Skip to main content

Is Your Business Ready for a Cyber Attack?

Media Securely Share Passwords with Employees?

Would You Know What to Do If Your Systems Were Compromised Today?

Most businesses take steps to prevent cyber attacks.

They may use antivirus software, firewalls, multifactor authentication and cloud backups. These controls are important, but prevention is only one part of cyber security.

No organisation can guarantee that every attack will be stopped.

An employee could enter their password into a convincing phishing website. An unpatched application could be exploited, or a trusted supplier could suffer a security breach that affects your systems.

The real question is not only:

Can we prevent a cyber attack?

It is also:

Would we recognise an attack, contain it and recover from it?

A business that has prepared can make decisions quickly, limit the damage and begin restoring essential services.

A business without a plan may lose valuable time trying to work out who to contact, which systems to disconnect and whether its backups can be trusted.

The National Cyber Security Centre advises organisations to plan their response in advance because early detection and a quick, coordinated response can reduce the financial, operational and reputational impact of an incident.

What is a cyber attack?

A cyber attack is a deliberate attempt to gain unauthorised access to systems, information or online accounts.

The attacker may want to:

  • Steal confidential information
  • Commit financial fraud
  • Disrupt business operations
  • Encrypt files with ransomware
  • Access customer systems
  • Send phishing messages
  • Take control of Microsoft 365
  • Damage or delete information
  • Extort the organisation
  • Use its systems to attack other businesses

Not every cyber attack immediately causes computers to stop working.

An attacker may remain inside an environment for days or weeks while searching for information, increasing their access and identifying the systems that would cause the greatest disruption.

By the time ransomware appears or fraudulent emails are discovered, the original compromise may have happened much earlier.

This is why businesses need both preventative security and active monitoring.

Cyber security is not only an IT problem

A serious cyber attack can affect the whole organisation.

It may involve:

  • Senior management
  • IT support
  • Cyber security specialists
  • Employees
  • Customers
  • Suppliers
  • Insurers
  • Legal advisers
  • Data-protection personnel
  • Public-relations teams
  • Regulators
  • Law enforcement

Important commercial and legal decisions may need to be made quickly.

For example:

  • Should affected computers be disconnected?
  • Can the business continue operating?
  • Has personal information been exposed?
  • Should customers be informed?
  • Who is authorised to speak publicly?
  • Is the backup environment safe?
  • Which services should be restored first?
  • Does the cyber insurer need to approve specialist assistance?

These decisions should not be left entirely to one IT employee during an emergency.

Senior management should understand the cyber incident plan and know which decisions they may need to make.

1. Do you know which systems need protecting?

You cannot properly protect or recover systems you do not know exist.

A business should maintain a current record of its important technology, including:

The inventory should also identify which systems hold important or sensitive information.

For example, customer records may be stored across Microsoft 365, an accounting application, a CRM platform and employee laptops.

The organisation should know who owns each system, who supports it and how it would be recovered.

Without this information, an overlooked device, old account or forgotten cloud application could provide an attacker with an unexpected route into the business.

2. Have you identified your most important services?

Not every system has the same importance.

A marketing archive may be able to remain unavailable for several days. The application used to process customer orders may need to return within hours.

Your business should identify:

  • Which systems are essential
  • How long each system can be unavailable
  • How much recent information can be lost
  • Which services depend on one another
  • Which employees need access first
  • Which suppliers are required for recovery

This helps determine the order in which services should be restored.

The NCSC advises that incident and recovery plans should prioritise essential business functions and the systems and information required to support them.

Without clear priorities, valuable time may be spent restoring a low-impact system while employees remain unable to use a critical application.

3. Are important accounts protected with multifactor authentication?

Passwords can be stolen through phishing, malware, password reuse and data breaches.

Multifactor authentication, normally shortened to MFA, requires an additional verification method before access is granted.

MFA should be applied to important systems such as:

CISA recommends requiring MFA because it adds an additional security layer beyond passwords and can stop stolen credentials from immediately becoming a successful compromise.

The business should also consider the quality of the authentication method.

Employees should be trained never to approve an unexpected authentication request. Repeated approval prompts may indicate that an attacker already knows the user’s password.

