Responding quickly to incidents - Layer Four

Continuing our series on cyber security and the National Cyber Security Centre's guide to helping organisations protect themselves from cyber attacks, we have already covered the first three layers:


Layer One - ‘Making it difficult for attackers to reach your users’

Helping users identify and report suspected phishing emails - Layer Two

Protecting your organisation from the effects of undetected phishing emails - Layer Three


This final blog will look at Layer Four - Responding quickly to incidents.


Respond quickly to incidents

An article published last year (20 May 2020) in CSO, a website that provides news, analysis and research on security and risk management, states:

“Did you know that data breaches cost less in the UK than the global average, but security budgets are also smaller? Or that the vast majority of companies in the country have suffered incidents, and usually by phishing?”

Over the 12-month period from 2019 to 2020, 37% of UK companies reported a data breach incident to the Information Commissioner's Office (ICO), so it doesn't pay to be complacent. When your organisation is the victim of a cyber attack (and unfortunately the statistics suggest it is a case of 'when' and not 'if'), the speed of your response is key.

Ensure you have systems in place that will quickly tell you there has been a security breach, and have an action plan ready to deal with it. How quickly you act determines the extent of the damage.


Inform users how to report a breach

Knowledge is power, as the saying goes. People need to know how and where to report a threat before it happens, and they should be aware that if their own device is affected, they will need another channel of communication through which to raise the alarm.


Security logging systems

The NCSC recommends the use of a security logging system that detects issues the user is not aware of. Once this is in place, keep the system current and updated so that nothing slips through the net. These monitoring tools can come in various forms:

  • Inbuilt and integral to off-the-shelf services
  • An in-house team
  • Outsourced via a managed security monitoring service

If you don't have the resources for this, the NCSC offers Logging Made Easy (LME), an open source project suitable for almost any organisation where time and equipment are limited. According to the NCSC's page on 'Logging Made Easy', it 'is a practical way to set up basic end-to-end Windows monitoring of your IT estate' and can:

  • Tell you about software patch levels on enrolled devices
  • Show where administrative commands are being run on enrolled devices
  • See which users are using which machine
  • In conjunction with threat reports, LME allows you to search for the presence of an attacker in the form of Tools, Techniques and Procedures (TTPs)
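To make two of those capabilities concrete, here is a small added example (our own illustration, not code from the NCSC or the LME project) that runs over a handful of constructed Windows Security log events of the kind a logging system collects: it reports which human users have logged on to which machine, and where processes have been started with an elevated (administrative) token. The event IDs, logon types and token elevation values are standard Windows Security log values; the hostnames, usernames and event records themselves are made up.

```python
# Added example (not from the NCSC or the LME project): answer two of the
# questions above from Windows Security events: which users use which
# machine, and where administrative (elevated) commands are being run.
from collections import defaultdict

# Constructed sample events (not real logs). Field names follow the Windows
# Security log: 4624 = successful logon, 4688 = process creation.
EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "SYSTEM", "LogonType": 5},
    {"EventID": 4624, "Computer": "WS02", "TargetUserName": "bob", "LogonType": 10},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "TokenElevationType": "%%1938"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "TokenElevationType": "%%1937"},
]

# Logon type 2 (interactive) and 10 (remote interactive) mean a person was at
# the keyboard; type 5 (service) is noise for the "who uses which machine" question.
HUMAN_LOGON_TYPES = {2, 10}
# %%1937 = TokenElevationTypeFull: the process runs with a full administrator token.
ELEVATED_TOKEN = "%%1937"


def users_per_machine(events):
    """Map each computer to the set of human accounts that logged on to it."""
    seen = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4624 and ev.get("LogonType") in HUMAN_LOGON_TYPES:
            seen[ev["Computer"]].add(ev["TargetUserName"])
    return dict(seen)


def admin_commands(events):
    """List (computer, user, process) for processes started with an elevated token."""
    return [(ev["Computer"], ev["SubjectUserName"], ev["NewProcessName"])
            for ev in events
            if ev["EventID"] == 4688 and ev.get("TokenElevationType") == ELEVATED_TOKEN]


if __name__ == "__main__":
    for host, users in users_per_machine(EVENTS).items():
        print(host, sorted(users))
    for host, user, proc in admin_commands(EVENTS):
        print(f"elevated: {user} ran {proc} on {host}")
```

A real deployment would read events from the collector rather than a list, but the filtering logic is the same: the value of central logging is that these questions can be answered for every enrolled device at once.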


Prevent further harm with an incident response plan

One size doesn't fit all, so a good response plan will equip your organisation with the right response for different scenarios. Have you considered what to do if a password has been exposed and needs to be reset? Whose role is it to remove the offending malware? How is that achieved?

These questions and others should be covered in an incident management plan. Having one in place has a number of benefits:

  • Prevents further damage
  • Reduces financial cost
  • Limits operational impact
  • Minimises harm to reputation
  • Future-proofs against further threats

To find out how to detect, respond to and resolve an online security threat, refer to ’10 steps to Cyber Security - Incident Management’.

The NCSC highlights the importance of practising a response plan so that when a threat is detected, you are confident it can be dealt with effectively. Refer to the NCSC's 'Exercise In A Box', a free online tool that lets your organisation test, as many times as it likes and in a safe environment, how it would respond to a cyber attack, and reports back on your resilience to cyber threats.

If you would like to know more about how we can help your organisation defend itself against email phishing or security in general, please get in touch with our cyber security team. We’re here to safeguard both you and your staff.


Other articles in the series:

Layer One - ‘Making it difficult for attackers to reach your users’

Helping users identify and report suspected phishing emails - Layer Two

Protecting your organisation from the effects of undetected phishing emails - Layer Three

Email phishing and why your organisation should protect itself

Audit your security with Cyber Essentials
