Cyber security incidents (such as a data breach or ransomware infection) can have a huge impact on an organisation in terms of cost, productivity, reputation and loss of customers. Being prepared to detect and quickly respond to incidents will prevent the attacker from inflicting further damage, and can reduce the financial and operational impact.
Fire Drills – Cyber Drills
We generally know what to do in the event of a fire – we’ve been taking part in fire drills since school and legislation and regulation require the provision of signage and undertaking of fire risk assessments. The threat of a fire is robustly managed and rightly so, given the life threatening impact. This significantly minimises the likelihood of a serious fire taking place.
We often cannot say we are as prepared for a cyber incident. There is little regulation requiring us to exercise our response to a cyber incident, yet cyber incidents are now highly likely to affect every business at some stage. The cost is significant and may be lost productivity, direct financial loss, customer data loss, regulatory fines or more.
Planning for a cyber incident is likely to significantly reduce the time taken to spot and react to an unfolding cyber incident. This then minimises the impact and allows your business to continue functioning normally – or as near normally as possible.
Questions to Consider
What data does our team need to function? Consider:
- What data is critical to our role?
- What do we do if we lose access to critical data?
- What do we do if we lose access to all data?
- What do we do if we lose integrity of our data?
- What do we do if our data is stolen?
What technology do we use to access and process data to operate? Consider:
- What technology is critical to storing our data?
- What technology is critical to accessing or processing our data?
- What can we do if software or hardware becomes a risk? (i.e. vulnerability)
- What if we have a hardware or software failure?
- How do we replace technology, quickly? Who / what is the priority?
How do we communicate within our team?
How do we communicate with those outside our team? Consider:
- What communications platforms are we dependent on?
- In a crisis, how do we communicate with our team, and others?
- What do we do if we lose control of our comms platforms – how do we communicate that they cannot be trusted?
Incident Response Planning
- Planning can significantly reduce response time, resolution time and impact
- Start with plans on the most likely threats:
- Ransomware (as specific plan)
- Network or system intrusion
- Data breach or loss
- Denial of Service
- For each plan, think about:
- How you are likely to detect the problem
- The systems or people the incident is likely to affect
- The impacts of such an incident – and how they could be mitigated
- How you might isolate the problem and stop the spread
- Who you would call for assistance – and how
- How you would gather more information for responders
- Steps to recover from the incident
- How you would learn from the incident and improve the plan
Develop incident response plans for likely threat types
NB: in case of complete system failure, have printed copies!
Get your free Cyber Incident Response Plan template from the Cyber Resilience Centre for the South-East:
Quick Win Tools
Check Your Email Security
Check your email security quickly and simply! There are three simple and free* tools which help reduce the risk of your business emails being impersonated – Sender Protection Framework (SPF), Domain-based Message Authentication Reporting and Conformance (DMARC) and Domain Keys Identified Mail (DKIM) provide significant email security by identifying computer servers which are permitted to send emails for your business and digitally signed them. Take a couple of minutes to check your email security:
* the records which create these tools cost nothing extra to having a business email domain, but your ICT provider may charge a fee for implementing these. You may be able to do this yourself.
Check Your Cyber Security
Check some basics about your cyber security for free! This service performs a range of simple online checks to identify common vulnerabilities in your public-facing IT.
All checks are remote, without the need to install software and uses the same kind of publicly available information as cyber criminals use to find easy targets.
These checks function when you’re connecting to the internet from your office network and on your business devices.
Early Warning System
The NCSC’s free Early Warning service processes a number of UK-focused threat intelligence feeds from trusted public, commercial and closed sources, which includes several privileged feeds not available elsewhere.
By providing details of the assets your organisation owns, Early Warning will deliver feeds of the following types of threat information:
- Incident Notifications – Activity that suggests an active compromise of your system.
- Example: Your IP address has been involved in a DDOS attack.
- Network Abuse Events – Indicators that your assets have been associated with malicious activity.
- Example: A client on your network is a part of a Botnet.
- Vulnerability Alerts – Indications of vulnerable services running on your assets.
- Example: You have a vulnerable port open.
Cyber Protect Services
The Cyber Protect network exists across the UK and provides FREE cyber awareness training sessions to organisations including business, education, public services, local government and the charitable sector*. Fine out more: