Cyber attacks and data breaches are huge risks for organisations. With the GDPR (General Data Protection Regulation) mandating that incidents be reported within 72 hours of discovery, you need a plan in case disaster strikes.
You might think that’s an impossibly short deadline, but if you follow the four steps we outline here, you can ensure that you meet your compliance requirements.
Free download: Cyber Incident Response Management – A beginner’s guide
Download our free green paper to:
- Understand exactly what constitutes a cyber incident;
- Learn about the potential consequences of suffering an incident;
- Find out what to include in your incident response plans; and
- Discover a step-by-step incident response process.
Contain the breach
Once an organisation realises it has been breached, it needs to identify how the incident happened. This will allow the organisation’s security staff to take any appropriate action to prevent any further damage.
In many cases, this will mean disconnecting the organisation’s systems from the Internet, but doing this isn’t always appropriate.
If the breach was caused by a database that wasn’t password protected or an insider losing a removable disk, for instance, disconnecting your systems will unnecessarily halt business and probably cause panic among your staff.
Assess the risks
Once the threat has been contained, organisations should assess the extent of the damage and consider how to proceed. They should find out:
- What type of data is involved;
- How sensitive the data is;
- Approximately how many people’s data is affected;
- Who is affected (customers, staff, suppliers, etc.);
- Whether the information contains financial information or other high-risk data;
- Whether the stolen data is encrypted; and
- Whether the organisation backed up the data.
Notify regulators and those affected
Depending on the answers to those questions, organisations will have to notify regulators and/or the affected individuals.
Under the GDPR, data breaches only need to be reported if they “pose a risk to the rights and freedoms of natural living persons”.
This generally refers to the possibility of affected individuals facing economic, social or reputational damage, or financial losses.
Prepare for the future
After an organisation has responded to an incident, it should take appropriate action to prevent future breaches.
It should use the information it gathered responding to the incident as the starting point to investigate further, identifying how its cyber security measures can be improved.
This might include investing in better security technology, updating its policies or making its staff more aware of their cyber security responsibilities.
Cyber incident response services from IT Governance
If you need help preparing for and responding to cyber security incidents, we have everything you need.
Cyber Incident Response – Readiness Assessment
This assessment provides an impartial and detailed review of your organisation’s ability to identify, contain, mitigate and recover from a cyber incident. It covers:
- How your processes, policies and procedures contribute to your cyber incident response capabilities;
- Whether key stakeholders know how to report a suspected incident and what to do from there;
- Who in your organisation is responsible for escalating, containing, remediating and recovering from an incident, and their roles and responsibilities throughout the process;
- Which technologies are relevant throughout an incident’s lifecycle, such as preventive measures, monitoring technologies and response capabilities; and
- Which physical controls may be affected by a cyber incident.
After the review, you will receive a detailed report with our findings, recommendations and guidance on remediation tactics, and a prioritised action plan.
Cyber Incident Response – Tabletop Exercises
We will develop tabletop exercises to test and engage staff from across your business in order to highlight deficiencies, recommend improvements and ensure that everyone knows what to do in the event of an incident.
Cyber Incident Response – Emergency Support
If you suffer a cyber security incident, we can support you by:
- Reviewing the evidence of the incident to determine its nature and extent;
- Advising on the measures necessary to contain the incident, limiting its spread and reducing the harm;
- Directing the available resources to manage your recovery activities;
- Providing key information about the incident and the response to management and staff involved in response activities, and about what your organisation can learn from the incident;
- Gathering and preserving critical information about the incident, which can be passed to authorities and used to prevent future incidents;
- Showing you how to proceed following the incident, including what to prioritise, which resources need to be allocated to resolve the issue, and which internal and external parties need to be notified; and
- Reviewing your incident response procedures to highlight improvements and inform your planning.
The Cyber Incident Response – Emergency Support service is based on a combination of the best-practice cyber incident response framework developed by CREST and the international standard on incident management, ISO/IEC 27035.
Cyber Incident Response – Retainer
A version of this blog was originally published on 14 December 2017.