Responding to a Cyber Incident

A government survey found that about a third of UK businesses identified a cyber security breach or attack in the year leading up to April 2023. The true number is believed to be much higher, because small and medium-sized businesses are less likely to report cyber incidents. However, only 21% of businesses have a formal incident response plan setting out how to act when a cyber incident does occur.

It’s all well and good to say you will take action following a cyber incident, but what actions will you take? Who is responsible for taking them? And what happens if the decision makers or experts aren’t present at the time of the incident? A formal incident response plan answers all of these questions in advance and ensures everyone is on the same page when it comes to responding to a cyber incident or attack.

Be prepared 

The first thing that needs to happen before you can execute your incident response plan is making one in the first place! Being prepared and creating a plan to follow is the most important step any business can take. When a crisis hits, it’s too late to prepare, so take these steps now, not while you are trying to deal with an attack.

The UK National Cyber Security Centre (NCSC) defines 4 core stages in responding to any cyber incident:

  • Analyse 

  • Contain 

  • Remediate 

  • Recover 

1 - Spot the threats 

In the analysis stage, you should review everything that could potentially introduce threats to the business, including a technical analysis to find any gaps in the organisation’s cyber security. Identifying potential threats and conducting risk assessments makes your incident response plan well-informed and appropriate for the types of cyber incident you might face. Testing for flaws in the business’s cyber security through a simulated attack, such as penetration testing, helps everyone understand the potential impact of an incident occurring.

2 - Contain the damage 

When an incident or attack occurs, containing the damage or effects to the smallest possible area reduces the impact and increases the chance of a full recovery. Decisions may need to be made at this stage to mitigate the threat, such as taking key business systems offline, in order to prevent things from getting worse.

3 - Remove the threat 

The remediation stage involves eliminating the threat. Both stages 2 and 3 can be performed successfully by antivirus software such as SentinelOne. This is an example of endpoint detection and response software that not only identifies malicious software such as ransomware, but is also capable of removing it from your systems and reversing any changes it made. Ensuring all malicious files and malware have been completely removed from all devices and networks prevents the incident from reoccurring and allows the recovery stage to begin.

4 - Recover and repair 

After the incident has been cleared from the network, you can begin to conduct business as usual again. Minimising the time it takes to reach this step is the main goal of an effective incident response plan.

Lessons Learned 

After the incident has occurred, it is important to review how the incident response process was managed and to learn from the incident. This allows everyone to see what went well and what could be improved within the incident response plan. It is also important to analyse how the incident occurred in the first place so that steps can be taken to ensure the same incident does not happen again. Important questions to ask during this review include the 5 W’s – Who, What, When, Where, and Why. The results of this review should be shared with everyone in the business, for example through employee training sessions, to ensure the weaknesses and threats that triggered the incident are not allowed to repeat.

Test and Practice 

Testing and re-testing the incident response plan should be carried out to check that it covers everything necessary to properly ensure the security of the business and its assets. Testing the plan helps everyone in the organisation become familiar with what to do if an incident occurs and helps reduce the recovery time for the business.

The plan will get tested at some point; don’t let that be during a real cyber incident!

The best way to test your incident response plan is to simulate an incident within the company. This involves gathering together the decision makers within the business, as well as the people designated as your emergency response team, to test whether they know what actions they should take if an incident occurs. Help and advice in planning these sessions is made available for free by GCHQ on the NCSC website.
