Who Should Utilize This Guidance?
This guidance is tailored for CEOs of both public and private sector organizations facing a cyber incident. It outlines critical considerations to take into account both at the initiation and throughout the duration of an incident.
Importance of This Guidance
In the event of a significant cyber attack on your organization, the aftermath can be overwhelming. You may encounter abundant information in some areas while lacking it in others. Making difficult risk-based decisions will be essential to safeguard your operations. The key objective is to minimize the disruption to your business, clients, and staff in the ensuing weeks and months.
Establish Proportional and Effective Governance
A cyber security incident is not merely a technical issue; it encompasses business continuity, communications, as well as legal and financial concerns.
It may be beneficial to appoint a dedicated Senior Responsible Officer (SRO), or to implement a formal command structure such as the gold (strategic), silver (tactical) and bronze (operational) model, so that overall responsibility for the incident is clearly assigned.
To Facilitate Effective Decision-Making, Ensure Frameworks are Established to:
- Account for the comprehensive impact across the entire organization.
- Enable consistent collaboration among those managing the response.
- Inform and empower senior decision-makers by explaining how technical issues affect them.
- Support a robust response to every aspect of an incident (internal and external communications, coordination with regulators and insurers, providing updates to the board).
Engage Resources for Guidance and Support
Enlisting reliable external experts who can provide an objective perspective can greatly enhance decision-making and assist in managing legal, technical, operational, and communication challenges that arise from a serious incident. The primary purpose of these experts is to offer advice, not to make critical decisions.
The NCSC recommends engaging a cyber incident response (CIR) company to help manage and recover from the incident. The NCSC assures a number of CIR companies.
If your organization carries cyber insurance, ensure that you notify your insurer, as they may provide in-house or preferred CIR companies, in addition to other support services during a cyber incident.
Assess the Consequences of a Data Breach
Even once a cyber security incident has been contained, questions about what data has been exposed often remain, whether it is your organization's own data or data about customers and staff that you hold. You will need to communicate any risk to the data subjects or data owners, and to consider the regulatory obligations that may require you to report a breach.
The ICO (Information Commissioner's Office) publishes guidance on responding to personal data breaches, which sets out what to do when you suspect a breach has occurred. The ICO requires you to report a notifiable breach 'without undue delay' and no later than 72 hours after becoming aware of it. If you report later than that, you must give reasons for the delay.
Consider Your Public Messaging Strategy
Transparent and effective communications during a crisis not only reassure your employees but can also protect your organization’s external reputation. All communications should be factual and straightforward, being cautious not to misrepresent or underplay the incident, which may lead to future complications.
Different audiences may require varying levels of detail – from key decision-makers and stakeholders in your organization to broader employee communication and public outreach. Ensure that you identify in advance who needs to be included in your communication planning.
Evaluate the Risks of Paying in a Ransomware Attack
If your organization falls victim to a ransomware attack, the attackers will typically impose tight deadlines for payment. Consult the NCSC guidance on ransomware and payments before deciding how to respond.
The NCSC and UK law enforcement neither encourage, endorse nor condone paying a ransom. Be aware of the risks of paying criminals: payment does not guarantee that you will regain access to your data or networks, and organizations that pay may be targeted again in the future.
Prioritize Team Resilience and Welfare
During a crisis, employees at all levels may experience anxiety and uncertainty, which can have severe repercussions. It is vital to prioritize their welfare and morale in your response plan. The NCSC has guidance on ensuring staff welfare during incidents.
Incidents may initiate intense workloads but can also entail prolonged effects, with impacts lasting for months. Teams will need to make critical decisions throughout this period, particularly concerning rebuilding and preventing future incidents. Avoiding staff exhaustion is essential.
Individuals with incident management experience are invaluable to an organization, and establishing sound well-being practices may aid in retaining talent long-term.
Conduct a Review of Lessons Learned
After the incident, schedule a debrief with those involved in managing it. Reflect on what went well and what could be improved; this is also good for staff wellbeing.
Undertake a review with the genuine intention of learning from the experience, seeking to understand the array of factors that contributed to the incident rather than pinpointing a single root cause. The focus should be on prevention and enhancement for future reference, rather than placing blame.
Numerous interrelated factors contribute to incidents, and comprehending their connections is crucial for bolstering organizational resilience.
A comprehensive cyber security review should also be prioritized to identify and address any vulnerabilities in your systems that could lead to future attacks.
The NCSC Cyber Security Toolkit for Boards is an excellent starting point for embedding cyber resilience and risk management across your organization, encompassing people, systems, processes, and technologies.
Make the Necessary Reports
Finally, significant incidents should be reported to the NCSC and UK law enforcement, who are positioned to provide support. This practice also enhances the understanding of the threat landscape, contributing to greater preventive measures and improved security for everyone.
Report your cyber incident by utilizing the UK government signposting tool, which guides you on the organizations to inform based on the specifics of the incident.

Based on an article from www.ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/ceos-responding-cyber-incidents