By having a thorough incident response plan in place, and acting quickly to implement it upon discovering a breach, you can successfully protect your business and build resilience in the future. It can dramatically increase the chances of a positive outcome.
The UK Council for Registered Ethical Security Testers (CREST) has published an extremely thorough guide on all aspects of incident response, from preparation to response and post-incident action. The National Cyber Security Centre also has guidance for small businesses to plan your response to a cyber incident.
We’ve summarised this advice and offered digestible, practical steps that anyone suffering from an incident can implement.
What should you do if you’ve identified an issue?
✔️ Remove the affected device or devices from any network. If identifiable, you should disconnect network cables or turn off Wi-Fi. If it’s a mobile device, enable airplane mode straight away.
✔️ Invoke your incident response plan.
✔️ Consider engaging professional help. You should think about using a company that has a CREST or NCSC certification for incident response, as this proves that the provider has certified and experienced professionals that can handle cyber incidents.
✔️ Contact the FSB Cyber Protection helpline. We’ll be able to advise FSB members every step of the way.
✔️ Establish a reporting and communication channel. Include all parties requiring incident details and updates. Nominate someone to be responsible for distributing these details and updates on a regular schedule – for example, every two hours.
✔️ Document the incident. This could simply involve a timeline detailing what actions have been performed, and by who.
✔️ Secure any potential evidence for investigation purposes. This may include physical media such as USB sticks/CDs or non-physical evidence such as screenshots or photos of screens.
✔️ Preserve pertinent logs. If you have logging turned on, these will be vital in understanding what has happened. If you can, keep copies of these.
✔️ Conduct interviews of any involved users immediately and make notes.
✔️ Consider if anyone needs to be informed. This may include authorities, customers, staff or insurers.
❌ Wait to invoke your incident response plan. It’s important that you respond quickly to help minimise any damage or further risks.
❌ Forward any suspicious emails or documents. Phishing emails containing malware attachments shouldn’t be opened.
❌ Run any anti-virus or other utilities on affected systems. Leave this to the investigation.
❌ Turn off affected systems. This can damage evidence.
❌ Reconnect affected systems until you are sure they are safe.
What should I do after a cyber incident?
Once an incident has been successfully contained and any business impacts have been negated, it’s wise to complete some or all of the steps below to reduce future risk, improve company preparedness and maximise customer satisfaction.
- Investigate the incident more thoroughly. Being able to successfully identify the cause of an incident may allow you to negate future attacks of this nature.
- Report the incident to relevant stakeholders. This will likely be a more thorough update than those provided during the incident as any impacts affecting the past, present and future should now be known.
- Carry out a post-incident review.
- Communicate and build on lessons learned.
- Update key information, controls and processes.