In our latest research, Cyber Security Insights Report 2022, we saw a steep rise in the frequency of serious cyber incidents experienced by large organisations within the past three years – from 60% in 2021 to 75% in 2022. Evidence, if more is needed, that businesses must be prepared for a cyber-attack.
In our new video, The first 48 hours of a cyber incident, we share how a business under attack should respond - from the first hours when unplugging safely and getting external expert support is critical, through to remediation and recovery once the incident is contained. We hope it helps in your organisation’s cyber preparedness.
0 to 4 hours
During the initial phase, unplugging safely is the first step, along with contacting your insurer. Key actions include:
- DO provide a comprehensive handover of information
- DO ensure you act on the initial advice from the technical vendor
- DON’T be slow to act
- DON’T delay notifying the insurer
- DON’T ignore containment advice.
Your legal, technical, operations and C-suite teams will each have internal recovery activities. But the success of a serious cyber crisis response rests on communication and the right governance across all teams. Ensure everyone knows their role and communicates effectively.
Now the investigation is underway. The technical responders will analyse the forensic evidence; for example, in a ransomware incident they’ll examine:
- How did the threat actor get in?
- How did data exfiltration take place, and what data has been lost?
- What has the threat actor accessed or changed in the environment?
Containment is vital, and it is the monitoring team that will detect and remove malware. Don’t slow down this phase. Make sure you have a clear understanding of your network and the devices connected to it: for example, the number and location of laptops and the security controls around them.
Recovery can take you well beyond 48 hours. The more prepared you are, the quicker it will be. Some key steps include:
- Planning before a response
- Prioritising during a response
- Having a good understanding of what systems are critical
Contact S-RM if you would like to discuss how to improve your cyber resilience or our incident response services.