Why one page beats a forty-page binder
When ransomware locks your file server at 7am, the beautifully detailed incident response document stored on that server is worthless. Small firms do not need a binder; they need one printed page that tells a stressed person exactly what to do in the first hour, who to phone, and which deadlines are now ticking. The first sixty minutes of an incident decide most of the eventual cost, and they are precisely when people freeze.
A good one-pager has four parts: a contact block, three short playbooks for the incidents most likely to hit a small business (ransomware, account takeover and a personal data breach), the ICO reporting rules, and one line on who speaks for the company. Everything below can be adapted straight into yours.
The contact block: fill this in first
In an incident you will not have time to hunt for phone numbers, and you may not have access to your own systems. Write these down and keep the page printed at the office and at home.
- Your IT support company, including its out-of-hours number.
- Your cyber insurer's 24-hour breach hotline and your policy number. Call them before engaging any external help; most policies require you to use their approved responders.
- Your bank's fraud line. Many UK banks can be reached by dialling 159, the anti-fraud short code.
- Action Fraud on 0300 123 2040 for England, Wales and Northern Ireland, or Police Scotland on 101.
- The ICO helpline on 0303 123 1113 for breach reporting advice.
- Your accountant, key supplier contacts and anyone else who would need warning quickly.
Add a named incident lead and a deputy, so nobody has to debate who is in charge while everything is on fire.
Need a hand with this?
Our team delivers IT & Cyber Security for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →
Playbook one: ransomware
You arrive to encrypted files and a ransom note. The first actions:
- Disconnect affected machines from the network. Unplug cables and switch off Wi-Fi rather than powering everything down, and do not wipe anything.
- Photograph the ransom note on your phone, then leave it alone.
- Call your insurer and IT support before touching backups. Confirm backups are offline and clean before any restore begins.
- Do not pay or negotiate before taking advice. Payment is no guarantee of recovery, and your insurer, the NCSC and the police will all want a say.
- Report the attack to Action Fraud, and consider reporting to the NCSC, which offers practical recovery guidance.
If personal data was encrypted or stolen, the ICO clock described below is already running. Note the exact time you first became aware.
Playbook two: account takeover
Someone's email or cloud account is sending messages they did not write, or a login alert has arrived from an unfamiliar country. Business email compromise usually ends in invoice fraud, so speed matters.
- From a known-clean device, reset the account password and sign out of all active sessions.
- Check mailbox rules and forwarding settings. Attackers hide rules that divert or delete replies.
- Revoke connected apps and app passwords, and switch on multi-factor authentication if it was somehow off.
- Search sent and deleted items for fraudulent invoices or payment requests already issued in your name.
- Warn recent contacts not to act on payment instructions from that account, and phone your bank immediately if money has moved. Recalling a diverted payment is time-critical.
- Check whether the same password was reused anywhere else, and change it there too.
Playbook three: the data breach and the 72-hour clock
Under UK GDPR you must report a personal data breach to the ICO within 72 hours of becoming aware of it, where the breach is likely to pose a risk to individuals. The clock includes weekends. Not every breach is reportable; a stolen laptop that was fully encrypted may pose no risk, for instance. But every breach must be logged internally, including your reasoning if you decide not to report. The Data (Use and Access) Act reforms did not change these deadlines.
- Record what happened, when you became aware, what categories of data are involved and roughly how many people are affected.
- Record the likely consequences and what you have done to contain the breach.
- Report within 72 hours even if the picture is incomplete; the ICO accepts reports in phases.
- If the breach is high risk for individuals, you must also tell them without undue delay, in plain language.
Key Takeaway
Write one printed page with a contact block (IT support, insurer's breach hotline, bank, Action Fraud, ICO) and three short playbooks for ransomware, account takeover and data breaches. Remember the UK GDPR rule: report a risky personal data breach to the ICO within 72 hours of becoming aware, weekends included. Print it, keep a copy outside your own systems, and rehearse it twice a year with a 45-minute tabletop exercise.
Build it, print it, test it twice a year
Draft the page this week; it should take less than two hours. Then make it real:
- Name the incident lead and deputy on the page itself.
- Agree one communication rule: only the named person speaks to customers, media or social channels during an incident.
- Print copies for the office, and store a PDF somewhere the business's own systems do not control.
- Run a 45-minute tabletop walkthrough twice a year. The NCSC's free Exercise in a Box makes this easy.
- Update the page after every incident, near-miss, insurer change or staff change.
A plan you have rehearsed, even casually, turns a panicked morning into a checklist. If you would like help hardening the systems behind the plan, from backups to email security, our team can help.