Sensitive administrator accounts may require phishing-resistant authentication, such as a security key or passkey.

4. Do too many people have administrator access?

Administrator accounts can make significant changes to computers, cloud services and security systems.

An administrator may be able to:

  • Install software
  • Disable security controls
  • Create accounts
  • Reset passwords
  • Change permissions
  • Access confidential information
  • Delete backups
  • Alter security policies

If a powerful administrator account is compromised, the attacker may gain far more access than they would through a normal employee account.

Businesses should apply the principle of least privilege.

This means giving each person only the permissions they genuinely need.

Administrator access should be:

  • Assigned to named individuals
  • Protected with strong MFA
  • Separate from everyday email accounts
  • Regularly reviewed
  • Removed when no longer required
  • Monitored for unusual activity

Shared administrator passwords make it difficult to establish who completed a particular action and should be avoided wherever possible.

Former employees and suppliers should not retain access simply because nobody remembered to remove them.

5. Are computers and applications kept updated?

Cyber criminals frequently exploit known software vulnerabilities.

In many cases, a security update is already available, but the affected organisation has not installed it.

Update management should cover more than Windows computers.

It may need to include:

  • Windows and macOS
  • Servers
  • Mobile devices
  • Microsoft applications
  • Third-party software
  • Firewalls
  • VPN appliances
  • Routers and switches
  • Backup systems
  • Website platforms
  • Firmware
  • Remote-access tools

The business should be able to identify which devices are missing updates and why.

Unsupported systems are particularly risky because the manufacturer may no longer provide security fixes.

Older applications may sometimes need to remain in use for operational reasons. Where this happens, the risk should be formally documented and reduced through measures such as isolation, restricted access or replacement planning.

6. Are your devices centrally managed?

It is difficult to maintain consistent security when every employee controls their own computer.

Central device management can help the business enforce requirements such as:

  • Disk encryption
  • Antivirus protection
  • Firewall settings
  • Security updates
  • Screen locking
  • Approved applications
  • Password or PIN standards
  • USB restrictions
  • Device compliance

Platforms such as Microsoft Intune can also help identify devices that have stopped reporting or no longer meet the organisation’s requirements.

Conditional Access can then restrict access to Microsoft 365 when a device is unknown, unmanaged or non-compliant.

This changes the security decision from:

Does the user know the correct password?

to:

Is the user properly authenticated, and are they using a trusted device?

7. Are personal devices controlled?

Employees may access company information from personal laptops, phones and tablets.

The business may not know whether those devices:

  • Receive security updates
  • Use encryption
  • Have suitable antivirus protection
  • Are shared with other people
  • Contain malicious software
  • Save company information locally
  • Remain accessible after the employee leaves

Organisations should decide whether personal devices will be:

  • Completely blocked
  • Enrolled and managed
  • Limited to browser-only access
  • Allowed to use protected mobile applications
  • Restricted from downloading files

The correct approach will depend on the sensitivity of the information and how employees need to work.

The important thing is that personal-device access should be a deliberate business decision rather than something that happens simply because Microsoft 365 permits it.

8. Would you know that an attack was happening?

Security software can generate warnings when it identifies suspicious activity.

Possible warning signs include:

  • An unusual Microsoft 365 login
  • A new administrator account
  • Security software being disabled
  • A suspicious PowerShell command
  • Large numbers of files being changed
  • A mailbox-forwarding rule being created
  • An employee receiving repeated MFA prompts
  • An unknown application accessing company information
  • Backup recovery points being deleted
  • A device connecting to a malicious internet address

These warnings provide limited protection when nobody reviews them.

A business should know:

  • Which systems produce security alerts
  • Who receives them
  • Whether they are monitored outside office hours
  • How quickly they are investigated
  • What actions can be taken
  • Who is contacted during an emergency

Cyber criminals do not restrict their activity to normal working hours.

An attack that begins on Friday evening may remain unnoticed until employees return on Monday unless security events are actively monitored.

9. Do you have tested and protected backups?

Backups are essential, particularly during ransomware, accidental deletion and system failure.

