Unless you know that an incident has happened (or may have happened), you will not be able to respond effectively, if at all. How you detect an incident will vary depending on the nature of that incident – a stolen or lost laptop is quickest to discover via a staff report, for instance, while cyber attacks will likely require some form of security monitoring. Where an anomaly is detected (multiple failed login attempts to a user account, for example), an alarm is raised for someone to manually investigate.
As mentioned previously, it is only possible for an anomaly to be detected if you know what ‘out of the ordinary’ looks like. Equally, staff will only report an incident if they know what constitutes one and are trained to report it to the appropriate person or team.
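The "multiple failed login attempts" anomaly mentioned above is a good illustration of what monitoring has to do: define what out of the ordinary looks like (a threshold and a time window), then raise an alarm for a person to investigate. The following is an added example, not code from the original text. It parses constructed sshd-style log lines (sample data only, not from any real system), counts failures per user and source address in a sliding window, and flags the case a triager most wants to see first: a burst of failures followed by a successful login. The log format, the threshold of 5 failures in 5 minutes and the field names are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a common syslog/sshd layout (not real data).
# alice: five failures in a few seconds, then a success (worth investigating).
# bob:   two failures 25 minutes apart (ordinary, no alarm).
# carol: a normal key-based login.
SAMPLE_LOG = """\
Mar 12 09:14:01 host1 sshd[2211]: Failed password for alice from 203.0.113.10 port 51234 ssh2
Mar 12 09:14:03 host1 sshd[2211]: Failed password for alice from 203.0.113.10 port 51236 ssh2
Mar 12 09:14:04 host1 sshd[2211]: Failed password for alice from 203.0.113.10 port 51238 ssh2
Mar 12 09:14:06 host1 sshd[2211]: Failed password for alice from 203.0.113.10 port 51240 ssh2
Mar 12 09:14:07 host1 sshd[2211]: Failed password for alice from 203.0.113.10 port 51242 ssh2
Mar 12 09:14:09 host1 sshd[2211]: Accepted password for alice from 203.0.113.10 port 51244 ssh2
Mar 12 09:20:00 host1 sshd[2300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 12 09:45:00 host1 sshd[2310]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 12 09:46:00 host1 sshd[2311]: Accepted publickey for carol from 192.0.2.5 port 40100 ssh2
"""

# Assumed line layout; adjust the pattern to whatever your own logs look like.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Turn one log line into an event dict, or None if it is not an auth line.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "src": m["src"],
            "failed": m["result"] == "Failed"}


def detect_failed_login_bursts(lines, threshold=5, window_seconds=300):
    """Raise one alert per (user, source) that reaches `threshold` failures
    inside a sliding window of `window_seconds`. A later success from the same
    user and source marks the alert as 'succeeded_after_burst' so triage can
    prioritise it over a burst that never got in."""
    windows = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    open_alerts = {}               # (user, src) -> alert dict already raised
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if not ev["failed"]:
            if key in open_alerts:
                open_alerts[key]["succeeded_after_burst"] = True
            continue
        q = windows[key]
        q.append(ev["ts"])
        # Drop failures that fell out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in open_alerts:
            alert = {"user": ev["user"], "src": ev["src"], "count": len(q),
                     "first_seen": q[0], "last_seen": q[-1],
                     "succeeded_after_burst": False}
            open_alerts[key] = alert
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_failed_login_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT user={a['user']} src={a['src']} failures={a['count']} "
              f"{a['first_seen']:%H:%M:%S}-{a['last_seen']:%H:%M:%S} "
              f"login_succeeded_after={a['succeeded_after_burst']}")
```

On the sample data only alice's burst is reported, and it is marked as followed by a successful login; bob's two widely spaced failures stay below the threshold, which is the point of choosing the window from what normal activity looks like rather than from a single magic number. The alert is the hand-off to the manual triage step: it carries who, from where, when and how many, which is exactly what the person investigating needs to record.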
Triage, which normally involves a manual follow-up to a cyber security event, needs to occur as quickly as possible after the initial report. This process must establish whether you are dealing with a false alarm or a cyber incident and, if the latter, how to escalate it. It is important you document the process, showing how you reached your conclusions and providing information you may need later.
If it appears to be an actual incident, you need to assess the situation to determine what further steps you must take. What type of incident are you dealing with? What systems and/or data have been affected? Understanding the nature of the incident will help direct your remediation activities – for instance, if you are dealing with ransomware, affected devices will need to be cleaned of malware and restored using backups.
Depending on the nature of the incident, you may also need to act quickly to contain the damage (for instance, if you are aware of an attacker moving through your systems, you could force a logout). Note the importance of planning ahead here: you cannot force a logout, or complete various other containment actions, if you have not enabled that capability in advance.
Where applicable, you need to report the incident to relevant stakeholders, such as Action Fraud, regulators, insurers, partners and customers.
If the breach is significant enough that you need to inform your data subjects (whether they are partners, customers or otherwise), you may also have to issue a public statement and/or provide comment to the press.
Remediate the situation and repair the damage. If you are dealing with malware, for example, you need to eliminate every trace of it, and likely harden and patch your systems before recovering them.
Recovery is all about getting back to business as usual. At this stage, any trace of malware or other cyber threats should be eradicated, meaning that systems and backups can be safely restored (although it is sensible to test impacted systems before connecting and using them as normal again). It is also a good idea to let users know that everything is up and running again.
After you have fully recovered from the incident, you should review your response plans, procedures and other measures to identify scope for improvement. This could be to prevent a future occurrence of the same incident, or to improve your responses in general.