These days most organisations rely heavily on information technology. This means a cyber attack can seriously harm a business. However, the disruption caused by a cyber attack can be minimised if an organisation creates guidance documents, as well as tests and reviews a business resiliency plan (BRP).

A cyber attack response plan must form part of a BRP for organisations of any size, including small/medium-sized businesses. A key step to help reduce the impact of a cyber attack is to have an incident response team and a response plan in place. This guide will help you prepare.

The key stages to responding to a cyber incident are:

• Containment – understanding the scope of the incident and forming the appropriate response team and communication channels.
• Preservation – preservation of log or (IT) audit files that could be used later to help identify the cause of the incident. The creation of an incident log. This record of the steps taken during the incident could potentially be used later by regulators or authorities if an investigation is deemed necessary.
• Eradication – taking the necessary technical steps to resolve the cyber incident. This may include implementing temporary processes or technology to ensure business continuity. These changes need to be reviewed once the initial incident has been resolved.
• Recovery – taking the necessary steps to ensure normal operations are resumed. This may include testing of applications or systems before returning them to normal operations.
• Lessons learned – once the incident has been resolved a review team should convene to discuss any issues that were encountered during the incident. These lessons should be incorporated into the cyber attack response and business continuity plans as appropriate.

We have devised an example response plan into the key components and stages of a response plan and colour coded the suggested actions to match these components.

During a cyber attack event it is recommended that a log of all the major events and actions is maintained. This log helps to manage and coordinate the response to the incident. The log may also be used later as mitigating evidence if the incident were to be investigated by a regulator or supervisory body.

Not all cyber incidents need to be reported to the ICO but those that do will have to be reported within 72 hours of becoming aware of the breach.

For advice on how to report a data breach to the Information Commissioner’s Office (ICO), and examples of what constitutes a data breach, see ICAEW helpsheet: GDPR – Data Breaches. The ICO advice on how to report a data breach can be found here.