However, a backup is useful only when it:

  • Includes the required information
  • Completes successfully
  • Cannot easily be deleted by an attacker
  • Is retained for long enough
  • Can be restored within an acceptable time
  • Has been tested
  • Is free from malware

The NCSC advises businesses not to rely solely on the recovery features built into an online service for critical information. It recommends keeping an independent copy in another safe location or service.

This applies to cloud systems such as Microsoft 365 as well as traditional servers.

Could an attacker delete your backups?

Ransomware groups often search for backup systems before encrypting the main environment.

If the same administrator account controls the network and backup platform, compromising that account could allow the attacker to destroy both the original information and the recovery copies.

Ransomware-resistant backup controls may include:

  • Separate administrator accounts
  • Multifactor authentication
  • Immutable recovery points
  • Delayed or protected deletion
  • Offline or isolated copies
  • Restricted permissions
  • Monitoring of destructive changes
  • Multiple backup locations

The NCSC’s ransomware-resistant backup guidance recommends making it possible to isolate the backup solution and protecting it from unauthorised or destructive access.

Have you tested a full recovery?

A successful backup email does not prove that an entire business system can be restored.

A recovery test may reveal:

  • Missing application data
  • Incorrect passwords
  • Damaged backup files
  • Slow download speeds
  • Missing software licences
  • Outdated instructions
  • Incompatible replacement hardware
  • Unrealistic recovery expectations

CISA advises organisations to perform and test backups, noting that incomplete or damaged backups may leave ransomware victims unable to recover.

The test should measure how long recovery actually takes rather than relying only on an estimated figure.

10. Do you have a written incident response plan?

An incident response plan explains what the organisation will do when a cyber incident is suspected or confirmed.

It should be practical enough to use during a stressful situation.

The plan may include:

  • How employees report an incident
  • Who leads the response
  • Who can authorise systems to be disconnected
  • Which IT and security providers should be contacted
  • How evidence will be preserved
  • Who contacts the insurer
  • Who assesses legal and regulatory duties
  • How customers and employees will be informed
  • Which systems should be restored first
  • How decisions will be recorded
  • How the business will continue operating

NIST defines an incident response plan as a predetermined set of instructions for detecting, responding to and limiting the consequences of a malicious cyber attack.

The plan should be available even when normal systems are inaccessible.

Storing the only copy inside a SharePoint site or server that becomes unavailable during the incident could make the plan impossible to use.

Maintain a protected offline or independently accessible copy of:

  • The response plan
  • Important telephone numbers
  • Supplier details
  • Insurance information
  • Recovery instructions
  • Key decision-makers’ contact information


11. Do employees know how to report suspicious activity?

Employees often notice the first signs of an attack.

They may see:

  • An unusual login warning
  • A suspicious email
  • An unexpected MFA request
  • Files changing names
  • A ransom message
  • Security software being disabled
  • A device behaving unusually
  • Messages sent from their account that they did not create

Employees should know exactly how to report these events.

They should also understand that a suspected cyber incident should be reported immediately rather than waiting to see whether the problem disappears.

The reporting process should be simple and should include an alternative method when email or Microsoft Teams is unavailable.

Employees should not fear being blamed for making a mistake.

An employee who reports a malicious attachment immediately gives the security team a much better chance of containing the attack.

12. Are your external suppliers included in the plan?

Your business may depend on external providers for:

  • IT support
  • Microsoft 365
  • Internet connectivity
  • Telephone services
  • Cloud applications
  • Website hosting
  • Backups
  • Cyber security
  • Payment processing
  • Specialist software

A cyber incident affecting one of these suppliers could disrupt your organisation even when your own systems have not been directly compromised.

Your response plan should record:

  • Which suppliers support critical systems
  • How they can be contacted urgently
  • Their support hours
  • Their incident-response responsibilities
  • Their escalation process
  • Your contractual notification requirements
  • Available alternatives or workarounds

You should also understand how your IT and security providers protect their privileged access to your systems.

An outsourced provider may hold administrator permissions across Microsoft 365, computers, servers, firewalls and backups. Their access should be protected with MFA, individual accounts, restricted permissions and security monitoring.

13. Have you planned how the business will continue operating?

Recovering technology can take time.

The organisation should consider how it will continue providing essential services while systems are unavailable.

