You are not alone in this situation
Cyber incidents happen to well-run businesses. They are not a reflection of negligence or carelessness. They are the inevitable consequence of operating in an environment where the threats are constant, sophisticated and frequently underestimated, often by the very suppliers whose job it is to protect you.
What matters now is not how it happened. What matters is what you do in the next few hours and days. The decisions made immediately after a cyber incident have a direct and significant impact on the commercial, regulatory and reputational consequences that follow.
Northstar provides independent, experienced advisory support at exactly this moment. Not vendor-led incident response services with an interest in selling you products. Not a junior consultant following a script. Carl Spencer, personally, with 27 years of experience in IT services, cybersecurity and commercial leadership, available to help you think clearly and act decisively.
"The decisions made in the first hours after a cyber incident shape every consequence that follows. Having the right independent voice in the room makes a material difference."
What to do right now
If you are in the middle of or have just discovered an incident, the following steps apply to the majority of situations. They are not a substitute for independent advice, but they are the right starting point.
-
1
Do not turn systems off immediately
Unless instructed to by a qualified advisor, shutting down systems can destroy forensic evidence and make it harder to understand what happened. Isolate affected systems from the network where possible, but do not power them off unless the attack is actively ongoing and causing immediate damage.
-
2
Disconnect affected systems from the network
Unplug network cables or disable Wi-Fi on affected devices to stop the spread. Do not do this by logging in remotely to a potentially compromised system.
-
3
Document everything you know so far
Write down what you noticed, when you noticed it, and what actions have been taken. Screenshots where possible. This documentation will be needed for insurance claims, regulatory reporting and forensic investigation.
-
4
Do not pay a ransom without independent advice
Paying a ransom does not guarantee data recovery and in some jurisdictions may create legal liability. Take independent advice before making any payment decision.
-
5
Get independent support immediately
Your MSP has a conflict of interest in this situation. They may have contributed to the vulnerability. You need an independent voice who can assess the situation honestly and represent your interests, not theirs.
The 72-hour reporting obligation
- If personal data has been compromised, you may be legally required to report the incident to the ICO within 72 hours of becoming aware of it.
- This obligation exists regardless of whether the incident was your fault.
- Failure to report within the window can result in regulatory action and significantly increased ICO scrutiny.
- The clock starts when you first become aware that a breach may have occurred, not when it is confirmed.
- Northstar can help you assess whether a reportable breach has occurred and what your obligations are, in plain English, without legal jargon.
What Northstar does in an incident situation
Northstar's role in a cyber incident is to provide calm, independent, commercially focused leadership when your business needs it most. That means:
Independent assessment of what has happened and what the likely impact is, without the conflict of interest that your IT supplier carries in this situation.
Regulatory guidance on your ICO reporting obligations, your insurer notification requirements, and what your contractual obligations to clients and partners may be. This is not legal advice, but it is the commercial clarity that helps you make the right decisions quickly.
Stakeholder communication guidance. One of the most damaging aspects of a cyber incident is often not the incident itself but how it is communicated, to clients, to partners, to staff, and in some cases to the public. Northstar helps you get this right.
MSP oversight and accountability. In many incident situations, the managed service provider has a role to play in the response. Northstar sits above that relationship, ensuring your MSP is responding appropriately and in your interests, not managing the narrative to protect themselves.
Recovery planning. Once the immediate incident is contained, Northstar helps you understand what needs to change, what the realistic recovery path looks like, and how to ensure this does not happen again without being oversold products by vendors with an interest in your fear.
After the incident
The period immediately following a cyber incident is one of the most commercially sensitive moments a business can experience. Clients may need to be informed. Insurers will be assessing the claim. The board will be asking questions. Staff will be uncertain.
Northstar provides the independent, senior IT and cyber leadership that ensures this period is navigated with clarity and confidence. Many businesses that engage Northstar during an incident go on to establish an ongoing fractional IT and cyber director relationship, precisely because the incident exposed the governance gap that allowed it to happen.
The best time to have independent IT and cyber oversight in place is before an incident. The second best time is right now.
Get in touch