Part of your planning should be how your firm responds if it does suffer a cyberattack. You need to consider how you can prepare for an attack and what the key steps are when a threat has been detected.
Incident report plan
Broadly, your incident response plan will include the following steps
|Identification||Verify whether an event is a security incident. A rapid triage is needed to understand what has happened and to filter out false positives.|
|Containment||Isolate affected systems to prevent further damage (it is important to note that the machine displaying the symptom (for example) may only be the tip of the iceberg). This is a critical step which is almost always dealt with incorrectly. You must understand how the different types of attack happen to know how and what to isolate.|
|Elimination||Find the source / root cause of the incident, to ensure it is removed from affected systems. You should be satisfied that the attack has ended, and that any malicious software and connections have been removed. This needs to be done by someone with the right cybersecurity experience, otherwise two serious things frequently happen. First, the criminals are still in your system and accessing your data. Second, you will lose the footprint showing where the criminals have been and what data they have taken. NB Ransom demands: if you are faced with a ransom demand, you should seek specialist help.|
|Categorisaiton and reporting||You must determine exactly what data or assets have been accessed or stolen. All breaches should be recorded. Review whether the matter should be reported to any of the following: Information Commissioner's Office, the Law Society of Scotland, your bank, the police, ActionFraud, your clients, your employees, your insurers and anyone else who may be affected. Revisit this as further information emerges.|
|Recovery||Allow the affected systems back into normal operation after ensuring no threat remains. Ensure that increased monitoring and vigilance is in place.|
|Lessons learned||Complete a post incident review to learn from the incident and improve future defences and response efforts.|
An effective response plan requires preparation. The greater the preparation the easier it will be to cope with any cyber breach when it occurs.
You need to have an understanding of all your systems that could be affected by an attack and where your data is stored.
- Identify the critical services, data locations and third parties you rely upon
- assess your vulnerabilities as regards your policies, technology, and people
- review backup and recovery procedures.
This will be the team who help steer your business through any cyberattack. The team should proportionate to the size and complexity of your firm (it may be one person, ideally with a back-up). It may include external contractors if you outsource your IT and cybersecurity. They will be responsible for coordinating damage limitation, incident investigation and communications.
- Define the roles and responsibilities of team members including authority levels for specific actions such as notifying the regulator of a breach or instructing technical response experts, external forensics or external lawyers if required
- Establish response guidelines by considering and discussing possible scenarios with employees.
- Establish an emergency contact procedure. There should be one contact list with names listed by contact priority.
- How do you define risk? You should consider and define a protocol that helps identify whether a threat is low risk, medium risk or high risk.
Identify stakeholders and when they should be informed – colleagues, clients, third party suppliers, police, Information Commissioners Office, PR agency etc
If a breach becomes public, consider who will make statements in the media. Ideally, that person should have media training and be backed up by someone with technical expertise. If you do not have those skills, consider using a PR firm. If you have suitable insurance, the insurers might provide someone.
- Train your staff - your staff need to know how to recognise what a breach looks like, what their immediate response is and who they should contact. Ideally you can set out a description process so that you can easily describe an incident in a way that everyone will understand. Your staff should also be familiar with your response teams’ plan.
You can read more about the types of threats here.
- Training for your response team - Your response team need to know that processes work and for that they need to road test the processes. This will help you identify quirks and gaps in your processes and it is by having a practice run that those issues can more easily be identified and remedied in advance of the real thing occurring. The classic example is around the location of the incident response plan: most organisations never think about it properly but if the plan is held only on the main server, how can it be accessed in the event of an incident.
Effective backups are an important ingredient of incident response and you should consider the following:
- The backups need to include data, software, and system configuration to be effective. This is the information required to re-create your business systems, not just the files and documents.
- The storage locations need to reflect the fact that the office may be out of bounds during an incident.
- Make sure your backups follow best practice in terms of frequency, protected copies, and memory capacity (as examples).
- Ensure staff understand what locations are backed up. Consider whether important information is stored on laptops that are not being backed up.
Typically, firms forget the recovery part of this process. You do not want to be recovering files and systems for the first time in a live incident. Recovery should be rehearsed annually, and improvements noted and actioned. Consider whether your backups will survive a ransomware attack and how long your firm will be out of action if you need to recover the complete system and data.
Read more about reporting personal data breaches and security in the Law Society’s GDPR Guide
There is further guidance on the National Cyber Security Centre website, including an exercise in a box and advice specific to your size of organisation
• Sole traders and self-employed
• Small to Medium-size Enterprises
• Large organisations
This section of the guide was produced by the Law Society of Scotland’s Law and Technology Committee in conjunction with the Society’s strategic partner, Mitigo.
Mitigo operate a rapid response and investigation service for firms that have suffered a cybersecurity incident. For more information you can contact Mitigo on 0131 564 1884 or email firstname.lastname@example.org