A cyber-attack can cause significant disruption, from systems going offline to employee data being compromised. When this happens, the impact isn’t only operational; it’s also deeply personal for affected employees, who may worry about what the incident means for them.
For employers, responding swiftly and sensitively is essential. While IT and legal teams focus on containing the technical damage, HR and cybersecurity also play a crucial role in managing communication, maintaining trust, and supporting employees through uncertainty.
HR and cybersecurity: steps for managing a business cyber attack
A complete business continuity plan for cyber attacks can support your organisation in overcoming immediate threats. This is where HR can play its part, offering a professional approach to managing the situation and limiting disruption.
1. Stay calm and follow the incident response plan
If your organisation has a cyber security or business continuity plan, activate it immediately and make sure everyone understands their role.
If employee data has been compromised, notify your Data Protection Officer (DPO) straight away. The DPO will lead on assessing the risk, advising the organisation, and deciding whether to report the breach to the Information Commissioner’s Office (ICO) within 72 hours, as required under the UK GDPR.
If your organisation doesn’t have a DPO, responsibility for this assessment usually sits with your data protection lead, senior leadership, or external legal advisers. HR must ensure the issue is escalated quickly and that all actions are recorded.
Employment lawyer’s advice: Make sure you stick to any agreed internal procedures and keep clear records of all decisions and actions taken. This will demonstrate that you acted reasonably and took prompt, organised action, which regulators and tribunals will expect to see if the incident later leads to claims or enforcement action.
2. Coordinate with IT, legal and senior leadership
Work collaboratively with IT, data protection, and leadership teams to:
- Understand the scale and type of attack.
- Identify whether employee data – such as payroll information, personal details, disciplinary records, or medical data – has been compromised.
- Support containment and recovery efforts.
Employment lawyer’s advice: Treat employee data as highly sensitive. If the breach affects HR systems, involve your Data Protection Officer immediately and document all steps taken to protect personal information. These records may be critical evidence if the ICO investigates or if employees raise complaints.
3. Communicate and support employees
HR plays a vital role in reassuring staff who may feel unsettled and anxious due to the breach.
- Keep communication channels open and ensure communications are consistent across all departments.
- Notify affected employees promptly, explaining what’s happened, what’s being done, and what action they can take (e.g. password resets, monitoring accounts).
- Be clear about how you’re preventing such issues from happening again.
- Offer wellbeing support through your Employee Assistance Programme (EAP) or mental health resources.
Where a DPO is involved, they can support HR in drafting compliant communications that meet data protection requirements.
Employment lawyer’s advice: Employees are likely to be highly concerned, so you must communicate carefully, being transparent but factual. You should not speculate or admit liability. Have your planned communications reviewed by your legal advisers and your data protection team to reduce legal and reputational risks.
4. Manage disruption to work
Cyber incidents can cause serious practical challenges, particularly if HR systems, payroll software, or scheduling tools are affected.
- Work with finance to ensure employees are paid correctly, even if manual payments are needed.
- Keep temporary manual records for absences or leave.
- Support managers dealing with staff frustration or delays.
- Prepare alternative contact methods if systems are down.
Employment lawyer’s advice: Failing to pay employees because of a cyber incident could lead to unlawful deduction of wages claims. You should take all possible steps to make interim payments, even if data systems are down.
5. Review, learn and strengthen your response
Once the immediate crisis is over, HR should be actively involved in the post-incident review:
- Participate in a formal debrief with IT, legal, and your DPO.
- Communicate to employees what’s been learned and how you’re preventing such issues from happening again.
- Review and update your data protection and IT security policies.
- Refresh employee training on phishing, password management, and secure data handling.
Employment lawyer’s advice: You should review employment contracts and HR policies to ensure they cover data breaches and cyber incidents, including clear procedures for responding, reporting, and managing employee data. Any learnings from the incident can be built into updates to contracts and policies where necessary. You can also revisit data processing agreements with third-party providers where possible.