What Happens After a Cyber Breach? (A Timeline for SMEs)

Most SME directors don't think about cyber breaches until they're in one.
That's not complacency; it's human nature. But it's also why cyber attacks on small and medium-sized businesses across the UK are increasing. Hackers know that SMEs often have valuable data, limited security budgets, and no clear plan for what to do when something goes wrong.
If your business operates in the West Midlands and you've never mapped out a cyber breach response, this guide is for you. Below is a practical, honest timeline of what happens after a cyber attack, and what you should do at each stage.
The first hour – contain the damage
The first hour of a cyber incident is the most critical. How you respond now directly determines how difficult recovery will be later.
Do not attempt to fix it quietly. The instinct to avoid disruption is understandable, but acting without a plan at this stage can accelerate the damage significantly.
Your immediate priorities are:
- Isolate affected devices: disconnect them from the network by unplugging ethernet cables or disabling the network adapter. Do not simply switch them off, as this can destroy forensic evidence needed later.
- Contact your IT provider or MSP: if you have a managed IT support provider in the West Midlands, call them immediately. A good MSP will have a cyber incident response process in place and can begin damage assessment while you focus on the business.
- Do not use affected systems: avoid logging into compromised accounts or attempting to delete files until a professional has assessed the situation.
If you don't have an IT support provider, this is the moment most businesses wish they did.
Hours 2-24 – assess, report and communicate
Once the immediate threat is contained, your focus shifts to legal obligations and internal communication.
Reporting to the ICO: Under UK GDPR, if personal data has been compromised, you are legally required to report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. This applies to the vast majority of cyber incidents affecting UK businesses.
Your report should include:
- The nature of the breach
- The number of individuals and devices affected
- The data categories involved
- The measures taken so far in response
Failure to report within 72 hours can result in significant fines on top of the damage already caused by the breach itself.
Internal communication: Notify senior leadership immediately. Identify which clients, suppliers or partners may have had their data affected, and communicate with them directly. Transparency at this stage is essential. Businesses that communicate clearly and quickly after a breach consistently suffer less long-term reputational damage than those that don't.
Days 2–7 – understand what was taken and how they got in
This is the forensic stage, and it's where having a managed cyber security provider in the West Midlands becomes critical for most SMEs.
A thorough cyber security investigation will establish:
- The attack vector (how the breach occurred)
- Which systems and data were compromised
- Whether the threat has been fully removed from your network
- Whether any backdoors or persistent threats remain
This stage often involves a full network security audit and vulnerability assessment. Without it, businesses risk rebuilding on compromised foundations and facing a second incident within months.
Supply chain risk is also worth examining here. If a third-party supplier had access to your systems, their security posture needs to be reviewed as part of your investigation.
Week 2 onwards – recovery and rebuilding
With a clear picture of what went wrong, recovery can begin. But rebuilding your systems is only half the work. The other half is ensuring the same vulnerabilities can't be exploited again.
Key areas to address:
- Multi-Factor Authentication (MFA): implement across all accounts and systems if not already in place
- Patching: ensure all devices and software are fully up to date
- Access controls: review who has access to sensitive data and remove any unnecessary permissions
- Staff training: human error remains the leading cause of cyber breaches in UK businesses. A single phishing awareness session can significantly reduce your risk exposure.
- Supplier security review: ensure third parties with access to your systems meet a minimum security standard
When factoring in downtime, reputational damage, client loss, and regulatory fines, the cost of recovery almost always exceeds the cost of prevention. For UK SMEs, the average cost of a cyber incident runs into tens of thousands of pounds. A proactive cyber security strategy is not an overhead; it is a business investment.
The lesson most SMEs learn too late – have a plan before you need it
A cyber incident response plan does not need to be complex. But having clear, documented steps to follow in an emergency can be the difference between a contained incident and a business-threatening crisis.
At a minimum, your plan should cover who to contact, how to isolate affected systems, your legal reporting obligations, and how to communicate with clients and stakeholders. Ideally, it should be built and tested with the support of a managed IT partner before you ever need it.
How Vibrant Networks can help
At Vibrant Networks, we work with SMEs across the West Midlands to build proactive cyber security strategies, so that if an incident does occur, you're never starting from zero.
We offer a free IT and cyber security review for businesses across the West Midlands and beyond. No obligation, no jargon, just an honest assessment of where you stand and what you can do to reduce your risk.
Call 01922 612387 to arrange your free review, or explore our IT support case studies to see how we've helped businesses like yours.












