Records Management & Cyber Attacks

It was an honour and a real pleasure to speak at the IRMS Conference 2023 about how good records management can help organisations recover from cyber-attacks, and help prevent them too.

The presentation was something new that I tried out; in an interactive session the audience helped respond to a cyber-attack in real time, and luck played its part in the outcome. I’m relieved to say it went really well, and I’ve had some very lovely feedback from attendees. If you were there, thank you for being a fantastic audience and getting stuck in!

In this post I’ll lay out an ideal outcome in the case of the simulated attack, highlighting the part that records management plays.

Image of Clare Paterson, consultant and director of CP Data Protection standing behind a podium, in front of a seated audience, pulling an exaggerated worried face, and doing an exaggerated shrug. Clare is a white woman in her 40s with long brown hair and wearing glasses and a dark green patterned blouse (which is hiding the coffee she spilled on it earlier in the day!)
Getting into the spirit of the acting during the session! Photo courtesy of Scott Sammons.

The simulation is a simplified version of the types of incidents any one of us could face, but it’s not completely imaginary either. Let’s look at what happened, and what the ideal response might look like. Robust Records Management processes are the foundation of all the positive responses that help reduce the impact of a cyber-attack, as we will see in this scenario.

At Thingy & Whosit Ltd the heads of IT, Operations, Customer Services, and Communications are gathered around, and they are having a bad day.

Every PC screen in the offices has gone blank, and an intimidating image has appeared instead, of a skull.

Thingy & Whosit Ltd have been hacked; they are a victim of a cyber-attack.

We speak to the Head of IT and the Head of Operations first, and tell them we’ve been hacked.

They know just who to talk to – they have IT specialists on speed dial, and a contract (with Data Processing clauses of course!) in place with them already. All the key colleagues are on the contacts list that the Head of Ops keeps to hand too, and the chain of command is established for emergency situations.

The Head of IT takes the lead, as already planned, as we work through the Response Plan, using the templates that have been designed to make sure we capture everything important, including learning when we get to the Review stages.

The Head of Communications knows where to find copies of draft comms, and uses them to put together information to share with colleagues. It’s already well known that no one should speak to the press. When we have something to share with the press, the Head of Comms will take the lead.

In the early stages of the incident, the Head of Customer Service tells customer-facing colleagues to hang tight for an hour, and they will be updated then.

The Head of Ops knows that, if needs be, we can carry on with a limited amount of work, because our processes are streamlined and we can fulfil some functions manually, without the computer systems.

The Head of IT, along with the crisis IT company, has made sure that every system was quarantined immediately, and in time systems will be brought back up in the previously agreed priority order.

As we start to consider what data is at risk, we can be confident that we only have/had data that we had good reason to have, and that it was all stored where it should have been. This reduces the amount of data that could have been accessed by the hackers.

When we are able to start investigating how this happened, having records of access-levels and access histories will make it much simpler to identify how the hackers were able to attack.


Being prepared for cyber-attacks, and other data breach incidents (as well as many other types of risk) should include the following steps:

Risk assessing and planning for likely incidents.

Recognising – being able to recognise a breach has occurred as soon as possible.

Reducing the risk – by containing the incident and taking mitigating actions.

Reporting as appropriate – including to customers and colleagues, as well as the appropriate authorities.

Reviewing – how well the incident was handled, and what can be learned for future.

I produced a set of phone wallpapers/lock screens with this checklist on, especially for the IRMS conference, which was free for a limited time, and you can now purchase for just £2.10 by clicking here. There are 12 different designs, so hopefully you can find one to suit you (or one for each month?)

If you would like to receive updates, links to blog posts when they’re published, and weekly freebies, you can sign up to the CP Data Protection mailing list by clicking here.

The Hive Live Event is happening soon!

Building on the success of The Hive, the free online group where we discuss all things data, especially personal data, in housing & other values-led sectors, we are proud to announce the first in-person, all-day event; The Hive Live in September 2023.

Taking the theme of ‘Blocker to Builder’ and focussing on building robust ‘Knowledge & Information Management’ it will be held in the stunning, and centrally located, Cosford Air Museum in Shropshire on 25th September 2023. This is a day for sharing knowledge, listening, learning, planning, and meeting friends old & new, in the interactive & engaging sessions.

Click here for all the details of The Hive Live 2023

Latest Posts:


  1. Great Blog Clare, seems common sense, but when it happens panic sets in , so its good to have this as a handy checklist to add to exisiting dpcumnets , thanks 🙂

    • Thanks Samm, glad it’s useful! 😊 I think you would have enjoyed the interactive session I presented at the conference this week; I’m thinking about the best way I can offer it out to a wider audience, so watch this space!

Leave a Reply

Your email address will not be published. Required fields are marked *