You may have heard the phrase that it is not ‘if’ but ‘when’ you suffer a successful cyber-attack, so you may well be asking the question as to what things should your business or organisation need to be considering? Being the victim of a cyber-attack can be particularly challenging, with risk-based decisions required to protect your business continuity and reputation, but also your clients and supply chain. So, it is important to be prepared for the attack, which means having a plan!

The National Cyber Security Centre (NCSC) provides guidance in preparing your Cyber Incident Response  Plan: Your cyber incident response processes - NCSC.GOV.UK and you may wish to consider implementing the following NCSC guidance as part of your response:

1.      Put in place effective governance during a cyber security incident.

This is because it won’t just be a cyber security problem, it is also a business continuity and communications problem, and maybe a financial and legal one too. In policing it is common to appoint an SRO (senior responsible officer) or to use a command structure, such as the bronze, silver and gold model to assign overall and individual responsibilities for an incident.

2.      Bring in resources for advice and support.

There is support available in the event of a successful attack, so consider who can assist you in managing the situation. The NCSC advises using a cyber incident response (CIR) company to help you manage and recover from the incident. If you have a cyber insurance policy then inform your insurer as it may have in-house or preferred incident response companies, as well as other services to help you during the incident.

3.      Report to law enforcement through Action Fraud.

Police can provide support to your business or organisation both during and after an incident. Also, by reporting you are improving law enforcement’s intelligence allowing a better understanding of the threat landscape, which ultimately helps to prevent further incidents and improve security for everyone.

4.      Consider the impact of a data breach.

It is critical that you communicate any risks to data to the data owners, and that you consider the regulatory requirements you may have to report breaches. The ICO (Information Commissioner’s Office) has guidance on personal data breaches which sets out clearly how to respond to a suspected breach. You must report a notifiable breach ‘without undue delay’ and not later than 72 hours after becoming aware of it.

5.      Think about your public messaging.

Take control of communications so you can control the narrative. As well as offering reassurance to your employees, it can help protect your organisation's reputation. Communications should be factual and clear, ensuring there is no misrepresentation or downplaying of the incident which could create future difficulties or reputational damage. As part of your response plan consider who would need to be brought into your communications strategy.

6.      If you are subject to a ransomware attack, consider the risks of making a payment.

UK police do not encourage, endorse, or condone the payment of ransom demands, but this should not prevent you from reporting it to the authorities. Be aware of the risks around making payments to criminals – there is no guarantee that you will get access to your data or networks and research shows you are more likely to be targeted again. 

7.      Consider your team’s welfare.

Being involved in a cyber incident is stressful for all, staff at all levels of your business will experience stress and uncertainty, which can have a detrimental impact on resilience and decision making. So put their welfare and morale at the top of your response plan. The NCSC has guidance on staff welfare during an incident.

8.      Review lessons learned.

It’s rare that a response goes perfectly to plan, so the importance of a post-incident debrief cannot be understated. Identifying what went well, and the things that could have been done differently. This gives all involved the opportunity to raise any concerns, and to better prepare for potential future incidents. Also, by carrying out a general cyber security review you will be able to understand and manage any vulnerabilities that may lead to further attacks.

The WCRC is here to help you on your journey to strengthen your cyber posture, so please contact the team if you would like additional support with preparing a plan.

We will be running an incident response event on Wednesday 11 September in collaboration with our board member Thales and advisory group member Capital Law, and cyber incident response company Bridewell. Please visit our events page for more information.