Cyber Essentials scheme
Different types of cyber crime
Understand the common ways cyber criminals may target your business, how attacks work and their effects on you.
Cyber attacks range from malware and phishing to hacking and ransomware. Some types of attacks are more effective than others, but all present a significant - and increasingly unavoidable - business risk.
In order to reduce that risk, it helps to understand the different cyber threats you may face and the various ways criminals might try to cause harm to your business.
Common cyber security threats
The most likely threats to your business include:
- cyber fraud - including phishing, spear phishing, vishing and whaling
- malware attacks - including viruses, worms, trojans, spyware and rootkits
- ransomware
- drive-by downloads
- hacking - including distributed denial-of-service attacks (DDoS), keylogging, etc
- password decryption
- out-of-date, unpatched software
Criminals use multiple routes, including web links, email and files, to exploit weaknesses in your business systems, networks or processes.
Human error
Many breaches result from mistakes, not malicious hacks. Examples include staff inadvertently sending information to the wrong person, losing paperwork or failing to redact personal data.
What is a cyber attack?
A cyber attack is a deliberate, malicious attempt by a third party to damage, disrupt or alter:
- computer networks
- computer information systems
- computer or network infrastructure
- personal computer devices
There are many reasons behind cyber attacks. Criminals want to steal money, financial data or sensitive information. They may also want to disrupt operations or damage trust in your business. These attacks often lead to crimes such as financial fraud, information or identity theft.
Examples of cyber attacks
Cyber attackers use many tactics to target IT systems. The most common methods are:
- remote access to IT systems or websites
- unauthorised entry to networks or systems, or third-party services (eg hosted services)
- system infiltration or damage through malware
- disruption or denial-of-service to block access to your network or systems
Attacks may be targeted (specific to your business) or un-targeted (mass campaigns directed at as many devices, services and users as possible).
Read the National Cyber Security Centre's (NCSC) guidance to find out how cyber attacks work.
Can you avoid cyber attack?
You can prevent many attacks by following the steps recommended in the UK government's Cyber Essentials scheme. You can also use the NCSC's free tools and resources, including:
- their Cyber Health Check to scan your public-facing IT for common vulnerabilities
- their Cyber Action Plan for personalised steps to improve security
Keep in mind that even strong defences cannot stop every attack. If one happens, learn how to report a cyber crime.
Source URL
/content/different-types-cyber-crime
Reasons behind cyber attacks
Find out why cyber criminals target businesses and what assets (financial or otherwise) may be at risk from attacks.
Every business has assets criminals want to exploit – this is just as true for small businesses as it is for large companies and organisations. Understanding the common motives behind attacks will help you better understand the risks, and enable you to prioritise your defences.
Why do cyber attacks happen?
Most often, cyber attacks happen because criminals want:
- your business financial details
- customers' payment information (eg credit card data)
- sensitive personal data
- email addresses and login credentials
- customer or client databases
- IT infrastructure and services (eg the ability to accept online payments)
- intellectual property (eg trade secrets or product designs)
Most attacks are deliberate and aim for financial gain. Others stem from:
- hacktivism - making a social or political point
- espionage - eg spying on competitors for unfair advantage
- intellectual challenge - eg 'white hat' hacking
Types of cyber attackers: insiders and outsiders
Threats can originate inside or outside your organisation.
Insiders
Anyone with physical or remote access to your business assets can create cyber risk. For example:
- trusted employees who misplace information by accident
- careless employees who ignore policies and procedures
- disgruntled employees or ex-employees who want to harm your business
- malicious insiders with legitimate access to key systems and data
Business partners, clients, suppliers and contractors can also pose insider threats to cyber security.
Outsiders
External cyber security threats come from a variety of sources, including:
- organised crime groups
- professional hackers - malicious or state-sponsored
- amateur hackers - sometimes known as 'script kiddies'
Understanding where the threats come from will help you focus cyber risk management and allow you to prioritise your defences and tailor staff training to common tactics. It can also help predict the type of damage and plan your responses more effectively.
Why is cyber security important?
Cyber crime disrupts operations, causes financial loss and damages reputation. It can also trigger:
- regulatory fines or negligence claims
- breaches of contracts
- loss of trust among customers and suppliers
Read more about the potential impact of cyber attack on your business.
To strengthen your defence, stay informed using the National Cyber Security Centre's (NCSC) cyber threat alerts and sign up for their free Early Warning Service to get notifications of threats to your network as soon as possible.
Source URL
/content/reasons-behind-cyber-attacks
Impact of cyber attack on your business
Understand the impact of cyber attacks on your business and your finances, reputation and consumer confidence.
A cyber attack can disrupt your business and cause lasting harm. Impacts can be broadly divided into three categories: financial, reputational and legal.
Economic cost of cyber attack
Cyber attacks often lead to substantial financial loss arising from:
- theft of corporate information
- theft of financial information (eg bank details or payment card details)
- theft of money
- disruption to trading (eg inability to carry out transactions online)
- loss of business or contract
- recovery costs associated with repairing systems, networks and devices
The UK Cyber Security Breaches Survey 2025 shows that 43% of businesses and 30% of charities experienced breaches in the past 12 months. Medium and large businesses, and high-income charities, faced higher rates of breaches. The average cost of the worst breach was £1,600 for businesses and £3,240 for charities. Excluding zero-cost cases, the average cost rose to £3,550 for businesses and £8,690 for charities.
Reputational damage
Customers expect secure handling of their data. Cyber breaches damage your reputation and erode trust, leading to:
- loss of customers
- loss of sales and profits
- strained supplier, investor or partner relationships
Legal consequences of a cyber breach
Data protection and privacy laws require you to secure all personal data you hold. Failure to do so can result in fines and regulatory sanctions from the Information Commissioner's Office (ICO).
Minimise the impact of cyber attacks on businesses
Assess and manage cyber risks before they happen.
You can use the National Cyber Security Centre's (NCSC) free Check your cyber security service to find vulnerabilities in your public-facing IT. You can also get a tailored Cyber Action Plan by answering a few quick questions.
After an attack, follow your cyber security incident response plan to limit damage, report incidents, clean up your systems, and restore operations in the shortest time possible. Invest in regular staff training, education and awareness on cyber security to safeguard your business.
Source URL
/content/impact-cyber-attack-your-business
Cyber security risk management
Assess and manage cyber risks, create security policies and practices, and consider cyber insurance for your business.
Cyber security protects your systems, networks and data from digital threats. It uses a range of practices to reduce risks, prevent attacks and block unauthorised access.
What is cyber risk?
Cyber risk refers to any risk of financial loss, disruption or damage to your business from:
- online activities or trading
- failures of your IT systems and networks
- personal data use and storage
Cyber risk affects any business using digital technology - see what is IT risk.
Cyber risk assessment
A cyber risk assessment helps you identify and manage potential cyber threats arising from people, processes and technologies, and vulnerabilities within your systems.
UK law, including UK General Data Protection Regulation (UK GDPR), requires businesses to assess cyber risks, especially if they handle personal data. It also supports schemes like Cyber Essentials. Regular assessments keep your defences up to date as threats change.
How to assess cyber risk?
A cyber risk assessment involves checking what could go wrong, how likely it is and what the impact would be, so you can take steps to reduce those risks. You can do this as a one-off, or periodically. Typically, you will want to:
- Identify your assets: List computers, data, software and services that matter to your business.
- Spot threats and vulnerabilities: Look for risks like phishing, weak passwords or outdated software.
- Analyse the risks: Rate each by likelihood (low, medium, high) and impact (financial loss, downtime, reputational damage). Use standard IT risk assessment methodology to prioritise high-likelihood, high-impact risks.
- Decide on actions: Prioritise and roll out fixes, such as staff training or software updates.
- Document and review: Record everything and check again every six to 12 months, or after big changes.
Use the National Cyber Security Centre's (NCSC) tools for a structured approach:
- Check your cyber security service to scan for vulnerabilities
- 'Exercise in a Box' tool to test resilience
Cyber risk management
Cyber risk management is an ongoing cycle of handling cyber risks, and acting on risks long-term. It involves several key steps, including:
- risk analysis - identify threats to your business
- risk strategy - decide on processes and controls your business needs
- implementation - deploy risk solutions
- risk training - educate staff about their role in managing risks
- monitoring - review and test the effectiveness of your measures
- risk transfer - consider insuring against cyber risks and plan contingencies
Follow proven IT risk management processes to build resilience. This helps you prevent, detect and respond to cyber threats in a way that minimises business disruption and financial loss.
What is cyber risk insurance?
Cyber risk insurance (also called cyber insurance) covers your business's direct financial losses from cyber attacks, such as data breaches and ransomware. It is considered first-party insurance. It helps pay for recovery costs like:
- breach investigations
- data and system restoration
- incident response
- professional fees
- business interruptions (for example, downtime)
Cyber liability insurance covers your legal responsibilities to others from cyber incidents (third-party insurance). It pays for claims made by regulators or customers if their data is compromised, and typically includes:
- customer notifications and credit monitoring
- legal defence costs - including fees and settlements from privacy lawsuits
- fines under UK GDPR or other regulatory penalties
Most cyber insurance policies bundle both types for full protection. Some offer them separately, so check terms for overlap or gaps. Some policies may also cover you against things like extortion, electronic theft or intellectual property infringement.
Always check exclusions and requirements, such as holding Cyber Essentials certification. Premiums may depend on your business size, sector and the security measures you have in place, so review policy details carefully before buying. See more on cyber insurance.
Source URL
/content/cyber-security-risk-management
Cyber security breach detection
How to know if your business is under a cyber attack, and what to do to contain or control a cyber breach.
Spotting a cyber security breach is not always straightforward. Attackers often hide their activity to avoid detection and can remain undetected for months. Early detection can limit the impact of the breach on your business or customers.
How to detect a security breach
Look for warning signs that could indicate that a cyber breach or intrusion is underway. For example:
- suspicious network activity, file transfers or login attempts
- sudden password or account changes
- suspicious or encrypted files in your system
- unexpected banking transactions
- inexplicable loss of network, email or social media access
- leaked customer data or company secrets - see data breach
- unusually slow connections or network issues
- browser or antivirus warnings about infections
For websites, check for code anomalies, login failures, traffic drops, unexpected design changes or performance issues - especially those affecting availability and accessibility of your site.
See how to detect spam, malware and virus attacks.
Criminals are always developing new methods to stay ahead of defences. Stay informed on the latest threats – monitor the National Cyber Security Centre's (NCSC) cyber threat alerts or join their Early Warning Service for network alerts.
Breach detection tools
Intrusion detection systems (software or hardware) can help you monitor your network for active threats, including:
- suspicious user behaviour
- vulnerabilities in the network
- threats in applications and programs
These tools monitor for known attack patterns or unusual activity, and alert security staff to take action. This helps contain the intrusion and limits the damage. Options range from free open-source solutions to commercial packages.
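As an added illustration of what "monitoring for unusual activity" looks like in practice (this is not code from the original page or from the NCSC), the script below runs two simple detections over constructed authentication log lines: a burst of failed logins for one account from one source, which the warning-signs list above calls "suspicious login attempts", and a password change outside working hours, the "sudden password or account changes" sign. The log format, the thresholds and the working-hours window are all assumptions; a real intrusion detection system or SIEM does the same job at scale and with far more rules.

```python
"""Minimal breach-detection pass over constructed authentication log lines.

Added example, not the page's or the NCSC's code. The log line format,
thresholds and working-hours window are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# "<ISO timestamp> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-06-03T09:02:11 login_ok user=alice src=10.0.0.12
2025-06-03T09:05:40 login_fail user=bob src=203.0.113.5
2025-06-03T09:05:41 login_fail user=bob src=203.0.113.5
2025-06-03T09:05:43 login_fail user=bob src=203.0.113.5
2025-06-03T09:05:44 login_fail user=bob src=203.0.113.5
2025-06-03T09:05:46 login_fail user=bob src=203.0.113.5
2025-06-03T09:05:50 login_ok user=bob src=203.0.113.5
2025-06-03T23:41:02 password_change user=carol src=198.51.100.9
2025-06-03T11:15:00 login_ok user=dave src=10.0.0.30
"""

LINE_RE = re.compile(r"^(\S+) (\w+) user=(\S+) src=(\S+)$")

FAIL_THRESHOLD = 5               # assumed: failures in the window that count as a burst
FAIL_WINDOW = timedelta(minutes=2)
BUSINESS_HOURS = range(8, 19)    # assumed: 08:00-18:59 is normal working time


def parse_log(text):
    """Return (timestamp, event, user, src) tuples, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), event, user, src))
    return sorted(events)  # window checks below assume time order


def detect_failed_login_bursts(events):
    """Alert when one (user, src) pair reaches FAIL_THRESHOLD failures inside
    FAIL_WINDOW; record whether a successful login followed the burst."""
    alerts = []
    fails = defaultdict(list)
    for ts, event, user, src in events:
        key = (user, src)
        if event == "login_fail":
            fails[key].append(ts)
            # drop failures that have aged out of the sliding window
            fails[key] = [t for t in fails[key] if ts - t <= FAIL_WINDOW]
            if len(fails[key]) == FAIL_THRESHOLD:
                alerts.append({"type": "failed_login_burst", "user": user,
                               "src": src, "at": ts, "followed_by_success": False})
        elif event == "login_ok" and len(fails[key]) >= FAIL_THRESHOLD:
            # success right after a burst is the higher-priority sign
            for alert in alerts:
                if alert["type"] == "failed_login_burst" and (alert["user"], alert["src"]) == key:
                    alert["followed_by_success"] = True
            fails[key] = []
    return alerts


def detect_out_of_hours_account_changes(events):
    """Alert on password changes outside BUSINESS_HOURS."""
    return [{"type": "out_of_hours_account_change", "user": user, "src": src, "at": ts}
            for ts, event, user, src in events
            if event == "password_change" and ts.hour not in BUSINESS_HOURS]


def run_detection(text):
    """Run both detections and return the combined alert list."""
    events = parse_log(text)
    return detect_failed_login_bursts(events) + detect_out_of_hours_account_changes(events)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises two alerts: the five failures for "bob" from 203.0.113.5 within two minutes, marked as followed by a successful login, and the 23:41 password change for "carol". Tuning the thresholds to your own environment is what keeps such rules useful rather than noisy.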
How to contain and control cyber breach
No single tool can guarantee protection against cyber breach, making it important to develop a comprehensive cyber security incident response plan in advance. Planning helps you contain and recover from any potential breach.
Use these free NCSC resources to:
- guide your business response and recovery
- test and practise responses - 'Exercise in a Box' online tool
If you detect an intrusion or an attempted attack on your business, you should report it to the relevant authorities.
Source URL
/content/cyber-security-breach-detection
Cyber security incident response plan
How to respond to a cyber attack and develop an effective cyber incident response plan for your business.
A cyber incident response plan is essential alongside risk management and breach detection. It helps you:
- prepare for a cyber breach or intrusion
- deal with it to contain damage
- recover faster after the event
It's best to decide in advance how to handle preparation, response and follow-up.
Steps in cyber incident response
Each business handles a cyber breach differently based on its situation, but a typical response plan follows these steps.
STEP 1: Contain the breach
After detecting a breach, act fast to limit damage to your business or loss of data. To do this, you will have to:
- assess the nature and scope of the incident
- check all affected systems
- look for hidden intrusions
- reroute network traffic or block further attacks, if needed
- isolate or suspend compromised devices, networks or system areas
Occasionally, you may need to pause your network or website, despite business disruption. If the breach is limited to certain aspects of your business, keep safe services and operations running where possible.
STEP 2: Form a response team
An incident response team will usually involve:
- IT or security staff - to investigate the breach
- HR representatives - if employees are involved in the breach
- PR experts - to control and minimise brand damage
- data protection experts - if personal data has been misused, leaked or stolen
- legal adviser and/or insurer - for compliance and claims
STEP 3: Investigate and recover from the breach
Look into the circumstances of the breach to find its cause, assess its impact on your business, and plan the necessary fixes. You will typically need to:
- identify security gaps that caused the breach
- clean systems and remove ongoing threats (eg malware)
- restore systems to full operations
- deal with any internal or external involvement
- review failed security controls
- record findings
- update policies, procedures and incident response plans
This sequence matches standard cyber incident response phases: investigate, remediate, recover, and learn.
STEP 4: Meet legal and regulatory duties
As part of managing the incident, you may need to notify key parties about certain types of breach. Not all incidents need to be reported - only specific incidents trigger statutory obligations. You may need to notify:
- regulators, if personal data is lost or stolen
- affected individuals (customers, clients or suppliers), if the risk is high
- sector regulators, for breaches in critical sectors like finance or telecoms
You must notify the Information Commissioner's Office (ICO) of certain cyber breaches involving personal data under the UK General Data Protection Regulation (UK GDPR) rules. Notification is required within 72 hours if the breach poses a risk to individuals' rights and freedoms.
If your business falls under the Network and Information Systems (NIS) Regulations (as updated by the Cyber Security and Resilience Bill), you may face additional duties, including expanded incident reporting for significant disruptions. This mainly affects operators of essential services and key digital suppliers.
STEP 5: Report the incident to law enforcement
UK law treats cyber crime like any other crime. Reporting is voluntary in most cases, unless the incident triggers specific obligations to notify regulators or individuals. Reporting incidents like phishing, ransomware and denial-of-service attacks is strongly recommended to aid investigations and prevent wider harm. Find out how to report a cyber crime.
STEP 6: Manage reputation and customer relations
A cyber breach can harm your business reputation, especially if it's significant and exposed publicly (eg customer data leak). Media coverage and customer concerns often follow, so it's important to communicate quickly, openly and honestly with those affected.
If the damage to your brand and business is significant, consider hiring a crisis manager or a public relations consultant to help you work out feasible recovery strategies.
Further advice on incident planning
Use the National Cyber Security Centre's (NCSC) small business guide to response and recovery to develop or refine your plan. You can also test your approach in a safe setting with their 'Exercise in a Box' online tool.
Remember to update your full incident response plan after every incident and review it regularly (at least yearly) to stay prepared.
Source URL
/content/cyber-security-incident-response-plan
How to report a cyber crime
Find out where and how businesses can report online fraud, cyber security incidents and other types of cyber crime.
Businesses should use the Report Fraud service as the main way to report fraud and cyber crime across Northern Ireland, England and Wales. You can report specific incidents to other agencies where required - for example, technical cyber threats to the National Cyber Security Centre (NCSC), urgent local issues to local law enforcement, or data protection breaches to the Information Commissioner's Office (ICO).
If your business is affected by fraud and cyber crime
From 4 December 2025, use the Report Fraud service instead of Action Fraud to report fraud and cyber crime.
Report online
Use the Report Fraud online reporting tool to report fraud or cyber crime as an individual or organisation at any time.
Report by phone
Call Report Fraud on Tel 0300 123 2040 to speak to specialist advisers, available 24/7.
If you are a business, charity or organisation under a cyber attack, you can use the 24/7 phone service for urgent help and advice on how to manage the attack.
Reporting fraud and cyber crime in Northern Ireland
In Northern Ireland, use Report Fraud unless police action is urgently needed and you are requesting a 'call for service'. This may apply in cases of:
- ongoing crime or recent incident (in the last 24 hours)
- known local suspect
- vulnerable victim (for example, due to age)
- evidence at risk (like CCTV)
- preventing financial loss
If you are making a 'call for service' report, call 101. In an emergency, call 999. Do not use the Report Fraud service in these cases.
Reporting cyber security incidents to NCSC
For serious issues like ransomware or data breaches, you can also report to the NCSC. They offer technical support and advice, but this does not replace police or Report Fraud reports.
Reporting personal data breaches
If a data breach happens and it risks individuals’ rights and freedoms, you must notify the ICO within 72 hours. Reporting to other services like Report Fraud, PSNI or NCSC does not notify the ICO automatically. Find guidance on reporting personal data breaches.
Report suspicious emails, phone calls, text messages or websites
If you come across fraudulent emails, phone calls, messages, social media or websites, report these in the following ways.
Reporting suspicious emails
Forward suspicious emails to the NCSC at report@phishing.gov.uk. Reports help them take down harmful websites and protect others from scams.
Reporting suspicious text messages
Forward a suspicious text message to 7726. Your network provider will investigate the origin of the message and block or ban the sender, if it is found to be malicious. You can also take a screenshot or screen recording of the text message and send it to the NCSC at report@phishing.gov.uk.
If you think you have been scammed or hacked after clicking a link or responding to a text message, contact Report Fraud straight away and change your passwords.
Reporting suspicious phone calls
To report a suspicious phone call, send a text to 7726 with the word 'call' followed by the caller's number. Your provider will be able to block or ban the number if it is found to be malicious.
Reporting suspicious websites
The NCSC investigates and removes suspicious websites. If you come across a fake or suspicious site, report it to the NCSC.
Why should you report fraud and cyber crime
Reporting helps protect your business and fight wider crime. Agencies can give you containment advice, help you reduce losses, support prosecutions and strengthen national defences against fraud and cyber crime.
Source URL
/content/how-report-cyber-crime
Cyber Essentials scheme
Introduction to Cyber Essentials, a UK certification scheme that helps businesses protect themselves against cyber threats.
Cyber Essentials is a government-backed cyber security certification scheme. It helps businesses protect their IT systems using five basic technical controls to prevent common cyber attacks.
What is the Cyber Essentials standard?
Cyber Essentials sets basic cyber security standards for all organisations. It covers:
- firewall protection to block unauthorised access
- secure configuration to reduce vulnerabilities
- user access control to manage permissions
- malware protection to prevent harmful software
- security updates to keep systems patched and safe
The National Cyber Security Centre (NCSC) and IASME (the scheme operator) review these standards every year.
Two levels of Cyber Essentials certification
Under the scheme, there are two levels of certification.
1. Cyber Essentials (self-assessment)
To certify, businesses complete a questionnaire on the five key controls. A qualified assessor reviews the responses to verify the information provided. Costs start at £320 plus VAT, depending on business size. Certification lasts 12 months and must be renewed annually.
Download free self-assessment questions and apply online.
2. Cyber Essentials Plus
The higher tier certification includes self-assessment plus a technical audit of your IT systems by a qualified security assessor. Costs depend on your network size and complexity. Certification also lasts 12 months and requires annual renewal.
Get a quote for Cyber Essentials Plus certification.
Cyber Essentials requirements for IT infrastructure
Cyber Essentials requirements are updated yearly to ensure that the technical controls keep pace with current risks. Certifications starting on or after:
- 28 April 2025 - use version 3.2 of the NCSC requirements for IT infrastructure
- 27 April 2026 - use version 3.3 of the NCSC requirements for IT infrastructure
Updates adjust how you meet each of the five controls. For example, version 3.3 adds more stringent rules on cloud services (under secure configuration), multi-factor authentication (under access control), and software security. Review the latest NCSC requirements each year before certifying.
How to get Cyber Essentials certified
To certify, check your setup with the free IASME readiness tool. Based on your answers, you will receive a tailored action plan to help you prepare for certification. You can also book a free 30-minute consultation with an NCSC-assured Cyber Advisor and access IASME's Cyber Essentials guidance for more information.
If you already hold a Cyber Essentials certification and need to renew it, review updated requirements early to avoid any compliance gaps and ensure your certification stays valid.
Benefits of Cyber Essentials certification
Certification gives automatic cyber liability insurance to UK businesses with under £20 million turnover (terms apply). It also helps your business:
- reduce cyber security risk
- build trust with customers, suppliers and investors
- win more contracts and attract new business
Cyber Essentials is also mandatory for some public sector suppliers handling personal data or providing certain technical products and services. Read the government procurement policy note to find out more.
Source URL
/content/cyber-essentials-scheme