Whatever their size, most organisations will, at some point, fall victim to a cyber security incident.
We recently published Evalian’s checklist for planning and preparing for one here, which can help reduce the likelihood of cyber threats and improve your cyber security.
But what do we do if we fall victim to a cyber attack?
It’s important to know the steps to take to minimise the time systems are down or not operational and to help your business recover.
When responding to an incident, there is usually pressure to focus on getting systems back up ASAP, especially business-critical systems, and particularly if you have SLAs with customers where there may be financial or other penalties or reputational repercussions if your systems aren’t functioning. But rushing to restore systems can exacerbate the problem.
Evalian have put together a high-level checklist to give you a good starting point.
Incident Response checklist for dealing with an incident:
Contain the breach
Disconnect affected systems from the network, segregate sections of the network, disable compromised user accounts and advise users not to connect or use specific systems. If you move too quickly to try and recover systems then the problem may spread and/or systems may simply become infected again, which will slow you down and use up valuable resources.
When the incident is under control you have reached the point at which you can reconnect or recover systems. Ensure you know the critical systems within the business and the impact an incident will have if they are compromised or become affected. Prioritise those systems aggressively during containment, eradication and recovery.
Your recovery activity could include, for example, restoring from backups, rebuilding systems from the ground up, patching, changing authentication details, tightening controls and running enhanced monitoring on compromised systems in the immediate aftermath. Much of this can be pre-planned, especially for priority, specialist, or legacy systems where knowledge may be limited.
Remember to keep recording all details about the incident, including decisions made by the incident response team (IRT), and to gather and store evidence in line with a set procedure, in a manner that protects both the evidence and the record of where it came from.
Post incident: lessons learned review
Use this as a genuine opportunity to identify steps to be taken to help prevent similar incidents and to respond more effectively in the future. Schedule the review as soon as possible after the incident so it is fresh in the IRT’s mind and refer back to the records and notes kept during the incident. If you want to know the key questions to include in your review, read this Guide to Incident Response.
Create a follow-up report for the incident. This can be used as a reference point for the IRT to assist them with handling similar incidents in future. You should share your report with management for their review so that they can then evaluate, discuss and approve your suggested recommendations.
Evalian are cyber security experts who are experienced in supporting organisations with incident response and providing internal employee training exercises such as phishing awareness assessments. They are CREST accredited and are also a certification body for Cyber Essentials & Cyber Essentials Plus.