The First 24 Hours After a Breach Determine Everything

No business plans to get breached. But 43% of UK businesses experienced a cyber breach or attack in the past year (DSIT 2025), and the average time to detect one is 241 days (IBM 2025). When you do discover a breach, the actions you take in the first 24 hours determine whether it is a contained incident or a full-blown crisis.

This guide covers the practical steps to take immediately after a breach, who to contact, what to preserve, and how to recover. Whether you run an accountancy practice, a law firm, a recruitment agency, or any other professional services business, these steps apply.

Even if you never work with us, bookmark this page. Having a response plan before you need it is the single most valuable thing you can do.

Concerned your systems may already be compromised? Run a credential exposure check or call 0151 452 3060. It takes minutes and shows whether your business credentials are already circulating from known breaches.

Step 1: Isolate, Do Not Shut Down

Your first instinct may be to turn everything off. Resist it. Shutting down systems can destroy forensic evidence that is critical for understanding the breach and preventing recurrence.

Instead, isolate the affected systems from the network. Disconnect compromised devices from Wi-Fi and wired connections. Keep them powered on. This preserves logs, memory contents, and evidence trails that forensic analysis requires.

Think of it as quarantining a problem, not severing all connections.

Step 2: Contact Your IT Provider or Security Partner Immediately

This is not the time for trial and error. If you have an IT provider or managed security partner, contact them immediately. If you do not, this is exactly why having one matters.

A security specialist can assess the breach scope, identify the attack vector, and guide containment. Attempting to handle a breach internally without specialist expertise often makes the situation worse, particularly if the attacker is still active in your systems.

For professional services firms, a co-managed approach works well here. Your internal IT handles day-to-day operations while a specialist security partner handles incident response, forensics, and recovery. The time to establish that relationship is before a breach, not during one.

Step 3: Reset Credentials and Lock Down Access

Immediately reset passwords for any potentially compromised accounts, starting with admin accounts and accounts with access to sensitive data. Do not reuse previous passwords.

Enable multi-factor authentication if it is not already in place. Only 40% of UK businesses use MFA on email (DSIT 2025). If your business is in the other 60%, a breach is the moment to change that.

Apply least-privilege access: restrict permissions to only what each person needs during the investigation. This limits the attacker’s ability to move laterally if they still have access.

Already Experienced a Breach? We Can Help.

Hilt Digital provides incident response support for businesses across Liverpool, the Wirral, Chester, and the wider North West. We assess the damage, contain the threat, and help you recover.

Call 0151 452 3060 now or request an urgent assessment.

Step 4: Assess the Damage

Work with your IT provider or security partner to determine:

  • What data was accessed or stolen? Client records, financial data, personal information, intellectual property.
  • Which systems were affected? Email, file shares, cloud services, line-of-business applications.
  • How did the attacker get in? Phishing email, compromised credentials, unpatched vulnerability, supply chain compromise.
  • Is the attacker still present? Check for persistence mechanisms like scheduled tasks, new user accounts, or email forwarding rules.
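
The persistence check in the last bullet, as an added example that is not part of the original guide: a Python triage that flags new accounts, new scheduled tasks, and externally forwarding inbox rules for review. The inventory is constructed sample data, and its field names and the suspected entry time are assumptions, not the export format of any particular tool.

```python
from datetime import datetime

# Constructed sample inventory. The field names are assumptions for this
# example, not the export format of any particular tool.
INVENTORY = {
    "org_domains": {"example-firm.co.uk"},
    "accounts": [
        {"name": "j.smith", "created": "2023-04-02T09:00:00+00:00", "admin": False},
        {"name": "svc_backup2", "created": "2025-03-11T02:14:00+00:00", "admin": True},
    ],
    "scheduled_tasks": [
        {"name": "OfficeUpdate", "created": "2022-01-10T08:00:00+00:00"},
        {"name": "Updater", "created": "2025-03-11T02:20:00+00:00"},
    ],
    "inbox_rules": [
        {"mailbox": "partner@example-firm.co.uk", "name": "Newsletters", "forward_to": []},
        {"mailbox": "accounts@example-firm.co.uk", "name": ".",
         "forward_to": ["Archive@Example.NET"]},
    ],
}

def created_since(item, since):
    """True if the item was created on or after the suspected entry time."""
    return datetime.fromisoformat(item["created"]) >= since

def find_persistence(inv, since):
    """Return (kind, name, reason) findings for a responder to review."""
    findings = []
    for acct in inv["accounts"]:
        if created_since(acct, since):
            role = "admin account" if acct["admin"] else "account"
            findings.append(("account", acct["name"], f"new {role} since suspected entry"))
    for task in inv["scheduled_tasks"]:
        if created_since(task, since):
            findings.append(("task", task["name"], "scheduled task created since suspected entry"))
    for rule in inv["inbox_rules"]:
        # Forwarding rules are checked regardless of age: the real entry date
        # may be earlier than the date the breach was noticed.
        for target in rule["forward_to"]:
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in inv["org_domains"]:
                findings.append(("inbox_rule", rule["mailbox"],
                                 f"forwards mail to external domain {domain}"))
    return findings

SUSPECTED_ENTRY = datetime.fromisoformat("2025-03-10T00:00:00+00:00")  # assumed value
for finding in find_persistence(INVENTORY, SUSPECTED_ENTRY):
    print(finding)
```

Each finding is a lead for the investigation, not proof of compromise: confirm with the account owner or your security partner before removing anything, and record what was found first.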

For accountancy practices, this assessment must include whether client financial data, tax records, or HMRC credentials were exposed. For law firms, determine whether legally privileged information was accessed, as this triggers specific SRA reporting obligations.

Step 5: Notify the Right People

Under GDPR, if personal data has been compromised in a way that presents a risk to individuals, you must notify the ICO within 72 hours. This is not optional.

You also need to consider:

  • Affected clients or customers: Transparency builds trust. Hiding a breach and having it discovered later is far more damaging than honest, prompt communication.
  • Your cyber insurance provider: Many policies require notification within a specific timeframe. Delayed notification can void your cover.
  • Professional regulators: SRA for law firms, FCA for financial services, Ofsted for schools. Sector-specific reporting obligations may apply.
  • Action Fraud: Report the incident to Action Fraud (0300 123 2040) for law enforcement awareness.

Step 6: Fix the Root Cause

Containing the breach is only half the job. You need to identify and fix the vulnerability that allowed it to happen. 85% of attacks start with phishing (DSIT 2025), so the root cause is often a combination of human error and missing technical controls.

Common fixes include:

  • Implementing or enforcing MFA across all accounts
  • Applying outstanding security patches
  • Removing unnecessary admin accounts
  • Deploying advanced endpoint protection
  • Running a vulnerability assessment to identify remaining weaknesses

Step 7: Strengthen Your Defences for Next Time

A breach is a painful but effective motivator. Use it to implement the security measures that should have been in place before the incident:

  • Credential exposure monitoring: Continuous monitoring for compromised business credentials from third-party breaches.
  • Endpoint protection: Behavioural detection that catches threats traditional antivirus misses.
  • Email security: Advanced filtering that stops phishing emails before they reach your team.
  • Regular vulnerability assessments: Quarterly CREST-accredited assessments that identify weaknesses before attackers do.
  • Documented incident response plan: Update your plan based on lessons learned from this breach, and rehearse it regularly.

What to Do Next

Whether you have just experienced a breach or want to make sure you are prepared for one, here are three options:

  1. Credential exposure check – Find out immediately if your business credentials are already circulating from known breaches.
  2. Vulnerability assessment – A CREST-accredited assessment of your external security posture, identifying the weaknesses an attacker would exploit.
  3. H-Protect Complete (from GBP 89/user/month) – Comprehensive protection including endpoint security, email threat protection, credential monitoring, quarterly vulnerability scanning, and incident response support.

Request an assessment or call 0151 452 3060. We are based in Liverpool and work with businesses across the North West.