Target Audience for This Guidance
This guidance serves as a resource for CEOs in both public and private sector organizations to effectively manage a cyber incident. It outlines key considerations to keep in mind from the onset of an incident through its resolution.
The Necessity of This Guidance
In the event that your organization falls prey to a significant cyber attack, navigating the immediate aftermath can be quite challenging. Information may be plentiful in some areas while scarce in others. You will face tough, risk-based decisions aimed at safeguarding your operations, with the main goal being to minimize the adverse effects on your business, clients, and employees in the days and months that follow.
Establish Effective and Proportionate Governance
A cyber security incident encompasses more than just technical concerns; it also implicates business continuity, communication challenges, and potential financial and legal impacts.
It may be beneficial to appoint a dedicated Senior Responsible Officer (SRO) or employ a governance structure, such as the bronze, silver, and gold model, to delineate overall responsibility for the incident.
To support effective decision-making, make sure your team has the appropriate structures in place to:
- Comprehensively assess the total impact on the entire organization.
- Facilitate regular meetings among those managing the response.
- Empower senior decision-makers by clarifying how technical issues affect them.
- Provide a strong response to all demands of the incident, including communications with internal and external stakeholders, coordinating with regulators and insurers, and updating the board.
Engage Resources for Expert Advice and Support
Enlisting trusted external experts to provide an objective perspective can greatly enhance decision-making and assist in navigating the legal, technical, operational, and communication challenges that accompany a serious incident. These experts are there to advise, not to make decisive choices.
The NCSC recommends engaging a cyber incident response (CIR) organization to aid in the management of and recovery from the incident. The NCSC endorses several CIR companies.
If your organization possesses cyber insurance, it is advisable to inform your insurer, as they might have in-house or preferred CIR companies available, along with additional resources to assist during a cyber incident.
Assess the Impact of a Data Breach
Once a cyber security incident is resolved, lingering questions about the risk to data often remain, whether it’s your own data or that of your customers and employees. It is imperative that you communicate any data-related risks to data owners and consider the regulatory obligations you may have for reporting breaches.
The ICO (Information Commissioner’s Office) offers guidelines on personal data breaches, clarifying how to respond to a suspected breach. The ICO requires that a notifiable breach be reported without undue delay and no later than 72 hours after its discovery; any delay beyond that must be justified.
Craft Your Public Messaging Strategy
Implementing effective and transparent communications during a crisis can not only offer reassurance to your employees but can also safeguard your organization’s reputation externally. All communications must be factual and clearly articulated, avoiding any misrepresentation or downplaying of the incident that could lead to future complications or relationship issues.
Different stakeholder groups may require varying levels of detail; ensure that you identify in advance who needs to be involved in your communication strategy.
Evaluate the Risks of Paying Ransom in a Ransomware Attack
If your organization suffers a ransomware attack, it is likely that the perpetrators will impose stringent timelines for payment. It is vital to consult the NCSC guidance on ransomware and payments.
The NCSC and UK law enforcement do not advocate for the payment of ransom demands—be aware of the risks associated with such payments. Paying a ransom does not ensure access to your data or systems and may increase the likelihood of future attacks.
Prioritize Team Resilience and Well-being
During a crisis, employees at all levels may experience significant stress and uncertainty, which can have detrimental effects. Ensuring the welfare and morale of your team should be a primary focus within your response strategy. The NCSC offers guidance on staff welfare during incidents.
While incidents often start with a surge of activity, many also feature a prolonged aftermath. The team will need to make crucial decisions throughout this period, especially when strategizing for recovery and future prevention. It is vital to prevent staff burnout.
Experienced team members hold significant value for your organization; implementing sound well-being practices can also foster staff retention over time.
Conduct a Post-Incident Review
Following the incident, it is essential to conduct a debriefing with all involved parties. Assess what strategies were effective and what could be improved. This review is beneficial for staff welfare as well.
The objective should be to genuinely learn from the experience and to identify the factors that contributed to the incident, focusing on a systemic approach rather than identifying a singular root cause. The ultimate goal should be to prevent future incidents and enhance future responses.
Consider implementing a comprehensive cyber security review as a priority to identify and address any vulnerabilities that might invite further attacks.
The NCSC’s Cyber Security Toolkit for Boards enables organizations to integrate cyber resilience and risk management across all areas, including people, systems, processes, and technologies, serving as an excellent starting point.
Report the Incident
Finally, it is crucial to report significant incidents to the NCSC and UK law enforcement for effective support. This action contributes to a better understanding of the threat landscape, ultimately aiding in the prevention of future incidents and enhancing security for all.
You can report your cyber incident using the UK government signposting tool, which provides guidance on which organizations to notify based on the specifics of the incident.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/ceos-responding-cyber-incidents