How to respond to cyber security incidents

Although nobody likes planning for the worst, it really does help when it comes to cyber security.

As cyber attacks are becoming more widespread and frequent, it is helpful to have a ‘when’, not ‘if’ approach.  

If you assume an incident will happen, you can focus on what to do to minimise the impact to your organisation.

In this article, you will learn what a cyber security incident is, how you can prepare for one and what to do if you are the victim of an attack.  

What is a cyber security incident?  

A cyber security incident is when someone gains unauthorised access to your systems or data, usually over the internet.

That’s what people generally mean when they say that your systems have been hacked.  

An incident is a broad term and includes lots of different types of incidents.

A cyber security breach is any incident that results in the loss, publication, or lack of access to systems or data. This is often what happens when an organisation is a victim of a ransomware attack.

The incident becomes a breach when the data is encrypted and cannot be accessed and then also when or if it is stolen by the attacker. 

Being prepared and responding quickly is important as what you do in the minutes, hours, and days after an incident, can dictate how serious it ultimately is.

There could be penalties to pay, or you may need to report any breach to the authorities, including the Information Commissioner’s Office. 

The secret ingredient is to plan thoroughly 

The most critical thing about managing anything unexpected is planning.

Whether your organisation is 10 people or 10,000, investing time into how to handle incidents will help you make better decisions under the pressure of a real scenario.  

Creating an effective plan will help you identify any gaps in your incident-handling capabilities, such as who to call for help or identifying who in the organisation is authorised to make big decisions.

You can also make a start, by registering with your local Cyber Resilience Centre who can provide support in the event of any incident. 

3 important things to consider when planning for an incident

1. Record everything you need to keep your business running  

This could be specific IT systems or services, databases, or people in certain roles. This can be done through a workshop with colleagues or even just running through a typical day and making a list of everything you would need to be operational.

Once you have worked out what your minimum viable business is, you can look at those things and ask yourself “what if I couldn’t access this for some time, for example, 2 weeks? Do I have alternatives? How long can my business survive without it?” and make plans on that basis. 

The main difference between a cyber security incident and other types of operational failure is that a cyber security incident involves an attacker who may still be inside your systems when you are trying to respond and recover.  

There are numerous examples of organisations who have restored data and services, only for an attacker to just encrypt them again because they still have access.

Recovering systems to ‘clean’ versions might not be straightforward and needs to be part of your planning. 

2. Create an emergency list

This should consist of critical roles, individuals, and supporting companies to help in important domains such as customer services, legal, communications and IT, or cyber security support.  

Ask yourself, who would be the first person to contact in the event of a cyber security incident? Who else needs to be contacted after this to provide support?

This could be employees, service providers, specialist technical or legal advice, or even regulators or law enforcement.  

Remember, you might not have access to your systems so your most important contacts should be made available separately from your usual systems.

Many organisations struggle to contact customers when incidents occur—how would you do this? What would you say to them?  

You also need to consider your legal obligations, such as data privacy regulations. In many parts of the world, regulators must be notified within a few days of an incident occurring.   

If you don’t have the right cyber security or legal skills within your organisation then it’s worth identifying external support in advance, so you have someone to call who can guide you through the situation.

It is also important that any incident-management plan, is easily understandable by non-technical people. 

3. Plan for incident roles and responsibilities and be clear on the priorities 

In the event of an incident, it is very common for emotions to take over and send people on a tangent. Clear roles are important to stay focused. This will tell you who will make decisions during an incident and in what areas.  

This sounds simple but decisions you make during an incident are often under pressure and can have a big impact, so you need the right people making them at the right time.

For example, how do you decide when and if customers need to be notified? Or whether to report an incident to the authorities?

Having all of this written down and well communicated will reduce stress in the event of an attack.  

Finally, it is always a good idea to bring people together and simulate a situation like this. This can be done as part of a tabletop exercise where you gather key people in your organisation and work through these points together.

You’ll be surprised how many different ideas and points of view will be shared.  

Many organisations create an incident playbook, which can be as simple as a list of things they need to think about when an incident occurs.  

Final thoughts 

Understand what you have and what could be impacted in the event of a cyber incident. Creating your plan before anything happens and preparing your organisation will pay off in the long run. 

Most of all, the key factors in managing an incident are:

• Staying calm
• Knowing what to do
• Communicating clearly and in a timely way with customers and stakeholders.