Most UK businesses experience their first cyber incident exactly the same way: the network slows down dramatically, staff start complaining that systems are unusable, and the IT team realises something abnormal is happening.

Heavy network traffic can indicate several types of cyber attack, including:

- Distributed Denial of Service (DDoS)
- Malware communicating with external servers
- Compromised internal machines sending spam
- Data exfiltration
- Ransomware spreading across the network

The UK National Cyber Security Centre (NCSC) stresses that organisations must prioritise containment and recovery before deep investigation: https://www.ncsc.gov.uk/collection/incident-management

Former NCSC chief executive Ciaran Martin has explained: “Cyber incidents happen to organisations of all sizes. The key difference between organisations is how effectively they respond.”

## Recognising the Warning Signs of a Network Attack

If network traffic suddenly increases dramatically, typical symptoms include:

- internet connections becoming extremely slow
- cloud applications timing out
- servers responding slowly
- large volumes of unknown outbound traffic
- repeated connection attempts to unusual IP addresses

Before assuming a cyber attack, confirm that the traffic is not legitimate. Your IT staff should immediately check:

- firewall dashboards
- router traffic statistics
- server resource usage
- recent system updates or backups

Sometimes the cause is simply a large internal transfer or automated update. Unfortunately, it is often something less innocent.

## Step 1: Stabilise the Situation Immediately

### Pause Non-Essential Network Activity

The first priority is reducing network load. Your IT team should:

- pause large backup jobs
- stop file synchronisation services temporarily
- halt cloud data transfers
- disable non-essential internal systems

This helps you determine whether the traffic spike is internal or external. If performance improves significantly, the issue may be internal misconfiguration or malware.
## Step 2: Identify the Source of the Traffic

### Look at Firewall and Router Logs

Your IT staff should examine:

- firewall connection logs
- top source IP addresses
- top destination IP addresses
- bandwidth usage by device

Key questions:

- Is traffic coming from outside the company?
- Is a specific internal machine generating traffic?
- Is a server sending large amounts of data externally?

This information determines the next action.

## Step 3: Contain the Attack

### Disconnect Suspicious Devices

If one machine appears responsible for large volumes of traffic, isolate it immediately. Steps include:

- disconnect the device from the network
- disable its switch port
- remove Wi-Fi access
- power down the system if necessary

This prevents malware from spreading further. The NCSC advises isolating compromised devices quickly to stop attackers maintaining access: https://www.ncsc.gov.uk/guidance/responding-to-a-cyber-incident

## Step 4: Contact Your Internet Provider

### Possible Distributed Denial of Service Attack

If traffic is coming from thousands of external sources, you may be experiencing a DDoS attack. Your internet service provider can:

- identify attack traffic patterns
- block malicious IP ranges
- apply upstream filtering
- activate DDoS mitigation services

Contact the ISP’s technical support team immediately and explain the situation. Many providers have emergency procedures specifically for this scenario.

## Step 5: Preserve Evidence

### Do Not Wipe Systems Yet

Before resetting systems, collect evidence. Your IT team should export:

- firewall logs
- server logs
- login records
- network traffic reports
- suspicious IP addresses

These will help determine:

- how the attack started
- whether data was stolen
- whether attackers still have access

## Step 6: Check for Compromised Accounts

### Investigate User Activity

Check for:

- unusual administrator logins
- recently created accounts
- password changes
- suspicious scheduled tasks
- unexpected software installations

If suspicious accounts exist, disable them immediately.
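To make the Step 2 log triage concrete, here is an added example (not from the original post or the NCSC guidance) that aggregates constructed firewall log lines to answer its three questions: it ranks the top source and destination addresses, counts distinct external sources (a very large count points to the Step 4 DDoS case), and flags internal hosts sending unusually large volumes outbound, which are the Step 3 isolation candidates. The log format, the use of RFC 1918 ranges to mean "inside the company" and the 100 MB threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log: timestamp, source IP, destination IP, dst port, bytes.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.15 203.0.113.9 443 1500
2024-05-01T09:00:02 10.0.0.15 203.0.113.9 443 850000000
2024-05-01T09:00:03 10.0.0.22 10.0.0.5 445 20000
2024-05-01T09:00:04 198.51.100.7 10.0.0.5 80 600
2024-05-01T09:00:05 198.51.100.8 10.0.0.5 80 600
2024-05-01T09:00:06 198.51.100.9 10.0.0.5 80 600
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:  # assumption: RFC 1918 == the company LAN
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def parse_log(text: str):
    """Yield (src, dst, port, bytes), skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, port, nbytes = parts
        yield src, dst, int(port), int(nbytes)

def summarise(text: str) -> dict:
    """Top talkers, number of distinct external sources, and outbound bytes per host."""
    by_src, by_dst, outbound = Counter(), Counter(), Counter()
    external_sources = set()
    for src, dst, _port, nbytes in parse_log(text):
        by_src[src] += nbytes
        by_dst[dst] += nbytes
        if not is_internal(src):
            external_sources.add(src)          # traffic coming from outside the company
        elif not is_internal(dst):
            outbound[src] += nbytes            # internal machine sending data externally
    return {
        "top_sources": by_src.most_common(3),
        "top_destinations": by_dst.most_common(3),
        "external_source_count": len(external_sources),
        "outbound_by_internal_host": dict(outbound),
    }

def flag_heavy_outbound(summary: dict, threshold_bytes: int = 100_000_000) -> list:
    """Internal hosts that sent more than threshold_bytes to external addresses."""
    return sorted(h for h, b in summary["outbound_by_internal_host"].items()
                  if b > threshold_bytes)
```

Hosts returned by `flag_heavy_outbound` are the ones to look at first under Step 3; a large `external_source_count` with small per-source volumes is the pattern to describe to your ISP under Step 4.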
## Step 7: Seek Professional Cyber Security Assistance

### Bring in External Incident Response Experts

If your internal IT team lacks cyber expertise, external help is essential. Possible sources include:

- cyber security consultancies
- managed security service providers
- cyber insurance incident response teams

The NCSC provides guidance on responding to cyber incidents and directs organisations to support resources: https://www.ncsc.gov.uk/section/respond-recover/overview

## Step 8: Report Serious Incidents

### UK Cyber Incident Reporting

Major cyber incidents affecting UK businesses may be reported via the official government reporting routes: https://www.ncsc.gov.uk/section/respond-recover/report

If personal data may have been compromised, organisations may need to notify the Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/report-a-breach

## Step 9: Restore Business Operations Safely

### Recover Systems Carefully

Once the attack is contained:

- restore affected systems from backups
- patch vulnerabilities
- reset passwords across the network
- update firewall rules
- increase monitoring of traffic patterns

Bring systems back online gradually to ensure the threat is truly removed.

## Preparing for the Next Incident

Most SMEs only begin thinking seriously about cyber incident response after the first attack. To reduce risk in the future:

- implement network monitoring tools
- maintain reliable offline backups
- enforce multi-factor authentication
- deploy endpoint security protection
- create a simple incident response plan

The NCSC Small Business Cyber Security Guide provides practical advice for UK companies: https://www.ncsc.gov.uk/collection/small-business-guide

## Final Thoughts

Discovering that your business network is under attack can feel overwhelming, especially when internal IT teams lack dedicated cyber security expertise.
However, most incidents can be stabilised by focusing on a few critical priorities:

- confirm the problem
- contain the attack quickly
- isolate compromised systems
- involve external experts
- restore operations safely

Cyber attacks are now a normal business risk rather than a rare event. The organisations that recover fastest are not those with perfect security, but those that act quickly, communicate clearly and follow a structured response plan.

And the first rule during a cyber crisis is simple: panic later. Fix the network first.