Possible arrangements may include:

  • Employees working from another location
  • Using temporary laptops
  • Diverting telephone calls
  • Processing urgent work manually
  • Using a backup internet connection
  • Accessing a disaster recovery environment
  • Prioritising selected customers or services
  • Using alternative suppliers
  • Communicating through a separate platform

These arrangements form part of business continuity.

Disaster recovery focuses primarily on restoring technology and information. Business continuity considers how the wider organisation will continue operating during the disruption.

The two plans should support one another.

14. Do you understand your legal and regulatory responsibilities?

A cyber attack may also create a personal data breach.

The business may need to determine:

  • Which information was affected
  • Whether it was accessed or stolen
  • Which individuals are at risk
  • Whether the ICO must be notified
  • Whether affected people should be informed
  • Whether contractual partners must be contacted
  • Whether an industry regulator must be notified

Under UK data-protection law, a notifiable personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. The organisation should not wait until every technical detail is known before beginning its assessment.

Not every cyber incident must be reported to the ICO.

However, the business should document its risk assessment and the reasons behind its decision.

Contact details for legal advisers, data-protection personnel and insurers should be recorded before an incident occurs.

15. Is your cyber insurance information available?

Cyber insurance may provide access to:

  • Incident-response specialists
  • Legal advisers
  • Forensic investigators
  • Data-breach support
  • Public-relations assistance
  • Business interruption cover
  • Recovery expenses

However, policies contain conditions and exclusions.

The business should understand:

  • Which incidents are covered
  • Who must be contacted first
  • Whether the insurer must approve external specialists
  • Which security controls are required
  • Whether ransom payments are covered
  • What records will be needed
  • Which response costs are excluded

Insurance details should be stored somewhere that remains accessible when normal systems are unavailable.

Cyber insurance can support recovery, but it cannot replace effective security controls and a tested incident plan.

16. Have you practised your response?

A plan that has never been exercised may contain serious gaps.

A tabletop exercise allows the business to practise its response without disrupting real systems.

For example:

It is 8am on Monday. Employees cannot open shared files, several computers display a ransom note and a criminal group claims to have stolen customer information. What happens next?

Participants should discuss:

  • Who takes control?
  • Who contacts IT support?
  • Should the network be disconnected?
  • How will employees communicate?
  • Can backups be trusted?
  • Which services should be restored first?
  • Who contacts the insurer?
  • Does the ICO need to be notified?
  • What should customers be told?
  • How will decisions be recorded?

NIST’s current incident-response guidance treats preparation, detection, response and recovery as connected parts of wider cyber risk management. Exercising the plan can improve the speed and effectiveness of the real response.

Exercises commonly reveal missing telephone numbers, unclear responsibilities and assumptions about recovery that have never been tested.

The plan should be updated after every exercise and real incident.

What should you do during the first few minutes?

The correct response will depend on the type and scale of the incident.

However, the early priorities will normally include:

  • Report the incident immediately.
  • Contact your IT support or cyber security provider using the agreed emergency method.
  • Contain affected devices.
  • Disconnect suspected devices from wired, wireless and mobile networks where appropriate.
  • Do not destroy evidence.
  • Avoid wiping computers, deleting logs or making uncontrolled changes before the incident has been assessed.
  • Protect important accounts.
  • Reset or disable compromised accounts and revoke active sessions through a controlled process.
  • Establish secure communication.
  • Use an alternative method if normal email or Teams accounts may be compromised.
  • Record decisions and actions.
  • Note what happened, who was contacted and which changes were made.
  • Contact relevant specialists.
  • This may include security responders, insurers, legal advisers and data-protection personnel.
  • Check backups before restoration.
  • Do not reconnect backups to an environment that may still contain an active attacker.

During ransomware, the NCSC advises disconnecting infected devices, contacting technical support, checking that backups and restoration devices are clean, and rebuilding affected systems through a controlled process.

At Hamilton Group, we aim to make first contact on IT support requests within 15 minutes. Serious security concerns should also be reported by telephone so they can be identified and escalated appropriately.

What should you avoid doing?

