Cyber Attack on Your POS: What to Do in the First 48 Hours
Cyber attacks on SMB POS systems are rising sharply. The businesses that recover fastest have an incident response plan, isolated backups, and cyber insurance. Without all three, a single attack can cost £50,000–£200,000 and weeks of downtime.
The Attack That Shut Down a Chippy for Three Weeks

A fish and chip shop chain with five locations across the East Midlands was hit by ransomware in autumn 2023. The attackers encrypted every file on their network — including their POS transaction history, their staff scheduling system, their supplier ordering records, and their customer loyalty database. Then they demanded £18,000 in bitcoin to restore access.

The owners did not pay. Instead, they called their IT support company, who told them that without backups they would need to rebuild entirely from scratch. It took 21 days.

During that time, three of the five locations could not process card payments. Two locations closed entirely. Staff were stood down. The total financial impact — lost revenue, IT recovery costs, and emergency staffing — was approximately £47,000. The customer loyalty database, built over six years, was lost permanently.

This is not an extreme example. The UK's National Cyber Security Centre (NCSC) reported that 39% of UK businesses experienced a cyber attack in 2023, and the average cost to a small business was £3,230 — but for businesses where operational systems were compromised, the average exceeded £25,000. For hospitality and retail businesses dependent on POS systems, the impact is disproportionately severe because trading halts immediately and completely.

The uncomfortable truth is that most SMB POS systems are significantly more vulnerable than their owners realise.
How POS Systems Get Compromised

Understanding the attack vectors helps you prioritise defences. POS systems are targeted because they sit at the intersection of financial data and network connectivity — and they are often poorly maintained.

Phishing emails remain the most common initial attack vector. An employee clicks a link in what appears to be a supplier email, invoice attachment, or shipping notification. The link installs malware that either encrypts files (ransomware) or quietly exfiltrates payment card data over weeks or months. In the UK, 83% of successful cyber attacks on businesses begin with phishing.

Remote access vulnerabilities are the second most common vector. Many POS systems and retail networks use Remote Desktop Protocol (RDP) for IT support access. Attackers scan for open RDP ports and use brute-force password attacks to gain access. If your IT support company connects to your POS remotely — and most do — this is a risk you need to explicitly address with them.

Third-party software vulnerabilities affect businesses running outdated POS software. Legacy systems, particularly those no longer receiving security updates from their vendors, have known vulnerabilities that are actively exploited. If you are running a POS system that is more than 3–4 years old and has not been updated recently, you are at elevated risk.

Point-of-sale malware — software specifically designed to capture card data as it is processed — represents a smaller but significant category of attack. This is typically introduced through physical access to the POS terminal or through network intrusion, and it operates silently for months before detection.
Hours 0–6: Containment

The moment you suspect a cyber attack, your first priority is containment — stopping the attack from spreading further, not trying to understand or fix what has already happened.

Isolate immediately. Disconnect affected systems from the network — physically, by unplugging ethernet cables and disabling Wi-Fi. If your POS terminals are networked together, disconnect them all. Containment is more important than continuing to trade. Yes, you will lose some hours of sales. The alternative is giving the attackers more time to encrypt more systems or exfiltrate more data.

Do not turn systems off — yet. Counter-intuitively, in many attack scenarios, keeping infected systems running (but isolated from the network) preserves forensic evidence and may allow recovery of encryption keys. Do not shut down or reboot unless your IT specialist instructs you to.

Call your IT support company immediately. If you do not have a support company on retainer, call a specialist cyber incident response firm. In the UK, the NCSC maintains a list of certified incident response companies — search "NCSC certified incident response." In Singapore, the Cyber Security Agency (CSA) provides similar guidance and can recommend response resources.

Then call your cyber insurance provider. If you have a policy, report the incident within the timeframe specified — many policies require reporting within 24 hours of discovery. Your insurer will often provide access to their own incident response team as part of the claim.

Notify your bank and payment processor about potential card data exposure. They will guide you on the appropriate response, which may include reissuing cards for affected customers.
Hours 6–24: Assessment and Communication

Once containment is underway, your attention shifts to understanding what happened and communicating appropriately. Work with your IT team to establish the scope of the breach: which systems are affected, what data may have been exposed, and whether the attackers are still active on your network. This assessment drives both the recovery timeline and your legal obligations.

If any customer payment card data or personal data may have been compromised, you have a legal notification obligation under UK GDPR (in the UK) or PDPA (in Singapore). In the UK, you must notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms. This is a hard deadline — missing it can result in regulatory fines that compound the attack's financial impact.

For affected individuals whose data may have been exposed, you will also need to notify them "without undue delay." These communications must be clear, honest, and include the nature of the breach, the data affected, the likely consequences, and the measures you are taking. Do not minimise or obfuscate — the regulatory and reputational cost of a cover-up exceeds the cost of transparent communication.

For customers waiting for service: communicate simply and honestly. "We are experiencing a technical issue and our card systems are temporarily unavailable" is sufficient for day one. If the outage extends beyond 24 hours, update your communication to acknowledge the situation more fully. Customers are remarkably understanding when businesses are honest — and remarkably unforgiving when they are not.
Hours 24–48: Recovery Planning

By hour 24, the acute containment phase is over and recovery begins. This phase is driven almost entirely by whether you have backups and what state those backups are in.

Backups are the single most important factor in recovery time and cost. A business with clean, recent, isolated backups can often restore systems within 24–72 hours. A business without backups faces complete reconstruction, which typically takes 2–6 weeks for a multi-site retail or hospitality operation.

Isolated backups are critical. Many businesses back up their data to a network-attached storage device or cloud service that is connected to the same network as their operational systems. When ransomware hits, it encrypts the backups as well as the primary data. Your backups must be isolated — either physically disconnected external drives rotated on a schedule, or an air-gapped cloud backup service that cannot be reached from your operational network.

For POS-specific recovery: most modern cloud-based POS systems maintain their transaction data and configuration in the vendor's cloud infrastructure, which is separate from your local network. If you use Square, Lightspeed, or a similar cloud POS, your transaction history is likely recoverable even if your local systems are compromised. Confirm this with your POS vendor as part of your recovery planning — and if you are on a legacy local-server POS, consider this a compelling reason to migrate to cloud.

AskBiz's cloud-based architecture means that even if your local infrastructure is compromised, your business analytics, inventory data, and financial reporting remain accessible and safe.
Cyber Insurance: What to Buy and What It Covers

Cyber insurance has become an essential component of SMB risk management. A policy that would have cost £800–£1,500 per year in 2020 might now cost £2,500–£5,000 for a business with five locations and card payment volumes above £1 million per year. But even at those prices, the coverage is compelling.

A good cyber insurance policy for an SMB should cover:

- incident response costs (your IT recovery team's fees);
- ransomware payment (in the event you choose to pay — controversial, but sometimes the least costly option);
- business interruption loss (revenue lost during system outage);
- data breach notification costs (letters, call centres, credit monitoring for affected customers);
- regulatory fines and defence costs;
- PR and crisis communications support.

Not all policies cover all of these. Read the exclusions carefully, particularly around ransomware — some policies exclude payment to attackers, some limit business interruption coverage to a specific daily rate, and some exclude breaches resulting from poor security hygiene (such as not applying security updates). Your broker should help you understand the coverage gap between the cheapest policy and the one that actually protects you.

The premium, while meaningful, should be assessed against the realistic worst-case cost of an uninsured breach. For a five-location business dependent on POS systems, a 3-week outage and full system rebuild could easily cost £80,000–£150,000. At £4,000 per year, cyber insurance is among the best-value cover available.
Prevention: The Defences Every SMB POS Should Have

Prevention is exponentially cheaper than recovery. These are the non-negotiable security measures for any SMB operating POS systems.

Multi-factor authentication (MFA) on every system with remote access capability, including your accounting software, email, and any cloud-based management tools. MFA alone prevents approximately 99% of automated credential attacks. If your POS vendor does not support MFA, this is a significant security gap that you should raise with them explicitly.

Endpoint detection and response (EDR) software on all networked computers and POS terminals. Unlike traditional antivirus, EDR identifies suspicious behaviour — such as a process encrypting large numbers of files — and can halt it before widespread damage occurs. Annual cost for a 10-device business is typically £300–£800, which is a fraction of any recovery cost.

Regular, tested, isolated backups. Set a weekly schedule. Rotate external drives. Test a restore quarterly — many businesses discover their backups are not working only when they need them. Cloud backup services like Backblaze Business or Veeam Cloud Backup provide isolated off-site backups with version history for a few hundred pounds per year.

Staff training on phishing recognition. The best technical defences are undermined by a single employee clicking a malicious link. Annual phishing awareness training — even a 30-minute online module — measurably reduces click rates on simulated phishing tests.

AskBiz's cloud infrastructure is independently security-audited and maintains your financial and operational data in a secure, redundant environment entirely separate from your local network. Even in a worst-case attack, your business intelligence and reporting remain intact.
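The "test a restore quarterly" step above, and the isolated-backup advice in the recovery section, as an added example that is not part of the original article or of AskBiz's product: a POSIX shell script that archives a directory together with a SHA-256 manifest, then proves the archive restores cleanly into a scratch directory and fails the check when the archive is damaged. The directory layout, file names and contents are constructed sample data; it assumes GNU coreutils and tar are available on the machine doing the restore test.

```shell
#!/bin/sh
# Added example (not from the article): a restore test for a file backup.
# Assumptions: the backup is a tar archive of one directory plus a sha256sum
# manifest; GNU coreutils (sha256sum, mktemp) and tar are available.
set -eu

# make_backup SRC_DIR ARCHIVE MANIFEST
# Archive SRC_DIR and record a SHA-256 checksum for every file in it.
make_backup() {
    src="$1"; archive="$2"; manifest="$3"
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$manifest"
    tar -cf "$archive" -C "$src" .
}

# verify_restore ARCHIVE MANIFEST
# Extract ARCHIVE into a throwaway directory and check every file against the
# manifest. Returns 0 only when the restore is complete and every checksum
# matches; a truncated, corrupted or incomplete archive returns 1.
verify_restore() {
    archive="$1"
    manifest="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    scratch="$(mktemp -d)"
    status=0
    if tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        ( cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1 ) || status=1
    else
        status=1
    fi
    rm -rf "$scratch"
    return "$status"
}

# self_test: build a constructed sample POS data directory, back it up, verify
# the restore, then truncate the archive and confirm verification now fails.
# Prints PASS or FAIL and returns 0 only on PASS.
self_test() {
    work="$(mktemp -d)"
    mkdir -p "$work/src/transactions"
    printf 'id,amount\n1001,4.50\n1002,12.20\n' > "$work/src/transactions/2024-03.csv"
    printf 'loyalty_db=customers.sqlite\n' > "$work/src/pos.ini"
    make_backup "$work/src" "$work/pos.tar" "$work/pos.sha256"
    verify_restore "$work/pos.tar" "$work/pos.sha256" || { echo FAIL; rm -rf "$work"; return 1; }
    head -c 1024 "$work/pos.tar" > "$work/damaged.tar"   # simulate a damaged backup
    if verify_restore "$work/damaged.tar" "$work/pos.sha256"; then
        echo FAIL; rm -rf "$work"; return 1
    fi
    rm -rf "$work"; echo PASS
}
```

Run `verify_restore` against the archive on the rotated external drive, not against the live copy, so the quarterly test exercises the same media you would actually restore from.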