Article by: Jason Scanlon | Virtual Chief Technology Officer
When an unexpected incident like a cyber-attack or breach occurs, it is a stressful period for business owners, their employees, and other vested stakeholders. A cybersecurity incident response plan is a document designed to help your organisation respond to and recover from a cybersecurity incident.
A cyber incident has been defined by the UK’s National Cyber Security Centre (NCSC) as any unauthorised access to an organisation’s IT systems. This includes breaches and malicious attacks such as denial of service, ransomware, and phishing.
A cybersecurity response plan lays out a step-by-step approach: whom to contact, how to handle communications, and how to identify lessons learned so that future events can be prevented.
Prepare: There’s an old saying, “Failing to plan is planning to fail.” Every business should prepare for the most common threats it faces by developing plans to handle the incidents that are most likely to occur.
Identify critical assets and systems: These are the things that are essential to keeping your business operational, such as contact details, email systems and core documents and applications.
Put back-ups in place: Protect the critical assets and systems identified with back-up mechanisms.
Define your cyber incident response: Make sure the valuable information you identified is stored in a safe place so that it is still available if your equipment is stolen or damaged in a cyber-attack. Understand how to restore data from a backup, what timeframes are involved, and whether you can train relevant people in your business to perform this role.
Test your plan: You should aim to do this at regular intervals and adapt and update it as required.
Put cyber risk on the business agenda: Set aside time to discuss these risks at your management or senior leadership team's weekly catch-ups. Find out where cybersecurity threats sit in the overall priority list.
Respond to an incident: In the event of a cyber incident, the basic response process is to identify the cyber threat, contain it, eradicate it and then recover from it.
Report the incident: Upon resolution of a cyber incident, formal reporting will often be required to both internal and external stakeholders. There are certain incidents you are legally required to report to your local enforcement and compliance agency. Best practice is to engage them as early as possible; such agencies are there to help you through what can be a stressful period for all involved. Any other regulatory bodies that you belong to may also require you to report a breach.
Implement lessons learned: Not only is it important to review your technical controls after the incident; it is also a good opportunity to review and deliver cybersecurity awareness training to help foster a culture of cyber awareness within your business. Your employees are your strongest asset but can also be your weakest link. The importance of educating them on good cyber practices should not be underestimated or taken for granted.
Keep improving and adapting: Reassess your risk and make any necessary changes when and where required. For example, if an employee’s password was compromised and you decide to implement a new password policy, measures worth considering include increasing password complexity, providing new training on password management, or enforcing the use of a password management app for more secure password storage. To ensure best practice adoption, you might want to consider partnering with a cybersecurity specialist.
To help you begin protecting your business against cybersecurity threats, we’ve developed a step-by-step approach to help your organisation respond to and recover from a cybersecurity attack. Download our free Cybersecurity Incident Response Plan, which guides you through how to detect, respond to, and recover from a cybersecurity attack.