During a suspected cyber attack, avoid:

  • Continuing to use a visibly infected computer
  • Connecting backup drives to affected systems
  • Paying a ransom without specialist advice
  • Deleting suspicious files before evidence is collected
  • Communicating sensitive details through compromised email
  • Making public statements without agreement
  • Resetting every password without a coordinated plan
  • Reconnecting devices before they have been checked
  • Assuming the attack is over because systems appear to work
  • Concealing the incident from senior management

A hurried but uncoordinated response can cause additional damage or remove evidence needed to understand the attack.

The response should be fast, but it should also be controlled.

Warning signs that your business may not be ready

Your organisation may not be prepared if:

  • Nobody monitors security alerts
  • Backups have never been restored
  • The incident plan exists only in someone’s head
  • Employees do not know who to contact
  • One person holds all administrator passwords
  • Former employees still have active accounts
  • Important systems use unsupported software
  • Personal devices have unrestricted access
  • The same account manages both production systems and backups
  • There is no alternative communication method
  • Senior management has never discussed a cyber incident
  • Nobody knows which systems should be restored first
  • Supplier contact details are out of date
  • Cyber insurance requirements have not been reviewed
  • The business assumes Microsoft 365 automatically protects and backs up everything

Any one of these issues could make recovery slower and more expensive.

A simple cyber attack readiness checklist

Your business should be able to answer yes to the following questions:

  • Do we know which systems and information are most important?
  • Are important accounts protected with MFA?
  • Is administrator access restricted and regularly reviewed?
  • Are computers, servers and applications kept updated?
  • Are company devices centrally managed?
  • Is access from personal devices controlled?
  • Are endpoint, email and identity security alerts monitored?
  • Are backups independent, protected and regularly tested?
  • Do we have a written incident response plan?
  • Can we access the plan when normal systems are offline?
  • Do employees know how to report an incident?
  • Are critical suppliers included in the plan?
  • Do we know how the business will continue operating?
  • Are legal, insurance and regulatory contacts documented?
  • Have we practised our response through an exercise?

A “no” answer does not necessarily mean the business has no protection.

It identifies an area that should be improved before a real incident exposes the gap.

Can every cyber attack be prevented?

No organisation can remove every cyber risk.

Even businesses with strong security can face:

  • Previously unknown vulnerabilities
  • Sophisticated phishing
  • Supplier compromises
  • Malicious insiders
  • Stolen authenticated sessions
  • Human mistakes

Readiness is therefore about reducing both the likelihood and impact of an attack.

A resilient business creates several layers of protection:

  • Email security may block the phishing message.
  • Employee training may identify it.
  • MFA may stop the stolen password.
  • Conditional Access may block the unknown device.
  • Endpoint protection may detect malicious activity.
  • Monitoring may alert the security team.
  • Network controls may limit the spread.
  • Protected backups may support recovery.
  • A tested response plan may reduce confusion and downtime.

No single layer must be perfect when the remaining controls can identify, contain or recover from the failure.

How can Hamilton Group help?

At Hamilton Group, we help businesses prevent, detect and recover from cyber attacks.

We can assist with:

  • Cyber security readiness assessments
  • Microsoft 365 security reviews
  • Microsoft Defender for Business
  • Microsoft Defender for Office 365
  • Microsoft Intune
  • Conditional Access
  • Multifactor authentication
  • Administrator access reviews
  • Managed detection and response
  • 24/7 cyber security monitoring
  • Email security
  • Firewall and network security
  • Vulnerability and update management
  • Ransomware-resistant backups
  • Microsoft 365 backup
  • Disaster recovery
  • Incident response planning
  • Recovery testing
  • Cyber Essentials preparation
  • Employee cyber security training

We can review your existing environment and help answer important questions such as:

  • Would we know if an attacker accessed Microsoft 365 tonight?
  • Who would respond to a security alert?
  • Can an attacker delete our backups?
  • How quickly could our essential systems be restored?
  • Who would lead the incident?
  • Do employees know what to do?
  • Are our recovery expectations realistic?
  • Could the business continue operating while systems are unavailable?

Being ready for a cyber attack does not mean expecting your security to fail.

It means recognising that preparation can make the difference between a contained incident and a complete business crisis.

Contact Hamilton Group to arrange a cyber security readiness review and make sure your organisation is prepared before an attack occurs.

Call us on 0330 043 0069 or book an appointment with one of our experts.