Responding to a cyber incident – a guide for CEOs

Intended Audience for This Guidance

This guidance is designed for CEOs in both public and private sector organizations to effectively manage a cyber incident. It outlines key considerations for the onset of an incident and how to navigate through it.


The Importance of This Guidance

In the event that your organization suffers a significant cyber attack, the immediate aftermath can be overwhelming. Information may be plentiful in some areas while scarce in others. You will face challenging, risk-based decisions aimed at safeguarding your operations. Your goal is to minimize the impact on your business, clients, and employees in the coming weeks and months.


Establish Proportional and Effective Governance

A cyber security incident is not merely a technical problem. It is also a matter of business continuity and communications, with potential financial and legal implications.

Consider appointing a separate Senior Responsible Officer (SRO) or implementing a broader governance command structure, such as the bronze, silver, and gold model, to assign overall responsibility for managing the incident.

Ensure Your Team Can Make Informed Decisions by Implementing Structures That:

  1. Account for the entire impact across the whole organization

  2. Facilitate regular meetings for those managing the response

  3. Empower senior decision-makers by elucidating the impact of technical issues

  4. Enable a robust response to all incident demands (internal and external communications, collaboration with regulators and insurers, and updates to the board)


Seek Resources for Assistance and Guidance

Enlisting reliable external experts who can provide an objective viewpoint can greatly enhance decision-making quality and help manage the legal, technical, operational, and communication challenges that arise during a serious incident. These experts should provide guidance, not make key decisions.

The NCSC recommends utilizing a cyber incident response (CIR) company to facilitate management and recovery from the incident. The NCSC certifies several CIR companies.

If your organization has cyber insurance, inform your insurer, as they may provide in-house or preferred CIR firms along with additional services during a cyber incident.


Understand the Aftermath of a Data Breach

After resolving a cyber security incident, questions regarding data risk often arise, whether it pertains to your own data or that of customers and employees. It is essential to communicate any data risks to the respective data owners and to consider the regulatory obligations for reporting breaches.

The ICO (Information Commissioner’s Office) provides guidance on personal data breaches, clearly outlining how to respond to a suspected breach. The ICO mandates that you report a notifiable breach ‘without undue delay’ and no later than 72 hours after becoming aware of it. If the response time exceeds this, you must justify the delay.


Strategize Your Public Messaging

Effective and transparent communication during a crisis not only reassures employees but can also protect your organization’s reputation externally. Communications should be factual and clear, avoiding any misrepresentation or downplaying of the incident that could lead to future issues.

Consider providing varying levels of detail to different audiences – key decision-makers, wider staff, partner organizations, and the public. It’s crucial to plan ahead regarding who should be involved in your communications strategy.


Evaluate the Risks Associated with Ransom Payments

If your organization falls victim to a ransomware attack, the attackers may impose strict deadlines for payment. It’s advisable to review the NCSC guidance on ransomware and payments.

The NCSC and UK law enforcement do not support or endorse paying ransom demands; however, it’s essential to recognize the risks involved in such payments. Paying does not guarantee data recovery and may increase the chances of being targeted again in the future.


Address Team Resilience and Well-Being

During a crisis, employees across your organization may face stress and uncertainty, which can be detrimental. Prioritizing their welfare and morale should be central to your response strategy. The NCSC offers guidance on staff welfare during incidents.

While incidents often begin with acute activity, they may also have a prolonged impact lasting months. It’s essential to ensure that staff do not become exhausted, as they will need to make critical decisions, especially during the recovery phase.

Staff with incident management experience are invaluable, and establishing effective well-being practices can contribute to long-term staff retention.


Conduct a Post-Incident Review

After an incident, it’s important to hold a debrief with those involved in managing the situation. Consider what worked well and what could be improved. This process also supports staff well-being.

Engage in a review aimed at genuinely learning from the experience and understanding the factors that led to the incident. Focus on systemic issues rather than assigning blame. Identifying interrelated factors will help bolster organizational resilience.

Prioritizing a comprehensive cyber security review will assist in identifying and managing vulnerabilities within your systems that may lead to future attacks.

The NCSC’s Cyber Security Toolkit for Boards is a valuable resource to enhance cyber resilience and risk management across the organization.


Report the Incident

Lastly, report significant incidents to the NCSC and UK law enforcement, as they can offer support. Reporting also contributes to a better understanding of the threat landscape, aiding in the prevention of future incidents and enhancing overall security.

You can report your cyber incident using the UK government signposting tool, which will guide you on which organizations to notify based on the specifics of the incident.

Based on an article from https://www.ncsc.gov.uk/guidance/ceos-responding-cyber-incidents