Are you prepared to respond to cyber incidents?

In today’s landscape of increasing cyber threats, preparing to respond quickly and robustly has never been more important. There is a need in the sector to have a strategy for cyber security and a plan to respond to incidents, says Simon Hickman, CEO, Access Insurance.

Many incident response planning frameworks share six common steps: Preparation, Identification, Containment, Eradication, Recovery, and Review/Lessons Learned. These stages provide a structured approach to handling cyber incidents. This article shares some key things charities can do to be better prepared to respond to cyber threats.

For a deeper dive into incident response frameworks, stakeholders, and processes, the National Cyber Security Centre (NCSC) offers valuable insights and guidance.

Stay up to date with monitoring and reporting threats

Cybercrimes are constantly evolving, so you must be able to adapt your defences quickly. Regularly upgrading your monitoring tools ensures you are better equipped to face the latest advancements. Additionally, you will need to evaluate your capability level and budget constraints to respond effectively. Increasing your capabilities must involve training your dedicated response team to better identify and respond to breaches. The NCSC’s Cyber Essentials is a good place to start, though to ensure preparedness, training must be given regularly. You may also consider investing in outsourced cyber security capability.

Monitoring is a crucial element in threat detection, and you will need to know which channels to watch to catch signs of suspicious activity. These channels could be anti-virus software, security systems and technical alerts, or staff engagement, or they could involve third parties such as suppliers, members of the public, regulators or specialist teams.

When threats are identified, particularly by people or third parties, it is essential to have an efficient and easy reporting procedure to facilitate a rapid and coordinated response to potential breaches or incidents.

Prepare for different types of incidents

It is helpful to categorise potential incidents, defining the type of breach and a pathway to eradication and recovery. This will help allocate the appropriate people, resources, and processes to the problem. Categorisation enables tailored response strategies for different incident types, acknowledging that responses will vary. For example, a supply chain data breach will be handled differently from a ransomware attack.

This planning stage can culminate in a series of playbooks, guides, or checklists to follow when an incident occurs, providing a clear process for tracking the response.

Categorisation also allows you to prioritise specific risks, allowing the most critical incidents to receive immediate attention. A severity matrix or risk assessment can be a helpful exercise when defining the potential incidents.

Don’t undervalue documentation

Clear and detailed documentation is crucial for incident response and improving cyber security. It streamlines decision-making during incidents, ensuring stakeholders follow predefined procedures efficiently. Use documentation such as forms and checklists to track and monitor the development of an incident as it progresses.

Documentation also serves as an evidence trail for compliance and regulatory purposes. This may include records such as communication and system logs, technical alerts and a timeline of events. In the event of reviews by courts or regulators, your incident documentation becomes indispensable. Furthermore, in post-incident analysis, documentation serves as a critical reference to identify vulnerabilities requiring attention and improvements in response procedures.
