The Truth About Cyber Attack Recovery

Published Date: 6/5/25

Retail Cyber Security Attack Headline

It’s 2am. Alerts are firing. Logs are spiking. A threat has been detected, and the initial incident response is underway. Technical leads are assessing the situation, gathering evidence, beginning containment. Most of the business is still unaware that by early morning, this will be their biggest priority. The breach has already happened. The headlines haven’t… yet.

In the past week or so, a number of well-known UK retailers have been in the headlines, but for something no brand wants: cyber attacks. Co-op, M&S, Harrods. Big names. Big pressure. The public sees disruption. The media asks questions. Experts offer opinions. Then the headlines move on.

But the breach is only the part people see. The work of containment, coordination and recovery rarely makes the news.

We’ve worked with organisations referred to us during active cyber attacks, supporting them from the first signs of disruption through to expelling attackers from their systems and, finally, recovery and the shoring up of cyber defences.

Not in theory, but in practice.

We’ve seen how incidents ripple through a business, affecting not just systems, but people, communication and confidence. The immediate disruption is only the start. What follows is a complex mix of technical challenges, tough decisions and leadership under pressure.

In one recent incident, a mid-sized organisation in the professional services sector contacted us during a live ransomware attack. They weren’t a customer at the time, but they needed immediate support after several core systems were encrypted.

What stood out wasn’t perfection or control. It was composure. People stayed focused. Priorities were agreed quickly. Internal messaging was calm and consistent. The situation was difficult, but the way it was handled made all the difference.

We’ve also worked with organisations where the pressure came not from encryption or outages, but from the public eye. A company in the retail sector faced a breach that had limited technical impact but serious reputational risk. In that case, the recovery wasn’t about restoring systems. It was about managing information, communicating clearly, and moving quickly to contain uncertainty. The headlines were short-lived. The trust they preserved was not.

That’s something we’ve seen more and more. For public-facing brands, response plays out on two fronts: operational and reputational. It’s not just about getting systems back online. It’s about making confident decisions under scrutiny. Who speaks first? What do you say? What happens when customers, regulators and journalists are all watching at once?

The work that matters most often happens after the noise has died down. The breach may only dominate the news cycle for a day or two. But inside the organisation, containment and recovery can stretch for weeks or longer. Rebuilding infrastructure. Reassessing risks. Preparing for audits. Supporting teams that have worked flat out and are now navigating the emotional and operational aftermath.

This phase is quieter, but no less significant. It’s where the real resilience work begins. And it is often the point where external support makes the biggest difference.

Recovery isn’t easy. It never is. But it can be steady. And that steadiness can be the difference between a setback and a crisis.

Across the many incidents we’ve supported, we’ve seen three qualities in organisations that recover well.

First, incident response is treated as a leadership responsibility, not just an IT function.

These organisations don’t isolate cyber in the tech stack. They think about its impact across finance, legal, operations, communications, reputation and people. And they make recovery part of broader resilience planning.

Second, they’ve clarified roles and decision-making before the pressure hits.

When every minute matters, knowing who has authority and what gets prioritised is critical. Waiting for perfect information is a luxury most incidents don’t allow.

Third, they trust the people around them because they’ve built that trust before they need it.

That includes internal teams and external partners. Recovery is not something you should try to coordinate from scratch in the middle of an incident.

One of the most important truths we’ve learned is this: more technology doesn’t necessarily make recovery faster. Clarity does.

Yes, you need robust controls, monitoring and response tools. But the ability to recover well is defined by how clearly people understand what to do, how effectively they communicate, and how confident they feel taking action under pressure.

Our role isn’t just technical. It is about focus, structure and support. Sometimes we help prioritise which systems to restore first. Sometimes we help leadership prepare for difficult conversations. Often, we simply help keep momentum steady and measured when everything else feels uncertain.

This work rarely becomes public. That’s the point. A well-managed incident response and recovery should not be loud. It should be deliberate.

If you’re reading this and wondering how your own business would respond, rest assured you’re not alone. These are difficult questions, but they are best asked early. Not in a crisis. Not in the middle of a headline.

Cyber security isn’t just about keeping threats out. It is about being ready if something gets through.

The breach might make the headlines. But the response defines what happens next.

And getting that right is something we care deeply about, because that’s where leadership and preparation are tested, and where the right support makes all the difference.

My advice is simple. Make time now to check how prepared you are, and whether your people, processes and systems are ready to respond with clarity and control.

Written by:

Bob McKay

Cyber & InfoSec Director

Bob McKay is the Cyber & InfoSec Director at Aspire Technology Solutions. He oversees the Aspire Security Operations Centre, leveraging his extensive experience to enhance the security posture and operational efficiency of...