The UK’s National Cyber Security Centre (NCSC) has published guidance aimed at helping CEOs across the private and public sectors understand how best to manage and respond to a cyber security incident.
The guidelines, which have been designed to complement its existing Board Toolkit support package, are intended to serve as a non-technical guide to help business leaders navigate the various courses of action they will need to take while their IT and security teams are hard at work.
“If your organisation is victim of a significant cyber attack, the immediate aftermath will be challenging,” said the NCSC. “You may find there is a lot of information in some areas, and none in others. There will be difficult risk-based decisions to make to protect your operations. Your aim will be to limit the impact on your business, clients and staff in the weeks and months which follow.”
Given incident response encompasses far more than just security, bringing together business continuity practices, internal and external communications, and potentially financial and legal teams, it’s more and more important for organisations to have proportionate and effective governance in place, said the NCSC.
The first step, therefore, should be to appoint a dedicated senior responsible officer (SRO) or implement a more broad governance command structure – many choose to adapt the well-known three-tier bronze-silver-gold command structure used in the UK’s emergency services.
CEOs should also oversee the implementation of structures to help their teams make effective decisions, accounting for the full impact of the incident across all parts of the organisation, facilitating collaboration between those managing the response, and better empowering senior decision-makers by making it clearer how and why the more technical aspects of a cyber incident will affect them in practice.
Finally, they must not be afraid to allow a robust response to the various demands of an incident, covering aspects such as communications with the board, customers or users, media outlets, and other stakeholders such as regulators and insurance companies.
External support a must
Being able to quickly draw on external resources for guidance and support throughout a cyber incident is also a must, so these structures should be put in place while the sun still shines. CEOs should surround their teams with third-party cyber expertise; individuals who are able to step back and think about things objectively can drastically improve the quality of decision-making during the darkest hours and days of an incident, and help victims better manage legal, technical, operational and communications considerations.
The NCSC itself recommends and assures that a number of cyber incident response companies can be drawn on, but the guidance also notes that cyber insurance providers may wish to deploy their own in-house or preferred incident responders, so should be kept informed.
Ransomware demands
In ransomware attacks, business leaders will also need to consider the risks of making a payment to recover their data and systems. Cyber criminals will often set tight deadlines, act aggressively and lie to extract money from their victims, so it’s important to be prepared to deal with their tactics.
There’s currently no provision in law that stops a private sector organisation in the UK from paying a ransom – although pressure is mounting for this to change – but the NCSC nor UK law enforcement encourage, endorse or condone the payment of ransom demands. There is no guarantee the cyber criminals will act in your interests once paid, and paying extortionate demands has been proven to make it more likely you will get hit again.
Mental health
CEOs should also make sure to put the morale and welfare of their employees as a high priority during a cyber attack – stress and uncertainty at such times can be hugely detrimental to incident response.
The NCSC advises that this will need to be an ongoing process – beyond an initial flurry of activity, cyber incidents often have a very, very long tail, with impacts lasting for months – even years – if regulators become involved. Teams will need to make important decisions throughout these processes, so good wellbeing practice is essential to support them through this, and may also help retain staff in the long run.
Beyond resolution
Once the “headless chicken” phase of a cyber attack has passed, victim organisations will often face outstanding questions – many of them very daunting – about risks to customer and staff data, so it’s vital that the impact of any such breach is properly communicated, both to those affected and to law enforcement, incident responders, insurers, regulators and so on.
Wider guidance on this is as ever available from the Information Commissioner’s Office, covering aspects such as the 72-hour reporting framework for notifiable breaches.
At the same time, effective and transparent external public relations will reassure both employees and help protect the organisation’s wider reputation. Such messaging should be factual and clear, and at pains to never misrepresent or downplay the incident – doing so may create difficulties and damage trust further down the line. These communications plans, and what detail is given to whom, are things that should be worked out ahead of time.
The strategy of complete transparency may of course not be for everyone – but the example of the British Library, which earlier in March 2024 published an in-depth report that laid out its experience of a ransomware attack, sets a gold standard for good practice in incident communications.
Finally, said the NCSC, CEOs should take pains to review the lessons learned from an incident, conducting debriefing sessions with those involved, asking what went right, what went wrong, and what could have been done differently or better. For this approach to be effective, there needs to be a genuine desire to learn from the experience and understand what led to it, so these reviews should be systemic in their nature – and, critically, not pin down one root cause or blame one person.
The aim throughout this step is not to punish, but to prevent and prepare, so everyone involved needs to understand the various factors around the incident and how they relate to one another.