Responding to a cyber incident – a guide for CEOs

Intended Audience for This Guidance

This guidance is designed for CEOs operating in both public and private sectors to effectively navigate a cyber incident. It outlines critical considerations to address at the onset and throughout the incident response process.


The Importance of This Guidance

In the wake of a significant cyber attack, organizations face numerous challenges. There may be an abundance of information in certain areas, while other aspects may remain unclear. Critical risk-based decisions will need to be made to protect operations, with the objective of minimizing the impact on the organization, its clients, and its workforce during subsequent weeks and months.


Establish Effective and Proportional Governance

A cyber security incident poses more than just a technical challenge. It affects business continuity, communication, and can also involve financial and legal dimensions.

It may be beneficial to appoint a separate Senior Responsible Officer (SRO) or implement a broader command structure, such as the bronze, silver, and gold model, to assign comprehensive responsibility for the incident.

To facilitate effective decision-making, your team should ensure that structures are in place that allow you to:

  1. Consider the comprehensive impact across the entire organization.

  2. Facilitate regular gatherings for those managing the response.

  3. Inform and empower senior decision-makers by clarifying the implications of technical issues.

  4. Enable a strong response to all demands stemming from the incident, including internal and external communication, collaboration with regulators and insurers, and updates to the board.


Engage External Resources for Expertise and Support

Involving reliable external experts can significantly enhance decision-making quality during serious incidents by assisting with legal, technical, operational, and communication considerations. It is essential to remember that their role is advisory, not decision-making.

The NCSC recommends collaborating with a cyber incident response (CIR) firm to aid in managing and recovering from incidents. The NCSC certifies several CIR companies.

If your organization has cyber insurance, notify your insurer; they may provide access to preferred CIR firms along with additional resources during a cyber incident.


Assess the Consequences of a Data Breach

After resolving a cyber security incident, lingering questions regarding data risks often arise, covering both your organization’s data and any customer or employee data in your possession. It is vital to communicate any data risks to relevant data owners and to consider regulatory obligations for reporting breaches.

The ICO (Information Commissioner’s Office) provides guidance on personal data breaches, outlining steps for responding to suspected breaches. The ICO mandates that you report notifiable breaches ‘without undue delay’ and within 72 hours at the latest. If delays occur, valid reasons must be provided.


Strategize Your Public Messaging

Effective and transparent communication during a crisis can reassure employees and help safeguard your organization’s public reputation. Communications should be factual and clear, avoiding any misrepresentation or downplaying the incident, which could create complications in the future.

Adapt the level of detail shared with different groups—key decision-makers, stakeholders, general staff, partner organizations, and the public. Pre-identify who should be involved in your communication strategy.


Analyze the Risks of Complying with Ransom Payments

In the event of a ransomware attack, perpetrators may impose strict timelines for payment. Consult the NCSC guidance on ransomware and payments for further information.

The NCSC and UK law enforcement advise against the payment of ransom demands, highlighting the risks involved. Paying criminals does not guarantee data recovery and may lead to recurring targeting in future incidents.


Evaluate Team Resilience and Well-Being

During crises, team members across all levels likely experience stress and uncertainty, which can have adverse effects. Prioritize staff welfare and morale in your response planning. The NCSC offers guidance on staff welfare during incidents.

Cyber incidents often involve immediate, intense activity, followed by extended periods of impact. Teams will need to make crucial decisions throughout, especially regarding rebuilding efforts and mitigating future occurrences. It is essential to ensure staff do not become exhausted.

Staff with experience in incident response are invaluable, and implementing sound well-being practices can enhance staff retention over the long term.


Conduct a Post-Incident Review to Gather Insights

After an incident, organize a debriefing with all individuals involved in its management. Evaluate both successful aspects and areas for improvement. This practice also positively impacts staff morale.

Commit to a thorough review with the intention of learning from the experience and understanding the factors contributing to the incident. Ensure this is systemic rather than assigning blame to a single cause; the focus should be on preventing future occurrences and enhancing resilience.

Recognize the interconnected factors at play, which can assist in fortifying your organization’s resilience.

Conducting a comprehensive cyber security review should also be prioritized to identify and manage vulnerabilities in your systems that could lead to further attacks.

The NCSC Cyber Security Toolkit for Boards is a valuable resource for embedding cyber resilience and encompasses people, systems, processes, and technologies throughout the organization.


Ensure Incidents Are Reported

Finally, report significant incidents to the NCSC and UK law enforcement, as they can provide critical support. Reporting incidents not only enhances understanding of the threat landscape but also contributes to preventing future incidents and improving overall security.

Utilize the UK government signposting tool to determine the appropriate organizations to notify based on the circumstances of your incident.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/ceos-responding-cyber-incidents
