Back to Blog
17 Feb 2023

Ten operational clean-ups after a cyber attack

Operations Managers are responsible for the day-to-day running of an organisation. Cyber attacks cause disruption. So while Ops may not action the technical response, they are responsible for employees, customer service and compliance during recovery.

The response and recovery after a cyber attack must be a joint effort between the IT and Operations departments. When we asked over 120 IT leaders, “Cyber attacks on my organisation are an issue because…” their view was that disruption to operations was the most significant issue (42%). So it appears IT and Operations can agree on the damage.

The role of the Operations Manager typically includes staff training which can consist of post-attack cyber awareness. In addition, they will be responsible for providing continued service and reassurance to customers and managing the impact on compliance.

That’s a lot of responsibility. To help, we have identified 10 procedures to follow in the clean-up after a cyber incident.

1. Isolate the affected systems

The first step in the recovery process is to isolate the affected systems to prevent the attack from spreading to other parts of the network.

2. Identify the scope and impact of the attack

Once the systems have been isolated, the IT team should identify the scope and impact of the attack. This will help them understand the extent of the damage and determine the appropriate course of action and identify any data that has been compromised.

3. Determine the cause of the attack

It is essential to determine the cause of the attack to prevent similar attacks in the future. This will involve conducting a thorough investigation of the affected systems to identify any vulnerabilities that were exploited.

4. Remove the malware or other malicious software

The IT team will need to remove any malware or other malicious software installed during the attack.

5. Report the incident

The operations team should report the attack to the relevant authorities, such as the local police, cybercrime agencies, and the Information Commissioner’s Office.

There is a legal responsibility under UK data laws to report any data breach within 72 hours of it being discovered. More details at UK GDPR data breach reporting (DPA 2018).

6. Communicate with affected parties

The operations manager should communicate with clients and customers, informing them of the breach and any potential impact on their personal data.

7. Restore data and systems

Once the malware has been removed, the IT team will need to restore any data and systems affected by the attack.

8. Implement security measures to prevent future attacks

Finally, the IT team should implement security measures to prevent future attacks. This may include updating software, installing security patches or additional firewalls and implementing new security protocols.

9. Conduct regular security audits

Consider conducting regular security audits to identify any vulnerabilities and take action to mitigate them.

10. Train staff

Regular cybersecurity training should already be part of an organisation’s defence. Don’t just train them during their induction and then forget it. Cyber attacks constantly evolve, and employees and contractors must be aware of best practices to prevent future breaches.

In summary, recovering from a cyber attack requires a multi-faceted approach that requires cooperation between IT and Operations. The team must assess the damage, isolate infected systems, strengthen security, train staff, plus inform customers and the authorities. Early warning of attacks and fast response is essential, and cybersecurity training needs to be engaging and up-to-date.


Graham Smith

By Graham Smith