Responding to a cyber incident – a guide for CEOs

Who Should Follow This Guidance?

This guidance is designed to assist CEOs from both public and private sectors in effectively managing a cyber incident. It outlines key considerations to address at the onset of an incident and throughout its progression.


Why Is This Guidance Important?

In the aftermath of a significant cyber attack, organizations face numerous challenges. There may be an overwhelming amount of information in some areas while a lack of it in others. You will have to make tough risk-based decisions to safeguard your operations, aiming to minimize the impact on your business, clients, and employees in the ensuing weeks and months.


Establish Proportionate and Effective Governance

A cyber security incident transcends mere technical concerns; it also poses threats to business continuity, communication, financial stability, and legal matters.

Appointing a dedicated Senior Responsible Officer (SRO), or using a broader governance structure such as the bronze, silver and gold command model, can help make clear who holds overall responsibility during the incident.

To facilitate effective decision-making, ensure that there are structures in place to:

  1. Consider the full impact across the entire organization

  2. Enable regular collaboration among those managing the response

  3. Inform and empower senior decision-makers by clarifying the implications of technical issues

  4. Ensure a robust response to all demands of an incident, including internal and external communications, collaboration with regulators and insurers, and updates to the board


Engage External Resources for Guidance and Support

Having reliable external experts can enhance decision-making quality and assist in managing legal, technical, operational, and communication aspects of a serious incident. Their role is purely advisory; they do not make key decisions.

The National Cyber Security Centre (NCSC) recommends utilizing a cyber incident response (CIR) company to effectively manage and recover from an incident. The NCSC certifies several CIR firms.

If your organization holds cyber insurance, inform your insurer, as they may possess in-house or preferred CIR providers along with other supportive services during a cyber incident.


Assess the Implications of a Data Breach

Even once a cyber security incident is resolved, questions about data risk may remain, whether the data at risk is your own or that of customers and staff. It is essential to communicate any data risks to the data owners and to consider the regulatory obligations you may have to report breaches.

The Information Commissioner’s Office (ICO) offers guidance on personal data breaches, detailing how to address a suspected breach. The ICO requires that notifiable breaches be reported ‘without undue delay’, and in any case within 72 hours of becoming aware of the breach. If you report later than that, you will have to justify the delay.


Strategize Your Public Messaging

Effective and transparent communication during a crisis will not only reassure your workforce but may also protect your organization’s external reputation. All communications should be factual and clearly articulated, while also avoiding any misrepresentation or minimization of the incident, which could lead to future complications.

Adjust the level of detail based on your audience, whether it’s key decision-makers, wider staff, partner organizations, or the general public. Prepare in advance to identify who should be included in your communication planning.


Evaluate the Risks Associated with Ransomware Payments

In the event of a ransomware attack, the perpetrators often impose strict payment deadlines. It is advisable to review the NCSC guidance on ransomware and payments.

The NCSC and UK law enforcement do not advocate or support paying ransom demands. Be aware that making payments to criminals comes with inherent risks, and there is no guarantee of regaining access to your data or networks after payment. Research indicates that paying ransoms increases the likelihood of being targeted again in the future.


Prioritize Team Resilience and Welfare

During a crisis, employees throughout the organization are likely to experience stress and insecurity, which is harmful both to them and to the response. Ensure that the welfare and morale of your staff are primary concerns in your response plan. The NCSC provides guidance on staff welfare during incidents.

While incidents may begin with an intensive action phase, they often extend with ongoing ramifications lasting for months. Important decisions will need to be made throughout the process, especially regarding rebuilding and preventing future incidents, so preventing staff burnout is crucial.

Staff members with incident experience are invaluable, and implementing solid wellbeing practices can also contribute to long-term staff retention.


Conduct a Review of Lessons Learned

After the incident, debrief with those involved in its management. Evaluate both what was successful and what could be improved. This process is beneficial for staff welfare as well.

Carry out a review with an aim to genuinely learn from the experience and identify factors that contributed to the incident’s occurrence. This analysis should be broad rather than focusing on a single root cause, with the goal being to prevent future occurrences and enhance organizational resilience.

It is crucial to identify how various factors interact and relate to one another. Conducting a general cyber security review should also be prioritized to address any vulnerabilities that could lead to further attacks.

The NCSC’s Cyber Security Toolkit for Boards is a valuable resource to integrate cyber resilience and risk management throughout your organization, encompassing people, systems, processes, and technologies.


Make Sure to Report the Incident

Ultimately, it’s essential to report significant incidents to the NCSC and UK law enforcement agencies for guidance and support. Such reporting enhances the understanding of the threat landscape, contributing to prevention efforts and improved security for everyone.

Document your cyber incident using the UK government signposting tool, which assists in identifying relevant organizations to notify based on the incident’s specifics.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/ceos-responding-cyber-incidents