To ensure some sense of order when you are attacked, start by following the cyber incident response checklist.
If your organisation is under a cyber-attack, you will feel an incomprehensible sense of pressure and stress. People will demand facts and the hunt for answers will be relentless. To ensure some sense of order when you are attacked, there are a few critical cyber incident response steps that you can take to save the day.
We got our CEO Amar Singh, to share a brief list of the top 5 things you can do during the Golden Hour (we cover this concept and more in our cybersecurity training and specifically our NCSC-Certified cyber incident response training).
With this list as a reference, and regular cybersecurity training within your organisation, you may just be able to successfully combat the attackers!
- Preserve the sanctity of evidence: A cyber-attack will lead to panic, there’s no two ways about it, at least for a team made up of humans. It’s important, however, not to delete or tamper with evidence during this panic. Integrity of evidence has to be maintained for understanding what happened, what can be done to control the attack, what future preventive steps can be taken. Evidence is also imperative for regulatory compliance once the attack has been reported.
- Record everything: Apart from the evidence itself, it’s essential that someone in your team records everything that is happening and all the actions that are being taken on a physical notepad. Remember, you don’t want to upload more information on a system that is already compromised. It’s also important to record the chain of events in terms of timing.
- Focus on Triage: If you have ever been in an ER or emergency room you will be familiar with the concept of triage. A nurse will ask you about your allergies, what you ate and/or drank, if you are on any medication etc. Here is a fact. Bad or wrong triage can very often lead to a wrong limb being chopped off and in the worst case, death! The same concept applies in cyber incident response. Bad triage leads to successful cyber-attacks. In many cases poor incident triage can lead to an all out cyber crisis.
- Act on regulatory requirements: During the cyber-attack, the cybersecurity team has to multi-task with agility. While focussing on controlling the attack and mitigating the impact, it is absolutely necessary to identify if there are any regulatory implications of the attack that has taken place and if sensitive customer data has been breached and then acting on it with urgency. This step is an absolute must-do to protect your business reputation and also save it from financial implications. The security team must be trained in this aspect and to think of regulatory requirements as a natural response during their cybersecurity training sessions.
- Make mental well-being a priority: While panic and chaos are natural when your business and security infrastructure is being compromised, it is also important to think of the mental well-being of your team during the attack. It is critical to not unnecessarily pressurise or admonish anyone and not play the blame game. This will further dampen morale and maybe even slow down people’s reflexes and prevent them from acting in the fastest and smartest way at the most crucial moments.
If you need more information on how to design effective cyber incident response plans and best practices associated with responding to a cyber incident, take a look at our NCSC Assured Cyber Incident Planning & Response course.