Back

Blogs

NHS DSPT New Submission Requirements

View All

Case Studies

Powering Alt HAN Co.'s Smart Meter Rollout

View All

Upcoming Events

LEMA Summit 2024

View All

Webinars

Thoughts

The Power of a Cyber Incident Response Plan

9th Jan, 2024

Picture this: someone, posing as the CISO, has rung the IT department in a manner of urgency. An unsuspecting employee – thinking that the infiltrator was who they said they were – sent them credentials to a crucial system.

The successful social engineering attempt led to threat actors stealing customer data and bringing your systems down. Your company has worked tirelessly overnight to restore order, causing financial losses and upset customers.

You ask yourself during this precarious situation: “How could this have happened?

One of the biggest misconceptions is that Cyber Security incidents only happen to large enterprises. Especially those that operate in key industries. On July 31st 2023, LockBit – a prolific cybercrime organisation – targeted a 440-pupil school on with ransomware. They gave the victims two weeks to pay the ransom with the threat of releasing pupils’ data.

In the UK, cyber-crime has cost the economy approximately £27 billion per annum.

My company got hacked! What do I do?

There are certain legal obligations that an organisation must follow when an incident has been discovered, depending on the severity. Knowledge of these processes is crucial, especially when the breach concerns a customer’s personal data. A lack of transparency will only worsen a situation and reduce trust. Usually, there is a certain period of disclosure required after knowledge of an incident; in the UK, this must be within 72 hours.

The media spotlight will be on your organisation during this time. Thus, it’s important the board takes the lead and remains operationally focused to display leadership, alleviate stress, and provide reassurance – a sure-fire step to restoring operations quickly and effectively.

Preventing incidents

It was found that 77% of organisations do not have an incident management plan. A disorganised approach only makes dealing with a breach a more stressful and anxiety-inducing experience, leading to a delay in recovery and continuity. An effective strategy will minimise the impact on your organisation’s profit, reputation, and stakeholder relationships.

To ensure that incident awareness is consistently communicated throughout the business, keep all stakeholders (such as employees, customers and suppliers) well-informed. Set up a communication channel so all personnel – whether they work in the cyber security department or not – are aware of any critical issues that arise.

Alongside an incident management plan, the NCSC recommends that a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP) are established to determine a consistent system for restoring operations as soon as possible after a breach.

Practice your plan

To truly measure a plan’s effectiveness, it must be trialled – just like a fire drill. Conduct regular tabletop exercises and attacker simulations to find flaws in business processes and to check that the roles of everyone involved are clear.

Learn lessons

Looking over what went wrong and what could be changed is the first step to preventing similar situations. In this phase, the designated team can review how the incident happened, and reflect on the incident response plan in place to decide what works and what can be improved.

It is important to remember that no-one is perfect; even the most seasoned cyber security experts can fall for the ‘simplest’ scams.

Prevent incidents from occurring

There are always warning signs before an incident occurs. To catch the attack attempt in the early stages, constantly and continually observe network traffic to detect patterns and anomalies. Understand what exact signs were missed and employ preventative security measures for the future.

All employees should undergo training to minimise the chances of successful social engineering attempts. Consider implementing an efficient system for reporting suspicious activity.

Authors