
  • Don't email anyone outside the response team using the compromised email account.
  • Don't post about it publicly until comms are agreed.

Other key contacts

  • Lawyer: [name, number]
  • HR lead: [name, number]
  • PR / comms: [name, number]

Roles

  • Incident commander: [name] (decides scope of response, calls in suppliers)
  • Technical lead: [name] (works with IT supplier / IR provider)
  • Comms lead: [name] (handles internal, customer, and supplier messages)
  • Note-taker: [name] (keeps a timestamped log of decisions — matters for insurance and the post-mortem)

After the incident

Within two weeks of recovery, run a written post-mortem covering: timeline, what worked, what didn't, lessons, actions, owners. Update this plan based on the lessons.

Review

Reviewed annually, or after any significant incident.

Tips for adoption

  • Print and laminate. Put one copy in reception, one in the car, one at home.
  • Run a 90-minute tabletop exercise once a year using NCSC Exercise in a Box.
  • Test the phone numbers annually. They move.