Incident response planning should be part of your business' cyber security regime, alongside risk management and cyber security breach detection. An incident response plan can help safeguard your business and protect it against the impact of cyber crime.
It’s important to plan your cyber security incident response before you actually detect any intrusions. As part of this process, consider ways in which you will handle cyber security and your readiness to:
- prepare for an incident
- deal with a cyber breach or intrusion
- follow up a cyber security incident
It's best to decide in advance how you will manage these different aspects of your response.
Steps in cyber incident response
STEP 1: Contain the breach
Once you detect a breach, your priority will generally be to contain it and mitigate the risk of further damage to your business or loss of data. To do this, you will have to:
- assess the nature and scope of the incident
- consider all systems that could have been affected
- look for concealed intrusions
- reroute network traffic or block a web attack, if applicable
- isolate or suspend compromised devices, networks or system areas
Occasionally, you may need to suspend your entire organisation's network or website, even if this causes further disruption to your business.
If the breach is limited to certain aspects of your business, determine which services, processes and operations can safely continue while you're dealing with the incident.
STEP 2: Form an incident response team
An incident response team will usually involve:
- technical or security personnel - to investigate the breach
- HR representatives - where employees are involvement in the breach
- PR experts - to control and minimise brand damage
- data protection experts - if personal data has been misused, leaked or stolen
You may also want to engage a legal adviser and - if you have insurance in place - consult your insurance provider.
STEP 3: Conduct an investigation
Look into the circumstances of the breach, and assess how it has affected you. Plan remedial actions, including those needed to:
- identify gaps in security that have led to the breach
- clean up affected systems and remove ongoing threats (eg malware)
- get systems up and running again
- address internal or external involvement in the breach
Carry out an investigation to determine which security controls have failed. Keep a record of this information and use it to:
- review and improve policies and procedures for your business
- develop a comprehensive incident response plan for any future intrusions
STEP 4: Address legal and regulatory requirements
As part of managing the incident, you may need to inform certain organisations or individuals about the breach. Be clear about who you need to notify and why. You may need to inform:
- the regulators if the breach results in the loss or theft of personal data
- any individuals or groups whose personal data has been compromised, such as customers, clients and suppliers
Businesses in specific sectors, eg financial services or telecommunications, may also need to notify relevant regulatory bodies about the incident.
STEP 5: Report the incident
Like any other crime, you should report cyber crime incidents to the law enforcement agency assigned to tackle it. You may need to contact different agencies depending on the type of the incident and if it is still in progress. Find out how to report a cyber crime.
STEP 6: Manage reputational damage and customer relations
Not all security breaches become public, but those that do (eg customers' personal data leaks) have the potential to cause significant reputational harm to businesses. In such circumstances, communicating quickly, openly and honestly to those affected by the incident is often the best course of action.
If the damage to your brand and business is significant, you may want to consider hiring a crisis manager or a public relations consultant to help you work out feasible strategies.
To help you prepare for and plan your response to a cyber incident, see also the NCSC's small business guide to response and recovery.