This year has seen some major UK entities hit by significant cyber attacks, including Greater Manchester Police, Royal Mail, Capita, The Guardian and Barts Health NHS Trust.

There is an ever-increasing risk of cyber incidents as ransomware is deployed to extort payments in exchange for the return of or access to stolen data. Automated spam messages have also been at the heart of some key cyber attacks this year – even tech-savvy money saving expert Martin Lewis was nearly caught by a phishing text. While the best protection is to prevent these incidents breaching your security, the next step is to have robust measures in place to help your organisation respond.

What to do if there is a cyber incident at your organisation?

1. Incident Response plan

The first step comes before an incident occurs; preparation is everything. You should have a well-known, easily accessible Incident Response plan that can be accessed even in the event of systems being inaccessible. There will be key strategic decisions to be made, including authorising financial spend and deployment of resources, so there should be clear decision-makers appointed, with holiday cover built in. Early established channels of communication will be essential. It is important to think about how essential operations can be maintained in the event of a system shutdown – this might mean having the capability to return to paper-based systems in the short term, and alternative methods of communication.

2. Management

It is critical to move from initially responding to the crisis to managing the incident, and you should engage protections at the earliest stage to avoid contagion. This means managing business needs, as well as the incident. As well as thinking about how to manage the incident and systems, the data risk must be considered. The extent of the data you control and process will depend on the nature of your organisation, and the risk posed will depend on the extent of the disruption you are experiencing. However, even at the lower end of the scale, data preservation and protection must be top priority.

People management is critical too – keeping staff up to date on next steps, and hopefully referring them back to prior training on what to do in the event of a security incident!

3. Assess

Assessing the nature and scale of a cyber incident will help you identify and prioritise what steps can be taken to recover systems and protect operations. The Incident Response plan should also have provision to help identify and categorise the issues faced, and how they can be tackled. A number of factors determine the seriousness of the issues, and the assessment will be a balance of the operational, reputational, financial and system impacts.

4. Get help

Think about who is needed – engage independent forensic help as soon as possible. Engaging lawyers to instruct forensics can assist in asserting privilege should there be legal action at a later stage. This might also mean engaging with the relevant insurers to trigger coverage, and access support. There will likely be multiple avenues to explore and having the relevant experts on board will be key to ensuring all are investigated thoroughly. If the incident is widespread or large scale it may well be reported, and reputation management assistance should be sought.

You might also have a reporting obligation to sector regulators, the authorities, and crucially the Information Commissioner.

5. Recover

The ultimate objective is to reduce the impact of any cyber incident to facilitate a speedy and complete recovery. Acting quickly to follow a detailed incident response plan to manage and assess the risk, with the support of relevant professionals, will help you minimise the lasting impact and maximise recovery. Long term recovery also means learning lessons across the lifespan of the incident – prevention, management, resources, and recovery.

Our Burness Paull cyber team have significant experience in managing responses to cyber incidents and are on hand to work with you to prepare for, and in the aftermath of, any cyber incidents, and put in place measures to help prevent them from occurring.