When a company network suddenly experiences extreme traffic spikes, severe slowdowns or service outages, it may indicate a cyber incident such as:

- a Distributed Denial of Service (DDoS) attack
- malware spreading internally
- a compromised server sending malicious traffic
- ransomware attempting to propagate across the network
- unauthorised data exfiltration

For many businesses, the first sign of trouble is simply that the network becomes unusable.

The UK National Cyber Security Centre (NCSC) emphasises that organisations should focus on containing the incident first, before trying to fully investigate it.
https://www.ncsc.gov.uk/collection/incident-management

Cyber security expert Ciaran Martin, former head of the NCSC, has noted: “Most organisations do not prevent every cyber attack. What matters is how quickly they detect and respond to them.”

Recognising the Signs of a Network Attack

A sudden surge in network traffic may suggest that:

- an external attacker is flooding your network
- malware inside the network is communicating with attackers
- compromised devices are sending spam or attack traffic
- a botnet has infected internal machines

Typical warning signs include:

- extremely slow internet connections
- servers becoming unresponsive
- unusual outbound traffic
- repeated connection attempts to unknown IP addresses

When this happens, speed matters more than perfection.

Step 1: Stay Calm and Confirm the Incident

Verify the Problem

Before assuming the worst, confirm that the issue is not caused by something routine such as:

- large internal file transfers
- software updates
- backup processes
- cloud synchronisation
- legitimate high website traffic

Your IT team should immediately check:

- firewall logs
- router traffic reports
- server resource usage
- network monitoring tools

The goal is to confirm whether the traffic is legitimate or suspicious.

Step 2: Isolate the Problem Quickly

Contain the Attack

Once suspicious traffic is confirmed, containment becomes the priority.
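Bridging the Step 1 log check and the Step 2 decision about which sources to block, here is an added example (not part of the original guide) that triages constructed firewall log lines: it sets aside routine traffic such as a known backup destination and surfaces two of the warning signs listed above, a connection flood from one external source and unusually large outbound transfers from an internal host to a destination nobody recognises. The internal address range, the routine destination and both thresholds are assumptions chosen for the sample.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed sample firewall lines (not from any real system).
# Fields: time source destination dest-port bytes
SAMPLE_LOG = """\
09:00:01 203.0.113.7 10.0.0.10 443 120
09:00:01 203.0.113.7 10.0.0.10 443 120
09:00:02 203.0.113.7 10.0.0.10 443 120
09:00:02 203.0.113.7 10.0.0.10 443 120
09:00:03 203.0.113.7 10.0.0.10 443 120
09:00:03 198.51.100.8 10.0.0.10 443 4500
09:00:04 10.0.0.5 198.51.100.20 443 52000000
09:00:05 10.0.0.55 203.0.113.99 443 2600000
09:00:06 10.0.0.55 203.0.113.99 443 2600000
09:00:07 10.0.0.23 198.51.100.8 443 900
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed company LAN range
ROUTINE_DESTINATIONS = {"198.51.100.20"}         # assumed backup / cloud-sync host
FLOOD_THRESHOLD = 5        # connections from one external source (sample-sized)
EXFIL_BYTES = 1_000_000    # outbound bytes to a destination nobody recognises

def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "bytes": int(nbytes)}

def triage(log_text):
    """Return candidate flood sources and unusual outbound flows for human review."""
    inbound = Counter()            # external source -> connection count
    outbound = defaultdict(int)    # (internal host, external dest) -> bytes sent
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src_internal = rec["src"] in INTERNAL
        dst_internal = rec["dst"] in INTERNAL
        if not src_internal and dst_internal:
            inbound[str(rec["src"])] += 1
        elif src_internal and not dst_internal and str(rec["dst"]) not in ROUTINE_DESTINATIONS:
            outbound[(str(rec["src"]), str(rec["dst"]))] += rec["bytes"]
    return {
        "flood_sources": sorted(s for s, n in inbound.items() if n >= FLOOD_THRESHOLD),
        "unusual_outbound": sorted((s, d, b) for (s, d), b in outbound.items()
                                   if b >= EXFIL_BYTES),
    }
```

The 52 MB transfer to the backup host is deliberately not reported, which is the point of confirming routine activity before treating a spike as an attack; the flagged entries are candidates for the firewall block and device isolation steps, not an automatic verdict.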
Your IT team should consider:

- disconnecting affected machines from the network
- blocking suspicious IP addresses at the firewall
- disabling compromised user accounts
- isolating critical servers

If malware may be spreading internally, temporarily disconnecting infected machines can prevent further damage.

The NCSC advises organisations to contain compromised systems quickly to prevent attackers gaining further access.
https://www.ncsc.gov.uk/guidance/responding-to-a-cyber-incident

Step 3: Contact Your Internet Service Provider

Possible DDoS Attack

If traffic levels are extremely high and coming from many external sources, the business may be experiencing a Distributed Denial of Service attack.

Your ISP can:

- identify traffic sources
- apply traffic filtering
- block malicious IP ranges
- activate DDoS mitigation services

Many UK providers have automatic DDoS protection systems, but they must often be notified before they activate mitigation.

Step 4: Preserve Evidence

Do Not Immediately Wipe Systems

Although it may be tempting to reset systems immediately, avoid destroying evidence.

Your IT team should preserve:

- firewall logs
- server logs
- authentication records
- suspicious IP addresses
- timestamps of abnormal activity

These records may later help determine:

- how the attack began
- whether data was stolen
- whether systems remain compromised

Step 5: Check for Compromised Systems

Look for Malware or Unauthorised Access

Your IT team should review:

- endpoint security alerts
- antivirus detections
- recent user account logins
- new administrator accounts
- unusual scheduled tasks

If malware is detected, affected machines should remain isolated until cleaned or rebuilt.

Step 6: Notify Senior Leadership and Key Staff

Internal Communication Matters

Cyber incidents quickly affect business operations.
Management should be informed so they can:

- pause non-essential network activity
- alert staff about system disruptions
- prevent further risky actions
- prepare customer communication if necessary

Clear communication prevents confusion and reduces the risk of additional mistakes during the incident.

Step 7: Seek External Cyber Security Support

Bring in Experts

If the internal IT team lacks cyber security experience, external support is essential. Possible sources include:

- specialist cyber security consultancies
- managed security providers
- cyber insurance incident response teams
- government cyber response guidance

The NCSC provides incident response support and guidance for UK organisations.
https://www.ncsc.gov.uk/section/respond-recover/overview

Step 8: Report Serious Incidents

UK Cyber Incident Reporting

Serious cyber incidents affecting UK businesses may be reported through the official government cyber reporting route.
https://www.ncsc.gov.uk/section/respond-recover/report

If personal data is compromised, organisations may also need to notify the Information Commissioner’s Office (ICO).
https://ico.org.uk/for-organisations/report-a-breach

Step 9: Restore Systems Safely

Returning to Normal Operations

Once the threat is contained and systems are verified as clean, recovery can begin.

Typical recovery steps include:

- restoring systems from backups if needed
- patching vulnerabilities
- resetting passwords
- strengthening firewall rules
- enabling additional monitoring

Operations should return gradually rather than switching everything back online at once.

How Businesses Can Prepare for Future Incidents

Even small organisations benefit from a simple incident response plan.
Key preparations include:

- maintaining reliable offline backups
- enabling network monitoring tools
- using endpoint protection software
- training staff to recognise cyber threats
- documenting emergency contacts for cyber incidents

The NCSC Small Business Guide to Cyber Security provides practical advice for improving cyber resilience.
https://www.ncsc.gov.uk/collection/small-business-guide

Final Thoughts

The first cyber incident a business experiences can feel chaotic, especially if the internal IT team has little experience handling attacks. However, most incidents can be stabilised by following a structured response:

- confirm the issue
- isolate affected systems
- contain the attack
- preserve evidence
- seek expert help
- restore systems carefully

Cyber attacks are no longer rare events. Even smaller UK businesses are increasingly targeted. The organisations that recover fastest are not the ones with perfect security. They are the ones that respond quickly, follow a clear plan and bring in expert support when needed.

And perhaps the most uncomfortable lesson for many directors is this: cyber security is no longer just an IT responsibility. It is a core part of running the business.