Incident response plan: Complete UK guide for 2025
The average UK data breach now costs £3.29 million, and organisations take an average of 181 days just to detect an attack. Yet only 25% of UK businesses have a formal incident response plan in place. If your organisation falls into the unprepared 75%, you're gambling with your company's future every single day.
An incident response plan is your organisation's playbook for when things go wrong. It's the difference between a controlled, professional response that minimises damage and a chaotic scramble that makes everything worse. In this comprehensive guide, we'll walk you through everything you need to know about creating an effective incident response plan for your UK business - from understanding the regulatory requirements to building your response team and testing your procedures.
What is an incident response plan?
An incident response plan (IRP) is a documented set of procedures that outlines how your organisation will detect, respond to, and recover from cybersecurity incidents. Think of it as your emergency action plan for digital threats - whether that's a ransomware attack, data breach, phishing compromise, or any other security incident that could disrupt your operations.
A good incident response plan covers the entire incident lifecycle: preparation, detection, containment, eradication, recovery, and lessons learned. It defines who does what, when they do it, and how they communicate throughout the process. Without one, you're essentially trying to fight a fire without knowing where the extinguishers are or who should call 999.
Why UK businesses need an incident response plan
The statistics paint a stark picture of the UK's cybersecurity landscape. According to the 2025 Cyber Security Breaches Survey, 59% of UK SMEs experienced a cyber attack in the past 12 months, with 73% reporting at least one incident over the past five years. Despite this, only a quarter of UK businesses have documented incident response procedures.
The financial reality
The 2025 IBM Cost of a Data Breach Report reveals some eye-opening figures for UK organisations:
- Average breach cost: £3.29 million across all sectors
- Financial services: £5.74 million average per breach
- With AI-powered detection and response tools: £3.11 million (17.7% lower than organisations without them)
- Without advanced detection: £3.78 million
Organisations with proper incident response plans and AI-powered security tools save an average of £670,000 per breach compared to those without. That's not pocket change - it could be the difference between surviving an attack and going under.
Response time matters
Speed is everything when responding to a cyber incident. The longer an attacker has access to your systems, the more damage they can do. Current UK benchmarks show:
- Mean time to identify (MTTI): 181 days globally, but organisations with AI tools achieve 148 days
- Mean time to contain (MTTC): 60 days globally, but 42 days with advanced security tools
- Total breach lifecycle: 241 days on average - that's eight months of potential exposure
Organisations that detect and contain breaches within 200 days save an average of £1.14 million compared to those with longer detection cycles. A well-rehearsed incident response plan is one of the most effective ways to reduce these timelines.
Regulatory requirements
UK organisations face increasingly strict regulatory requirements for incident response. Under Article 33 of the UK GDPR, you must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The 72 hours run continuously, including evenings, weekends and bank holidays. The notification must include the nature of the breach, the categories and approximate numbers of data subjects and records affected, your DPO's contact details, the likely consequences, and the measures taken or proposed to address it. Where the breach is likely to result in a high risk to individuals, Article 34 also requires you to tell those individuals without undue delay. The ICO recommends a "report early, update later" approach: you can notify in phases, so don't wait until you have complete information. Whatever you decide, document every breach internally, including the ones you judge not reportable and why.
In 2025, the ICO issued fines of £3.07 million to Advanced Computer Software Group and £2.31 million to 23andMe for security failures following data breaches. These penalties demonstrate the regulator's willingness to take action when organisations fail to protect personal data adequately.
The UK Cyber Security and Resilience Bill, introduced to Parliament in November 2025, will tighten these requirements significantly:
- 24-hour initial notification: You'll need to report incidents within 24 hours (not 72) with basic details
- 72-hour full report: Comprehensive incident details within three days
- Broader scope: Applies to incidents "capable of" causing harm, not just those that have caused actual disruption
- Expanded coverage: Data centres, managed service providers, and critical suppliers now included
- Enhanced penalties: Up to £17 million or 4% of global turnover, plus £100,000 per day for ongoing violations
If your organisation operates in critical infrastructure or provides essential digital services, the 24-hour notification window means you need incident response procedures that can identify, assess, and report an incident within 24 hours of becoming aware of it, whatever day of the week that is. That's not achievable without preparation.
Having a proper IRP in place is a key part of good technology governance and demonstrates your commitment to protecting your business assets.
Learning from UK cyber attacks: real-world case studies
The best way to understand why incident response planning matters is to look at what happens when things go wrong. 2024 and 2025 have seen some of the most significant cyber attacks against UK organisations in history. Here's what we can learn from them.
Marks & Spencer: social engineering strikes retail
In April 2025, Marks & Spencer fell victim to the Scattered Spider hacking group, who deployed DragonForce ransomware across the retailer's systems. The attack method was devastatingly simple: attackers called M&S's third-party IT help desk (operated by Tata Consultancy Services), impersonated internal staff, and convinced help desk personnel to reset passwords and MFA settings.
The impact was catastrophic. M&S was forced to shut down online ordering for 46 days, revert to pen-and-paper stock management, and suspend contactless payments across 1,400 stores. The attack cost approximately £324 million in lost sales, with total financial impact reaching £300-400 million. Customer data including names, addresses, and order history was stolen.
Key lesson: Technical security controls are meaningless if attackers can simply phone your help desk and talk their way in. Identity verification procedures for password resets are as important as your firewalls.
NHS Synnovis: when healthcare stops
In June 2024, the Qilin ransomware group attacked Synnovis, a pathology service provider for NHS trusts across South-East London. The attackers demanded $50 million and leaked 400GB of patient data when Synnovis refused to pay.
The operational consequences were devastating: over 11,000 appointments cancelled, 18 organ transplants postponed, and more than 100 cancer treatments delayed. Blood testing dropped to just 10% of normal capacity, forcing hospitals to use O-type blood for all patients because blood-matching systems were offline. London experienced a blood shortage as a direct result.
Full service restoration took six months. The leaked data included highly sensitive information: NHS numbers, HIV status, STI test results, and cancer diagnoses.
Key lesson: Third-party service providers are part of your attack surface. Healthcare organisations must ensure critical suppliers have robust security measures and incident response capabilities.
British Library: legacy systems create lasting damage
The October 2023 attack on the British Library by the Rhysida ransomware group exposed the dangers of legacy infrastructure. The attackers gained access through a remote access server that had been installed in 2020 for pandemic-era remote working - critically, this server lacked multi-factor authentication despite internal warnings about the vulnerability.
The Library refused to pay the 20 bitcoin ransom (approximately £596,000), and 600GB of data was leaked onto the dark web. Recovery has been extraordinarily slow due to the complexity of legacy systems. More than two years later, in late 2025, full restoration is still ongoing. The recovery effort has cost £6-7 million from reserves.
Key lesson: Technical debt and legacy infrastructure don't just slow you down - they can make recovery from attacks take years instead of months. The British Library is now migrating to cloud-native infrastructure to prevent similar incidents.
Co-operative Group: how fast response limits damage
The Co-op was targeted by the same Scattered Spider group that hit M&S, using identical social engineering tactics. However, the Co-op's response demonstrates how preparation and decisive action can limit damage.
When the Co-op detected suspicious activity on 30 April 2025, they made the difficult decision to proactively shut down critical IT systems. This prevented the DragonForce ransomware from encrypting their infrastructure - unlike M&S, they avoided weeks of operational paralysis.
The attack still cost £80 million in lost profit and affected 6.5 million member records. But the proactive shutdown meant the Co-op was back to near-normal operations within weeks rather than months.
Key lesson: Having the authority and willingness to shut down systems proactively - before encryption occurs - can dramatically reduce overall damage. This requires pre-planned decision frameworks and executive buy-in.
Does your organisation have an incident response plan? Our IT Operations team can help you develop a tailored plan that meets regulatory requirements and insurer expectations. Get in touch for a free consultation.
Building your incident response team
You can have the most comprehensive incident response plan in the world, but it's worthless if nobody knows who's doing what when an incident strikes. Clear role definitions eliminate the confusion and duplicated effort that often hamper response during high-pressure situations.
Essential roles
For most UK SMEs, you won't need a massive team, but you do need clear ownership of these core functions:
- Incident Commander: The single point of authority who coordinates all response activities, makes critical decisions, and maintains command of the process. This person needs the authority to make calls that affect multiple departments.
- Technical Lead: Owns the technical response - diagnosing problems, directing containment actions, and overseeing recovery. For smaller organisations, this might be your IT manager or an external managed service provider.
- Communications Lead: Handles all stakeholder communication, freeing technical staff to focus on resolution. This includes internal updates, customer notifications, and regulatory reporting.
- Scribe: Documents everything that happens during the incident. This is essential for post-incident review, regulatory compliance, and potential legal proceedings. Often overlooked but invaluable.
Depending on your organisation's size and the incident type, you may also need legal counsel (for compliance and evidence preservation), HR (for insider threats or employee communications), and subject matter experts for specific systems.
The RACI matrix
A RACI matrix clarifies exactly who does what for every task in your incident response process:
- Responsible: Who actually does the work
- Accountable: Single person who must answer for the outcome (only ever one person)
- Consulted: Who provides input before decisions are made
- Informed: Who needs to be kept updated
The critical word there is "single" - every task needs exactly one accountable person. If everyone thinks someone else is handling something, it doesn't get done, and that is how a containable incident turns into weeks of operational disruption.
The incident response lifecycle
Before diving into specific components, it helps to understand the standard frameworks that organisations worldwide use to structure their incident response. The two most widely adopted are NIST and SANS, and while they use slightly different terminology, they follow the same fundamental logic.
The SANS PICERL model
The SANS Institute's six-step model (PICERL) has become the de facto industry standard. The acronym stands for:
- Preparation: Policies, procedures, tools, training, and team structures
- Identification: Detecting security events and distinguishing real incidents from false alarms
- Containment: Limiting the scope and impact of an ongoing incident
- Eradication: Removing the root cause - patching vulnerabilities, removing malware, revoking compromised credentials
- Recovery: Restoring systems to normal operations with verification that threats are eliminated
- Lessons Learned: Post-incident review and continuous improvement
The NIST Cybersecurity Framework 2.0
NIST published the third revision of its incident handling guide, SP 800-61r3, in April 2025. It integrates incident response into the broader NIST Cybersecurity Framework (CSF) 2.0, released in February 2024. Rather than treating incident response as a separate cycle, it maps it onto the framework's six interconnected functions: Govern, Identify, Protect, Detect, Respond, and Recover.
The key insight from the updated NIST approach is that effective incident response doesn't start when you detect an attack - it starts with preparation. The Govern, Identify, and Protect functions establish the foundation that makes effective detection and response possible.
Key components of an effective incident response plan
Using these frameworks as our guide, let's break down what your incident response plan should actually contain.
1. Detection and identification
Implement monitoring tools
Continuous monitoring of your systems and networks is what turns an intrusion into an alert rather than a surprise months later. None of the tools below help unless the relevant logs are actually being collected and someone is on the hook to act on the alerts. Examples of monitoring tools include:
- Intrusion detection systems (IDS): These monitor network traffic for suspicious patterns and raise alerts (an intrusion prevention system, IPS, also blocks the traffic). Examples include the open-source Suricata and Snort engines and commercial appliances from vendors such as Cisco and Check Point.
- Security information and event management (SIEM): SIEM platforms (for example Microsoft Sentinel, Splunk or ManageEngine Log360) collect logs from across your estate and correlate them in real time, alerting when preset rules match. A typical rule fires when it sees several failed login attempts from the same IP address in a short window, because that can indicate a brute-force attack; a successful login from that same address shortly afterwards is the alert that matters most, because it means the guessing worked.
- Endpoint detection and response (EDR): EDR solutions (e.g., CrowdStrike Falcon or Microsoft Defender for Endpoint) monitor endpoint devices (e.g., computers, mobile devices) for unusual behaviour such as unexpected processes, new persistence mechanisms or mass file encryption, and can isolate a device from the network remotely, which is exactly the short-term containment action covered later in this guide.
Our IT Operations team can help you implement and manage these monitoring tools to ensure your systems are properly protected.
Define Indicators of Compromise (IoCs)
IoCs are observable signs that a breach is under way or has already happened. Deciding in advance which indicators you will alert on, and making sure the logs needed to see them are actually collected and retained, helps you detect incidents faster. Examples of IoCs include:
- Unusual outbound network traffic: Large volumes of data leaving the network, or traffic to destinations a host never normally talks to, potentially indicating data exfiltration or command-and-control activity.
- Unusual user behaviour: A user suddenly accessing files they don't normally use, logging in at unusual hours, or logging in from two distant locations within minutes of each other.
- File modifications: Unexplained changes to system files, new scheduled tasks or services, or the presence of unusual files (e.g., malware or remote-access tools).
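To make the SIEM rule and the outbound-traffic IoC above concrete, here is a small added example (not code from this guide or from any vendor product) that runs two detections over constructed sample data: a sliding-window brute-force rule on authentication log lines, which is upgraded when a later successful login arrives from the same source, and a per-host outbound-volume check. The log format, the IP addresses, the byte counts and the thresholds are all assumptions; adapt the regex and numbers to your own sources.

```python
"""Two SIEM-style detections run over constructed sample data: a sliding-
window brute-force rule on authentication logs, and a per-host outbound
volume check for the exfiltration IoC. Added example for this guide, not
code from the guide or any vendor; log formats and thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re
import statistics

# Constructed sshd-style auth log (format assumed; adapt the regex to yours).
AUTH_LOG = """\
2025-11-20T02:14:01Z sshd: Failed password for admin from 203.0.113.7
2025-11-20T02:14:04Z sshd: Failed password for admin from 203.0.113.7
2025-11-20T02:14:07Z sshd: Failed password for root from 203.0.113.7
2025-11-20T02:14:09Z sshd: Failed password for admin from 203.0.113.7
2025-11-20T02:14:12Z sshd: Failed password for svc-backup from 203.0.113.7
2025-11-20T02:14:20Z sshd: Accepted password for svc-backup from 203.0.113.7
2025-11-20T09:00:00Z sshd: Failed password for alice from 198.51.100.5
2025-11-20T09:00:30Z sshd: Accepted password for alice from 198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_auth_line(line):
    """Return {ts, ok, user, ip} for a recognised line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source IP accumulates >= threshold failed logins inside
    a sliding time window (low severity, matching the classification bands
    used later in this guide). A later successful login from the same IP
    raises it to medium: the guessing worked, and that account is the one
    to disable first."""
    events = [e for e in map(parse_auth_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    alerts = {}                   # ip -> alert, one per source
    for e in events:
        if e["ok"]:
            if e["ip"] in alerts:
                alerts[e["ip"]]["severity"] = "medium"
                alerts[e["ip"]]["compromised_user"] = e["user"]
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["ip"] not in alerts:
            alerts[e["ip"]] = {"ip": e["ip"], "failures": len(q),
                               "first_seen": q[0].isoformat(),
                               "severity": "low"}
    return list(alerts.values())


# Constructed daily outbound bytes per host, oldest first (values invented).
OUTBOUND_BYTES = {
    "ws-finance-02": [210e6, 190e6, 240e6, 205e6, 198e6, 230e6, 4.8e9],
    "ws-hr-07":      [120e6, 135e6, 110e6, 128e6, 140e6, 122e6, 131e6],
}


def detect_exfil(history, factor=5.0, min_baseline=3):
    """Flag hosts whose latest day's outbound volume exceeds `factor` times
    their own median over the preceding days. The baseline is per host, so a
    busy file server is judged against itself rather than against laptops,
    and hosts with too little history are skipped rather than compared
    against an unreliable median."""
    alerts = []
    for host, series in history.items():
        *baseline, latest = series
        if len(baseline) < min_baseline:
            continue
        median = statistics.median(baseline)
        if latest > factor * median:
            alerts.append({"host": host, "ratio": round(latest / median, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(AUTH_LOG):
        print("AUTH", a)
    for a in detect_exfil(OUTBOUND_BYTES):
        print("EXFIL", a)
```

On the constructed data the brute-force rule raises one alert for 203.0.113.7, upgraded to medium because the svc-backup login succeeded, while alice's single typo followed by a successful login is correctly ignored; the volume check flags ws-finance-02 at roughly 23 times its own baseline. The point of the per-host baseline is that a fixed byte threshold either drowns you in alerts from legitimately chatty servers or misses a quiet workstation suddenly pushing gigabytes out.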
2. Response
Incident classification
Incidents need to be categorised based on their severity and impact to ensure an efficient response. Incidents can be classified in the following ways:
- Low-severity: For example, minor phishing attempts or unsuccessful login attempts.
- Medium-severity: A malware infection on a single system or unauthorised access to a user account.
- High-severity: A ransomware attack, data breach, or a Distributed Denial of Service (DDoS) attack affecting critical systems.
Containment strategies
Once an incident is identified, you need to contain it before it spreads, and the plan should spell out who is pre-authorised to take each containment action so nobody has to wait for sign-off at 2am. Containment strategies vary with the type of incident:
- Short-term containment: For example, isolating affected systems from the network (rather than powering them off, which destroys volatile evidence), revoking sessions and resetting credentials for compromised user accounts, or blocking the attacker's IP addresses at the perimeter.
- Long-term containment: This could be applying patches to the exploited vulnerabilities, tightening firewall rules, or moving infected systems to a quarantined environment for further analysis while clean replacements are built.
3. Recovery
Restoration procedures
After the incident has been contained, you will need to then look at restoring your affected systems and services. This may involve:
- Rebuilding compromised systems: Reinstall from known-good media or images rather than trying to clean an infected system in place, so you can be confident the restored system is free of malware and backdoors.
- Applying any security patches: Address any vulnerabilities exploited during the incident. Keeping your systems updated, like updating to Windows 11, is essential for security.
- Restoring data from backups: Recover lost or corrupted data by restoring from backups. As we discussed in our security checklist, proper data backup is essential.
Validation and Testing
After restoration, all systems should be tested thoroughly to ensure the incident has been fully eliminated. This may involve:
- Vulnerability scans and persistence checks: Scan to confirm the exploited vulnerabilities are closed, and check for the things scanners won't find, such as new user accounts, scheduled tasks, and remote-access tools the attacker left behind.
- User testing: Ensuring that users can access their systems and applications securely.
4. Communication
Internal Communication
A structured internal communication protocol will ensure that the right people are informed and coordinated during an incident. This involves:
- Notifying IT staff: Alerting them of the incident to begin containment and recovery efforts.
- Informing executives: Keeping senior management updated about the situation and its potential business impact.
External Communication
It's also extremely important to communicate with external stakeholders like customers, partners, and regulatory bodies. This should include:
- Pre-prepared statements: Having these means that you can quickly inform customers if their data may have been affected.
- Regulatory reporting: Many industries are required to notify regulators within a set time of a security incident (e.g., UK GDPR requires notification to the ICO within 72 hours of becoming aware of a reportable personal data breach).
5. Post-incident review
Incident analysis
After the incident is resolved, you should conduct a follow-up analysis to determine:
- The root cause: Identify how the incident occurred (e.g., phishing attack, unpatched vulnerability).
- The overall impact: Assess the financial, operational, and reputational damage. Understanding the cost of IT downtime is important for this analysis.
Lessons learnt
Use the incident as an opportunity to improve your security posture. This could include:
- Updating the incident response plan: Address any weaknesses in the IRP identified during the incident.
- Enhanced training: Incorporate any lessons learned into employee training programs. Digital defence practices for your employees make a real difference.
6. Testing your incident response plan
Here's a sobering statistic: only 30% of organisations regularly test their incident response plans. The other 70% have plans that look good on paper but have never been validated under pressure. Don't be in that 70%.
Tabletop exercises
Tabletop exercises are guided discussions where your team walks through a hypothetical incident scenario. They're low-risk, cost-effective, and highly valuable for identifying gaps. The NCSC's "Exercise in a Box" provides free, ready-to-use scenarios designed specifically for UK businesses.
A good tabletop exercise has three phases:
- Planning: Define your objective, select participants, and design a realistic scenario that matches your actual threat profile
- Engaging: Walk through the scenario with all participants making decisions based on their real roles - IT controls damage, legal assesses compliance, comms prepares statements
- Learning: Debrief honestly, document gaps, and assign follow-up actions with owners and deadlines
Research shows that frequent "micro-dose" drills work better than annual elaborate exercises. Running a 90-minute tabletop once a quarter keeps your team's muscle memory fresh and ensures your procedures stay current.
Measuring your response capability
You can't improve what you don't measure. Track these key metrics to understand your incident response capability. The targets below are for events your monitoring can see, measured from the first alert-worthy event; the IBM figures earlier in this guide measure the whole breach from initial compromise to discovery, which is why they run to months rather than minutes:
- MTTD (Mean Time to Detect): How long between a threat appearing and your team detecting it. Target: under 5 minutes for well-monitored environments.
- MTTA (Mean Time to Acknowledge): How long until someone starts working on an alert. Target: under 15 minutes for critical incidents.
- MTTC (Mean Time to Contain): How long to stop an incident from spreading. Target: under 30 minutes for critical incidents.
- MTTR (Mean Time to Recover): How long to restore normal operations. Target: under 4 hours for critical incidents.
Industry benchmarks show that 44% of businesses need 30+ minutes just to detect critical issues, and 60% need 30+ minutes to resolve them. Organisations with proper monitoring achieve detection in under 5 minutes - that's the difference between catching an attacker at the door versus finding them in your vault.
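Computing these metrics from your incident register is straightforward once you are consistent about which timestamps each one spans. The added example below (not code from this guide) works over a constructed register: the critical-incident targets are the ones quoted above, the high-severity targets and the register layout are assumptions, and the example deliberately handles the case that trips most spreadsheets up, an incident that is still open and therefore has no containment or recovery time yet.

```python
"""Compute MTTD, MTTA, MTTC and MTTR from an incident register and compare
them with per-severity targets. Added example for this guide, not the
guide's own code: the register layout and the non-critical targets are
assumptions; the critical targets are the ones quoted in the text."""
from datetime import datetime
from statistics import mean

# Targets in minutes. "critical" follows the guide; "high" is an assumption.
TARGETS_MIN = {
    "critical": {"MTTD": 5, "MTTA": 15, "MTTC": 30, "MTTR": 240},
    "high":     {"MTTD": 15, "MTTA": 30, "MTTC": 120, "MTTR": 480},
}

# Which pair of timestamps each metric spans. MTTD runs from the earliest
# evidence of the event ("occurred"); the others run from detection, as IBM
# measures containment. Change this table if your definitions differ.
STAGES = {
    "MTTD": ("occurred", "detected"),
    "MTTA": ("detected", "acknowledged"),
    "MTTC": ("detected", "contained"),
    "MTTR": ("detected", "recovered"),
}

# Constructed incident register (ISO 8601, UTC). None means the incident has
# not reached that stage yet; INC-103 is still open.
INCIDENTS = [
    {"id": "INC-101", "severity": "critical",
     "occurred": "2025-09-01T02:00:00", "detected": "2025-09-01T02:03:00",
     "acknowledged": "2025-09-01T02:10:00", "contained": "2025-09-01T02:35:00",
     "recovered": "2025-09-01T05:00:00"},
    {"id": "INC-102", "severity": "critical",
     "occurred": "2025-09-10T14:00:00", "detected": "2025-09-10T14:09:00",
     "acknowledged": "2025-09-10T14:40:00", "contained": "2025-09-10T15:15:00",
     "recovered": "2025-09-10T21:00:00"},
    {"id": "INC-103", "severity": "critical",
     "occurred": "2025-09-20T09:00:00", "detected": "2025-09-20T09:02:00",
     "acknowledged": "2025-09-20T09:05:00", "contained": None,
     "recovered": None},
    {"id": "INC-104", "severity": "high",
     "occurred": "2025-09-22T11:00:00", "detected": "2025-09-22T11:20:00",
     "acknowledged": "2025-09-22T11:25:00", "contained": "2025-09-22T12:30:00",
     "recovered": "2025-09-22T16:00:00"},
]


def stage_minutes(inc, start, end):
    """Minutes between two stages, or None if either is not recorded."""
    if not inc.get(start) or not inc.get(end):
        return None
    t0 = datetime.fromisoformat(inc[start])
    t1 = datetime.fromisoformat(inc[end])
    if t1 < t0:  # bad data: a scribe typo would otherwise poison the mean
        raise ValueError(f"{inc['id']}: {end} is before {start}")
    return (t1 - t0).total_seconds() / 60


def compute_metrics(incidents, severity):
    """Mean minutes per metric for one severity band. Incidents that have not
    reached a stage are left out of that metric rather than counted as zero,
    which would make an unresolved incident look like a fast one."""
    out = {}
    for metric, (start, end) in STAGES.items():
        samples = []
        for inc in incidents:
            if inc["severity"] != severity:
                continue
            m = stage_minutes(inc, start, end)
            if m is not None:
                samples.append(m)
        out[metric] = round(mean(samples), 1) if samples else None
    return out


def report(incidents, severity):
    """{metric: (mean_minutes, target_minutes, 'ok' | 'MISS' | 'n/a')}."""
    actual = compute_metrics(incidents, severity)
    targets = TARGETS_MIN.get(severity, {})
    rows = {}
    for metric, value in actual.items():
        target = targets.get(metric)
        if value is None or target is None:
            rows[metric] = (value, target, "n/a")
        else:
            rows[metric] = (value, target, "ok" if value <= target else "MISS")
    return rows


if __name__ == "__main__":
    for sev in ("critical", "high"):
        print(sev)
        for metric, (value, target, status) in report(INCIDENTS, sev).items():
            print(f"  {metric}: {value} min (target {target}) {status}")
```

On the constructed register the critical-incident detection and acknowledgement averages meet their targets, but containment (49 minutes against a 30-minute target) and recovery (294 minutes against 240) miss, which is the kind of finding that points at the pre-authorisation gap discussed under containment rather than at the monitoring. Means hide outliers, so once you have more than a handful of incidents, report the median and the worst case alongside the mean.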
Employee awareness
Your staff are both your first line of defence and your biggest vulnerability. They need to know how to:
- Recognise threats: Identify phishing attempts, social engineering, and suspicious behaviour. With AI-generated attacks becoming more sophisticated, this is harder than ever.
- Report quickly: Follow clear protocols for reporting suspected incidents. A security-conscious culture where staff feel comfortable reporting near-misses catches problems early.
Common incident response mistakes to avoid
Based on real UK incidents and industry research, here are the most common IRP mistakes that turn manageable incidents into disasters:
- Outdated contact lists: When your incident commander's phone number is wrong at 2am, you've already lost critical time. Review and update contact information quarterly.
- Untested plans: A plan that's never been tested is just a document. The M&S incident showed that even major retailers can have gaps they didn't know about.
- No escalation authority: If staff need to wake up the CEO to approve shutting down a system, attackers have free rein while you wait. Pre-authorise containment actions.
- Ignoring third parties: M&S was breached through their third-party help desk provider. Your suppliers are part of your attack surface - include them in your planning.
- Poor evidence handling: Turning off a compromised computer destroys volatile evidence such as running processes, network connections and encryption keys held in memory. Isolate it from the network instead, capture memory if you can, and record who handled what and when. Train staff on basic evidence preservation before forensics arrive.
- No backup verification: The British Library discovered their backup and recovery procedures weren't fit for purpose only after they needed them. Test your backups regularly.
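Evidence preservation has a mechanical side that is easy to get right in advance: hash every artefact at the moment you collect it, write a manifest, and keep a chain-of-custody log that only ever grows. The added example below (not code from this guide) does exactly that and then shows verification catching a later alteration. The collector names, case ID, file names and manifest layout are assumptions, and the artefacts are created in a temporary directory so it runs offline.

```python
"""Evidence integrity and chain of custody: hash each artefact at collection
time, write a manifest, and re-verify later. Added example for this guide,
not the guide's own code. Collector names, case IDs, file names and the
manifest layout are assumptions; the artefacts are created in a temporary
directory so the demo runs offline."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-gigabyte memory image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def collect(paths, collector, case_id, note=""):
    """Hash every artefact and open the custody log with a 'collected' entry."""
    items = []
    for p in paths:
        st = os.stat(p)
        items.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            # Record the original mtime: a careless copy will clobber it.
            "mtime": datetime.fromtimestamp(
                st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
        })
    return {"case_id": case_id, "items": items,
            "custody": [{"when": utc_now(), "who": collector,
                         "action": "collected", "note": note}]}


def add_custody(manifest, who, action, note=""):
    """Append a hand-over event; earlier entries are never edited."""
    manifest["custody"].append({"when": utc_now(), "who": who,
                                "action": action, "note": note})


def verify(manifest):
    """Re-hash every artefact; return the paths that are missing or altered."""
    bad = []
    for it in manifest["items"]:
        if not os.path.exists(it["path"]) or sha256_file(it["path"]) != it["sha256"]:
            bad.append(it["path"])
    return bad


def save(manifest, out_path):
    """Write the manifest and return its own hash. Record that hash out of
    band (in the incident log or a signed e-mail) so the manifest itself
    cannot be quietly rewritten."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    with open(out_path, "wb") as f:
        f.write(data)
    return sha256_bytes(data)


def demo():
    """Collect two constructed artefacts, hand them over, tamper with one,
    and show that verification catches it."""
    with tempfile.TemporaryDirectory() as d:
        mem = os.path.join(d, "ws-finance-02.mem")
        log = os.path.join(d, "auth.log")
        with open(mem, "wb") as f:
            f.write(os.urandom(4096))      # stands in for a memory capture
        with open(log, "w") as f:
            f.write("constructed log line\n")
        manifest = collect([mem, log], collector="a.bell", case_id="IR-2025-014",
                           note="host isolated from network; memory captured before power-off")
        manifest_hash = save(manifest, os.path.join(d, "manifest.json"))
        clean = verify(manifest)
        add_custody(manifest, "c.dunn", "handed to forensics", "sealed, tamper-evident bag")
        with open(log, "a") as f:
            f.write("tampered\n")          # simulate a later alteration
        altered = [os.path.basename(p) for p in verify(manifest)]
        return {"manifest_hash": manifest_hash, "clean": clean,
                "altered": altered, "custody_entries": len(manifest["custody"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest's own hash is the piece people forget: without it, anyone with write access to the evidence share can alter a file and "fix" the manifest to match. Writing that single hash into the scribe's incident log, which is kept somewhere else, is what makes the record defensible.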
Free resources to get you started
With 59% of UK SMEs experiencing cyber attacks annually and average breach costs hitting £3.29 million, the question isn't whether you need an incident response plan - it's whether you can afford not to have one. The good news? You don't need to start from scratch or spend a fortune.
NCSC Exercise in a Box
The National Cyber Security Centre's "Exercise in a Box" is completely free and requires no cybersecurity expertise to use. It offers over 15 pre-built exercise scenarios covering ransomware, phishing, data breaches, and more, in three formats: quick micro-exercises, tabletop discussions, and hands-on simulations. You can pause, resume, and work through them at your own pace. Register at ncsc.gov.uk and start testing your procedures today.
Cyber insurance requirements
If you have cyber insurance (and you probably should), be aware that insurers increasingly require specific security controls before they'll pay out on claims:
- Multi-factor authentication: Now a virtually universal requirement
- Endpoint detection: 65% of insurers expect EDR solutions
- Offline backups: Critical for ransomware recovery
- Security awareness training: 81% expect regular staff training
- Documented incident response plan: Standard requirement across insurers
Having these controls in place isn't just good practice - it's often necessary for your insurance to actually work when you need it.
When to get professional help
Not every organisation has the resources for a full-time security team, and that's fine. Managed security service providers (MSSPs) can provide 24/7 monitoring, incident response support, and the technical controls cyber insurers require - often more cost-effectively than building internal capability. For UK SMEs, this is often the most practical path to mature incident response.
Remember, a simple plan that's been tested and rehearsed will serve you far better than a comprehensive plan that exists only in theory. The organisations that weather cyber attacks best aren't necessarily the ones with the biggest security budgets - they're the ones that prepared, practised, and knew exactly what to do when things went wrong.
For more on protecting your business from cyber threats, check out our guides on current cyber security threats facing UK businesses, cybersecurity essentials for UK SMEs, and future-proofing your cybersecurity strategy.
Need help developing or updating your incident response plan? Give our IT Operations team a shout - we can help you assess your current readiness and build a tailored IRP that fits your business.