Help - there has been a cyber attack!
This is a call no one in any organisation wants to receive. But if you did get that call from a colleague or your outsourced IT provider, would you know what to ask and what to do next?
Your first question: what has happened and what is the impact?
The National Cyber Security Centre (NCSC) defines a cyber incident as “unauthorised access (or attempted access) to an organisation’s IT systems. These may be malicious attacks (such as denial of service attacks, malware infection, ransomware or phishing attacks), or could be accidental incidents (such as damage from fire/flood/theft)”. This is a wide definition covering many different situations, and each situation can vary in severity. For example, the incident could affect a small, isolated part of your IT system and limited data and information, with minimal operational impact; or, at the other end of the scale, your whole network and large volumes of confidential and commercially sensitive information and personal data could be impacted, with trading severely compromised.
So the starting point should be to understand, as best you can based on the information available (which may initially be limited), what has happened and what the impact is.
Next: what is being done to contain and resolve the incident?
Swift action is essential to prevent further damage and to gain a clearer understanding of the situation so that appropriate steps can be taken. Hopefully this process is already underway.
Who needs to know and is there an incident response plan?
Your organisation should have an incident response plan outlining how cyber incidents are managed and who needs to be informed. Being prepared is key, so make sure you are familiar with your organisation’s plan and know how to access an up-to-date offline copy if needed.
Prevention is key, but so is preparation
Whilst preventing a cyber incident should be a top priority, even organisations with robust cyber security measures can fall victim. That’s why preparation is vital. Proactive planning ensures that if an incident does occur, reactive measures can be taken swiftly and effectively, minimising disruption and aiding recovery.
You can read more about the importance of preparation and what should be included in an incident response plan here.
Are external reports required?
If you are a director of the organisation, or in a legal or compliance role, consider whether the following notifications are necessary:
- Contact Action Fraud and the NCSC: they can offer support.
- Notify your insurers: under your cyber or professional indemnity policy. This should be done without delay. Your policy may require you to use specialists nominated by the insurer to contain the damage.
- Report to the ICO: if personal data has (or may have) been affected, consider whether a personal data breach has occurred and whether it needs to be reported to the ICO and potentially to affected individuals.
What lessons can be learnt?
It is key following any cyber incident that the incident is reflected upon and lessons are learnt. If:
- Patching vulnerabilities: this should be a priority.
- Updating processes or response plans: make necessary changes.
- Addressing user error: provide additional training where needed.
Want to read more?
The NCSC has various resources available to support organisations preparing for and responding to cyber incidents: https://www.ncsc.gov.uk/section/advice-guidance/large-organisations
________________________________________________________________________________________
Disclaimer
This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.