Responding to a cyber incident

You need to have an understanding of all your systems that could be affected by an attack and where your data is stored.

1. Identify the critical services, data locations and third parties you rely upon
2. assess your vulnerabilities as regards your policies, technology, and people
3. review backup and recovery procedures.

This will be the team who help steer your business through any cyberattack. The team should proportionate to the size and complexity of your firm (it may be one person, ideally with a back-up). It may include external contractors if you outsource your IT and cybersecurity. They will be responsible for coordinating damage limitation, incident investigation and communications.

• Define the roles and responsibilities of team members including authority levels for specific actions such as notifying the regulator of a breach or instructing technical response experts, external forensics or external lawyers if required
• Establish response guidelines by considering and discussing possible scenarios with employees.
• Establish an emergency contact procedure. There should be one contact list with names listed by contact priority.
• How do you define risk? You should consider and define a protocol that helps identify whether a threat is low risk, medium risk or high risk.

Communications –

Identify stakeholders and when they should be informed – colleagues, clients, third party suppliers, police, Information Commissioners Office, PR agency etc
If a breach becomes public, consider who will make statements in the media. Ideally, that person should have media training and be backed up by someone with technical expertise. If you do not have those skills, consider using a PR firm. If you have suitable insurance, the insurers might provide someone.

1. Train your staff - your staff need to know how to recognise what a breach looks like, what their immediate response is and who they should contact. Ideally you can set out a description process so that you can easily describe an incident in a way that everyone will understand. Your staff should also be familiar with your response teams’ plan.
   You can read more about the types of threats here.
2. Training for your response team - Your response team need to know that processes work and for that they need to road test the processes. This will help you identify quirks and gaps in your processes and it is by having a practice run that those issues can more easily be identified and remedied in advance of the real thing occurring. The classic example is around the location of the incident response plan: most organisations never think about it properly but if the plan is held only on the main server, how can it be accessed in the event of an incident.

Effective backups are an important ingredient of incident response and you should consider the following:

1. The backups need to include data, software, and system configuration to be effective. This is the information required to re-create your business systems, not just the files and documents.
2. The storage locations need to reflect the fact that the office may be out of bounds during an incident.
3. Make sure your backups follow best practice in terms of frequency, protected copies, and memory capacity (as examples).
4. Ensure staff understand what locations are backed up. Consider whether important information is stored on laptops that are not being backed up.
   Typically, firms forget the recovery part of this process. You do not want to be recovering files and systems for the first time in a live incident. Recovery should be rehearsed annually, and improvements noted and actioned. Consider whether your backups will survive a ransomware attack and how long your firm will be out of action if you need to recover the complete system and data.