
Cyber Incident Response Plans


Cyber Incident Response Plans need to cover a wide range of issues, including:

  • The types of cyber attack that can occur

  • How cyber attacks can be detected

  • How to understand the impact of a cyber attack

  • What to do to respond to and recover from the cyber attack

What types of cyber attack should we consider in Cyber Incident Response Plans?

There are several types of cyber attack - each one has different methods of infiltrating your system, and some have different objectives once they are in. The most common types of cyber attack are:

  • Brute forcing where the attacker is trying to force their way into your system by guessing passwords

  • Ransomware where the attacker is attempting to deny access to your data by encrypting it and demanding a ransom to decrypt it

  • Data exfiltration where the attacker is trying to steal data from you with a view to reselling it to other hackers and criminals (they might also demand a ransom to return it)

  • Social engineering techniques (such as phishing emails) used to facilitate payment fraud or to introduce malicious code for data exfiltration and/or ransomware

Each of these attacks uses different strategies to attack an organisation and therefore requires different approaches to respond to and recover from.

What capabilities should be built into Cyber Incident Response Plans to detect cyber attacks?

This is your first line of defence - being able to recognise that you are under attack and that any preventative measures may have been compromised. Typical indicators of attack include:

  • Brute force attacks are often indicated by multiple login failures within a short time period

  • Ransomware attacks (where your data is encrypted "in situ") are often indicated by bursts of file update activity

  • Data exfiltration is often indicated by excessive outbound activity on your network

  • A phishing attack may be identified by a vigilant user who thinks an email (which may have slipped through automated email defences) looks suspicious and refers it to the helpdesk for investigation
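The first two indicators above (repeated login failures, bursts of file updates) are simple enough to express as count-in-window rules. The following is an added illustration, not code from the original page or from RiskCentric: a sliding-window detector run over constructed log lines (timestamp, event type, actor), with hypothetical event names and thresholds chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data): "<ISO timestamp> <EVENT> <actor>", in time order.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:00:{i:02d} LOGIN_FAIL 203.0.113.7" for i in range(1, 7)]   # rapid failures
    + ["2024-03-01T09:00:30 LOGIN_FAIL 198.51.100.5",
       "2024-03-01T09:05:00 LOGIN_FAIL 198.51.100.5"]                            # two, far apart
    + [f"2024-03-01T10:15:{i:02d} FILE_WRITE ws-finance-03" for i in range(12)]  # write burst
    + ["2024-03-01T10:20:00 FILE_WRITE ws-hr-01"]                                # normal activity
)

WINDOW_SECONDS = 60
# Hypothetical event names -> (alert label, number of events within the window that triggers it)
RULES = {
    "LOGIN_FAIL": ("brute-force: repeated login failures", 5),
    "FILE_WRITE": ("ransomware-like burst of file updates", 10),
}

def parse_line(line):
    ts, event, actor = line.split()
    return datetime.fromisoformat(ts), event, actor

def detect(log_text, window=WINDOW_SECONDS, rules=RULES):
    """Return (timestamp, actor, label) alerts; one alert when a key first reaches its threshold.

    Keeps a deque of recent timestamps per (event, actor) and drops entries older than
    `window` seconds. Assumes lines arrive in chronological order, as a log tail would.
    """
    windows = defaultdict(deque)
    alerts = []
    for line in log_text.strip().splitlines():
        ts, event, actor = parse_line(line)
        if event not in rules:
            continue
        label, threshold = rules[event]
        recent = windows[(event, actor)]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window:
            recent.popleft()
        if len(recent) == threshold:  # fires once as the count crosses the threshold
            alerts.append((ts.isoformat(), actor, label))
    return alerts

if __name__ == "__main__":
    for when, who, what in detect(SAMPLE_LOG):
        print(f"{when} {who}: {what}")
```

Real thresholds and windows need tuning against your own baseline, otherwise a nightly backup job will look like ransomware and a misconfigured service account like a brute-force attack.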

In all of these cases some kind of initial response is required. If detection is prompt, the attack can be handled by IT specialists and the organisation as a whole continues as usual. However, if the attack is widespread, a wider response may be required that involves the whole organisation, including its senior management.

How should our cyber incident response plans assess the impact of a cyber attack? 

The major criteria for assessing the impact of a cyber attack are closely aligned to the specific nature of your organisation. The key things to focus on are getting a clear picture of scale (how big the incident is in terms of the resources it is affecting and the operational impairment it is causing) and how fast this is changing. These are the main criteria to be used when deciding whether or not to invoke your Cyber Incident Response Plans. Establishing this can depend on the nature of the attack, so it is a critical part of the plan that you have implemented facilities to establish the damage a particular type of cyber attack is causing your organisation.

What steps should Cyber Incident Response Plans include when a major attack has been confirmed?

At this stage a major incident has been confirmed. It is now understood that the IT department can't remediate the issue promptly, the organisation can't operate effectively and there may be legal implications associated with the situation. As a minimum, cyber incident response plans should cover:

  • Data recovery - how long will it take to restore data to a usable state?

  • IT infrastructure recovery - how will a trusted version of IT systems be restored (cyber attacks don't just compromise data, they compromise IT configurations)?

  • Where will the restoration activities be performed?

  • How will critical operational activities continue? Are there practical workarounds?

  • How will situation updates and communications (internally & externally) be handled, bearing in mind that normal methods of communication - such as email - may be unavailable?

Example of a Cyber Incident

When an organisation is hit by a cyber attack, it can quickly escalate into a major incident, throwing up many issues and challenges. Unless you have been directly affected by a cyber attack it can be difficult to visualise all the things that can happen and what you will need to prepare for. We have prepared an example of a cyber incident, based on things that have actually happened, that shows some of the issues that need to be considered in a cyber incident response plan.

Cyber Incident Simulations

Developing a cyber incident response plan is an important step in preparing your organisation to respond to a cyber attack - but it's not the "end-game": KNOWING that your plans are fit for purpose and will work when called upon requires that they are regularly reviewed and tested, preferably by performing cyber attack simulations.

Steve Dance, Managing Partner, RiskCentric

Follow or connect with Steve,  RiskCentric's owner & founder via LinkedIn
