Here is a number that should be on the agenda at your next leadership meeting.
72% of senior managers say cyber security is a top priority for their organisation. Only 29% have a formal incident response plan in place.
The two figures come from the UK government’s latest cyber security breach survey. They were mentioned in Aviemore by Gordy McDonald and Heather Lowry from the Scottish Government Cyber Resilience team. The gap between feeling secure in cybersecurity and actually being prepared is where most damage occurs.
WHAT A BUSINESS OWNER EXPERIENCES
You arrive at the office, or log in remotely, and something is wrong. Systems are slow or unresponsive. Files are behaving strangely. A staff member mentions an odd email from last week that they weren’t sure about. Or everything is simply gone. In the first minutes and hours of a cyber incident, the questions come fast: Who do I call? What do I say? Who is in charge if my usual IT contact is unavailable? Do we have to notify anyone? By when?
If you have not worked out the answers in advance, you will be working them out under the worst possible conditions.
WHAT IS REALLY HAPPENING IN THE BACKGROUND
Most organisations do not lack the will to respond well. They lack the preparation. Gordy McDonald shared a real incident from a Friday evening. He wasn’t the main responder, just support. The pressure was intense. Emails poured in, video call requests piled up, and urgent information was needed. It felt like his brain might burst. And that was from the outside. For the organisation at the centre, things get worse quickly without a plan, clear roles, or rehearsed decisions.
Heather Lowry framed it with the Scottish Government Strategic Cyber Resilience Framework. Resilience is about our shared ability. It is not something the IT team holds on behalf of everyone else. It’s built across leadership, HR, finance, operations, and communications. You need to know who does what when things go wrong.
The detail most plans miss is deputisation. It is not enough to have an incident response plan that assumes the right people are available. Gordy, a Police Scotland dive supervisor for 22 years, made a key point: he’d never send a team into a risky situation without making sure everyone knew what to do. Cyber incident response is no different. Your primary IT contact may be on holiday. Your FD may be unreachable. The plan has to work with whoever is actually there.
THE 72-HOUR RULE
If personal data is involved, like client information or employee records under GDPR, you must notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach. This is a legal obligation. The ICO’s guidance is clear: the faster you notify, the more you show that you take the incident seriously and are not simply trying to deal with it quietly. Late notifications, or no notification at all, raise the risk of regulatory penalties on top of the incident itself.
ACTION THIS DAY
1. In your next leadership meeting, ask one key question: If we faced a major cyber incident tomorrow, who would take charge? Who would be their deputy? Do both of them know their roles? If you cannot answer all three parts of that question confidently, that is where your incident response plan needs to start.
2. Here are the four key contacts for any cyber incident:
Your IT provider or managed service contact
Your cyber insurer’s claims line
ICO reporting line: 0303 123 1113
Police Scotland’s cyber crime reporting: call 101 or contact the NCSC
Keep this list in both physical and digital form. If a ransomware attack happens, the digital copy may be encrypted along with everything else.
3. Book a one-hour session with your IT provider in the next two weeks, specifically to review your incident response plan, or to create one if it does not exist. The NCSC provides a free incident response guide at ncsc.gov.uk that gives a clear structure. Use it.
CONVERSATION TO HAVE WITH YOUR TEAM
Ask at your next all-staff meeting: if you came in tomorrow and nothing worked, what would you do in the first hour? Listen to the answers. If people are unclear, uncertain, or looking at each other, that is the gap this article is about. Organisations that cope well with cyber incidents often do not have advanced technology, and they do not need the latest tools to succeed. They are the ones where everyone already knows their role before the crisis starts.
This is Article 5 of the Cyber Resilience for Business Owners series. It is based on the Highlands and Moray Chambers Joint Cyber Resilience Event in Aviemore, February 2026. Speakers: Gordy McDonald (Police Scotland), Heather Lowry (Scottish Government), Mark Gallagher (Police Scotland).