Incident Response Plan for UK Businesses: Step-by-Step Guide

Max, Technical Director · 22 March 2026

Why You Need a Plan Before You Need a Plan

The UK Government's Cyber Security Breaches Survey 2024 found that only 21% of businesses have a formal incident response plan, while 50% report having experienced a breach or attack in the previous twelve months. Most UK businesses are therefore handling incidents on the fly, making critical decisions about containment, notification and recovery under pressure without a tested playbook. The deadlines are tight: a notifiable personal data breach must be reported to the ICO within 72 hours of you becoming aware of it, the NCSC expects significant incidents to be reported, and NIS2 (an EU directive, relevant to UK businesses with in-scope EU operations) requires a 24-hour early warning. Without a pre-established plan, meeting these deadlines while managing a live incident is extremely difficult.

Step 1: Preparation

Preparation is everything that happens before an incident. Define your incident response team: who is the incident commander, who handles technical containment, who manages legal and regulatory notification, and who handles communications. Ensure at least two people can fill each role in case of unavailability. Document your key assets and data flows — you cannot assess the impact of a breach if you do not know what data you hold and where it moves. Pre-establish relationships with external resources: your managed security provider, legal counsel with cyber experience, a forensics firm, and your cyber insurance broker.

  • Define incident response team with named individuals and backups
  • Document key assets, data flows, and classification
  • Pre-engage legal counsel, forensics, and insurance
  • Establish out-of-band communication channels (not corporate email or chat, which the attacker may be reading)
  • Maintain an offline copy of the IR plan

Step 2: Detection and Analysis

Detection speed determines impact. IBM's Cost of a Data Breach reports have consistently found that breaches identified and contained within 200 days cost around $1 million less on average than those that take longer. Your monitoring stack (Coro for endpoint detection, Hadrian for attack surface monitoring, BlackFog for exfiltration detection) should feed into a defined triage process rather than an inbox. When an alert fires, the first question is: is this a genuine incident, or a false positive or benign change? The second is: what is the scope and severity, meaning which systems and accounts are involved, whether data is leaving the estate, and whether personal data is within reach. Classify incidents using a standard scale (P1 through P4) with predefined criteria for each level and a corresponding response timeline, so that the on-call responder is applying a rule rather than making a judgement call at 3 a.m. Record the time you became aware of the incident at this point: the regulatory clocks run from awareness, not from the end of the investigation.
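The triage step above, as an added example (not code from the original page and not from Coro, Hadrian or BlackFog): a small Python module that takes a constructed alert, answers the "genuine incident?" question first, maps it to P1 through P4, and attaches the response deadline and the ICO 72-hour clock. The P1 to P4 criteria, the response timelines, the `Alert` fields and the sample alerts are all assumptions for illustration; the only figure taken from the page is the 72-hour window from awareness.

```python
"""Alert triage for an IR plan: genuine incident first, then scope and severity.

Added example, not the page's or any vendor's code. The P1..P4 criteria,
response SLAs, field names and sample alerts are assumptions; tune them to
your own plan. Only the 72-hour ICO window from awareness comes from the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class Priority(IntEnum):
    P1 = 1  # active attacker, data leaving the estate, or privileged compromise
    P2 = 2  # confirmed compromise, personal data at risk or several hosts
    P3 = 3  # confirmed, single host, no personal data, no spread
    P4 = 4  # unverified: confirm it is genuine before escalating


# Assumed time-to-first-action per priority (not the page's figures).
RESPONSE_SLA = {
    Priority.P1: timedelta(minutes=15),
    Priority.P2: timedelta(hours=1),
    Priority.P3: timedelta(hours=4),
    Priority.P4: timedelta(days=1),
}

# UK GDPR Art. 33: the clock runs from awareness, not from the end of the investigation.
ICO_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Alert:
    source: str               # which tool raised it (endpoint, attack surface, exfil monitor)
    summary: str
    confirmed: bool           # an analyst has ruled out a false positive
    hosts_affected: int
    exfiltration: bool        # data observed leaving the estate
    ransomware: bool          # encryption activity observed
    privileged_account: bool  # admin or domain-admin credential involved
    personal_data: bool       # personal data within reach of the affected systems


@dataclass(frozen=True)
class Triage:
    priority: Priority
    respond_by: datetime
    ico_clock_deadline: Optional[datetime]  # None when no personal data is in scope
    rationale: str


def classify(alert: Alert) -> tuple[Priority, str]:
    """Map an alert to P1..P4 with assumed criteria; return the rule that fired."""
    if not alert.confirmed:
        return Priority.P4, "unverified alert: confirm genuine incident before escalating"
    if alert.exfiltration or alert.ransomware:
        return Priority.P1, "active exfiltration or ransomware: block outbound flows now"
    if alert.privileged_account or alert.hosts_affected >= 10:
        return Priority.P1, "privileged credential or widespread compromise"
    if alert.personal_data or alert.hosts_affected >= 3:
        return Priority.P2, "confirmed compromise with personal data or multi-host scope"
    return Priority.P3, "confirmed, single host, no personal data, no lateral spread"


def triage(alert: Alert, aware_at: datetime) -> Triage:
    """Build a triage record with the response deadline and, where personal data
    is in scope, the ICO 72-hour deadline counted from aware_at."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware to avoid ambiguous deadlines")
    priority, why = classify(alert)
    ico_deadline = aware_at + ICO_WINDOW if (alert.confirmed and alert.personal_data) else None
    return Triage(priority, aware_at + RESPONSE_SLA[priority], ico_deadline,
                  f"{alert.source}: {why}")


def triage_queue(alerts: list[Alert], aware_at: datetime) -> list[Triage]:
    """Triage a batch and order it so P1s are worked first (stable sort)."""
    return sorted((triage(a, aware_at) for a in alerts), key=lambda t: t.priority)


# Constructed sample alerts and awareness time (not real detections).
AWARE_AT = datetime(2026, 3, 22, 9, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("endpoint-detection", "known-malicious binary quarantined on DEV-WS-03",
          confirmed=True, hosts_affected=1, exfiltration=False, ransomware=False,
          privileged_account=False, personal_data=False),
    Alert("exfil-monitor", "120 MB outbound to unknown host from FIN-LAPTOP-07",
          confirmed=True, hosts_affected=1, exfiltration=True, ransomware=False,
          privileged_account=False, personal_data=True),
    Alert("endpoint-detection", "credential dumping tool on HR-SRV-01",
          confirmed=True, hosts_affected=1, exfiltration=False, ransomware=False,
          privileged_account=False, personal_data=True),
    Alert("endpoint-detection", "suspicious PowerShell, possibly an admin script",
          confirmed=False, hosts_affected=1, exfiltration=False, ransomware=False,
          privileged_account=False, personal_data=False),
]

if __name__ == "__main__":
    for t in triage_queue(SAMPLE_ALERTS, AWARE_AT):
        print(t.priority.name, t.respond_by.isoformat(), t.ico_clock_deadline, t.rationale)
```

The point of the structure is that the rules are data, reviewed and agreed before an incident, and the responder only supplies the facts. Note that the ICO clock is started on the confirmed alerts that touch personal data even though the "risk to individuals" assessment has not yet been made; the deadline is for notifying, and the assessment has to fit inside it.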

Step 3: Containment, Eradication, Recovery

Containment must balance speed with evidence preservation. Isolate affected systems from the network (an EDR network quarantine or a switch-port or firewall block) but do not power them off, because volatile memory holds evidence such as running processes, network connections and in-memory malware that is lost on shutdown. For ransomware with exfiltration (the large majority of cases: BlackFog puts the figure at 93%), containment means blocking all outbound data flows immediately, which is where BlackFog's ADX provides automated containment at the endpoint level. Resist the urge to start eradication before you have scoped the intrusion: removing the attacker from one host while they still hold another foothold tells them they have been seen and lets them re-enter. Eradication means removing the threat actor's access entirely: resetting all compromised credentials and revoking their active sessions and tokens, patching the exploited vulnerability, and verifying that no persistence mechanisms (scheduled tasks, new accounts, rogue MFA devices, mail forwarding rules) remain. Recovery should follow a documented sequence with verification gates before reconnecting systems, restoring from backups that predate the compromise and monitoring restored hosts closely for signs of re-entry.

Step 4: UK Notification Requirements

If personal data is involved, you must assess whether ICO notification is required and, where it is, notify within 72 hours of becoming aware of the breach; the clock runs from awareness, not from the end of your investigation, and a late notification must be accompanied by the reasons for the delay. Not all breaches require notification, only those likely to result in a risk to individuals' rights and freedoms. If that risk is high, you must also notify the affected individuals without undue delay. Report significant cyber incidents to the NCSC through their online reporting tool. If you are in a NIS-regulated sector, notify your competent authority within the mandated timeline. Your legal counsel should advise on whether law enforcement (Action Fraud, or Police Scotland in Scotland, and the NCA) notification is appropriate. Document every decision and its rationale, including a decision not to notify: the ICO will ask to see your assessment process.

  • ICO: assess within 72 hours, notify if risk to individuals
  • High risk to individuals: direct notification required
  • NCSC: report significant incidents via online tool
  • NIS-regulated sectors: notify competent authority
  • Action Fraud / NCA: consider law enforcement notification
  • Document all decisions and rationale for regulatory scrutiny

Frequently Asked Questions

When do I need to notify the ICO?

You must notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. If you notify later than 72 hours you must give the reasons for the delay. If there is no risk to individuals, notification is not required, but you should document your assessment and reasoning, because you may be asked to justify the decision later.

What is the penalty for not reporting a breach on time?

Late notification is treated as an aggravating factor by the ICO and can increase fines. Under UK GDPR, the maximum fine is 17.5 million pounds or 4% of global annual turnover, whichever is higher. The ICO has specifically cited late notification as a factor in several enforcement actions.

Do I need a dedicated incident response team?

You need named individuals who are responsible for incident response, but they do not need to be dedicated full-time. For SMBs, these roles are typically held by existing staff with incident response as an additional responsibility, supported by a managed security provider for technical containment and forensics.

How often should I test my incident response plan?

At minimum, conduct a tabletop exercise annually. Best practice is to test quarterly with different scenarios. The NCSC provides free Exercise in a Box resources specifically designed for UK organisations to test their incident response plans.

Tags: incident response, IR plan, ICO, NCSC, UK, compliance

Want to discuss this with our team?

Book a free 20-minute call with David or Max.