Guide to Cyber Security Incident Response

By Georgina Donovan, Evalian

According to a report by the business insurance firm Hiscox, the average cost of a cyber-attack on UK firms in 2019 was £184,000, and attacks are becoming more frequent: 55% of respondents faced an attack last year, up from 40% in 2018.

Even if you have followed all best practice to keep your systems secure, there is still a risk that you will suffer an incident, and attacks on small and medium-sized firms are on the rise, with the average proportion being attacked up 59%.

Therefore, no matter your business size, you need to assume that an attack is likely to occur and could be successful. As with any major incident, you need to have an incident response plan to turn to when it does.

What is an Incident Response Plan?

An Incident Response (IR) plan is your standard operating procedure, your playbook. It defines the types of incident (we cover what constitutes a cyber incident here), the consequent risks to the business and the set of procedures to follow in each case.

Each incident will have a different impact level, from a relatively minor hardware malfunction with no suspicious external influence, to a full-on ransomware attack shutting down all systems and leading to a data breach. In each case the response level will be different.

The aim of the plan is to enable you to ring-fence the damage, prevent its spread and return to business as usual as quickly as possible.

The IR plan should be accessible in hard copy and backed up on a system unconnected to your main IT network so it can be accessed by key stakeholders even if all corporate systems are unavailable.

What does a cyber incident response plan include?

The IR plan includes:

  • A list of the IR team members each with their roles and authority levels defined including contact details. Remember usual methods of contact may be inaccessible so ensure you have alternative contact details and methods.
  • A list of external experts and agencies along with key personnel within those organisations and their contact details. Even the largest corporates require specialist IT firms to step in. It’s a good idea to have these on retainer. The NCSC has a list of companies that offer certified Incident Response services.

The IT solutions provider Softcat provides organisations with 2-hours of free incident response access provided by global cyber security specialist Check Point, accessible using the incident-response@softcat.com email.

  • An inventory of your IT assets and systems, each assigned a risk level describing the impact on your business if it is compromised or inaccessible. These can then be prioritised as to what needs to be fixed first to allow critical operations to resume, or alternatives to these systems identified if they can’t be recovered quickly or at all. This might include retrieving your backed-up data and commissioning new cloud services, or returning to paper-based systems in the interim.
  • A communication strategy which outlines how, what and when you need to communicate with your stakeholders. Again, if this is done directly, you will need to refer to a backup of contact details and have a trusted means of contacting them outside of your current systems. Stakeholders include:
    • Staff, who will want to know what to do, whether they can help, how long they will be unable to work, and what not to do so that they don’t exacerbate the problem.
    • Third parties, up or down the supply chain, who rely on your systems or provide you with services and could even be the target of the attack.
    • Authorities you may be legally obliged to contact, such as the ICO if a data breach is suspected, law enforcement agencies such as the National Cyber Security Centre, your region’s organised crime unit (scroll down for area-specific contact details) and regulators if your business falls under National Infrastructure.
    • Customers, who will need to be made aware of events and given advice on what steps to take if a data breach is suspected, such as changing passwords, regularly checking bank accounts for suspicious transactions and being wary of phishing emails or scam telephone calls.
    • Investors and the media.

As with any crisis communications plan, it would be prudent to have draft templates for each type of communication, which you can of course tailor where necessary, but which help your communication team focus in a high-stress situation and issue the communication promptly.

Creating a cyber incident response plan – where to begin?

We have previously written a blog specifically on how to create an incident response plan here. It’s thorough, so please do refer to it. What both of these blogs assume, however, is that you’re already at a certain starting point: that you have knowledge of your IT infrastructure and all of your assets, that you know what data is stored, including with third parties, and that you have back-ups of critical data in place, located separately from your IT systems.

We know from experience that many small businesses are not in this position, and the Hiscox Cyber Readiness Report referred to above confirms this by revealing that 72% of UK firms surveyed received the lowest scores for cyber readiness out of the three categories.

If you are one of these firms, there are a number of steps to take before you can attempt your incident response plan, such as creating a data map and developing it into an information asset register.

Need help?

Whether you are a corporate, an SME or a micro business consisting of you and your best mate, we can help you secure your IT systems, secure your data and prepare your incident response, so that when an incident does occur you can be back to business as quickly as possible. Contact us for a friendly chat with no hard sell.