In the event that a breach or other cyber incident has been detected the plan needs to be utilised. In this article we will look at the key items that we should complete whilst we deal with this incident.
Record the incident start time, remember you may need to report this event to the authorities such as the ICO and in this case there is a 72 hour window to evaluate the problem and prepare an initial report. Utilise a pre-prepared table to record your actions and key points as you go along. We use Excel and SharePoint for customers to record this information in a structured way.
Record everything in the time-line and ensure that it is in the correct order for future analysis. Information will flow in rapidly and having one member of the team assigned to recording the key actions and activities is essential.
Add key points in the time-line as you find them for both pre and post incident actions as you resolve the problem. The pre-incident items are the items that lead up to the breach or incident such as when phishing emails were received, forwarding rules, files deleted etc.
Collect and record as much information as possible during the investigation with the aim of answering the following:
The first step is to determine the nature of the incident and the immediate remediation to protect the systems and any data. If the system cannot be secured, then consider a temporary shutdown for user access and delay or stop the propagation of the incident whilst investigating.
In the event of data loss having a well practiced data recovery plan will speed up the recovery process. It is recommended that data recovery systems are proactively tested every month and a DR process practiced annually.
In the event of a breach, the method of access and where possible any identifying features such as the attacking network addresses should be used to detect any further intrusions or attempts. This will require the ability to setup your firewalls to block and report anything from these addresses.
Be prepared for the breach to expand, the attacker will often try and compromise additional accounts so having the ability to look for additional breaches is essential. Review event logs and system alerts for signs of further compromise. This is assuming that you have enabled logging and have this capability, as we are talking about small businesses in this example then we are often limited to those logs that come as standard. Many companies use Office 365, we recommend that they implement at least some default alerts and rules.
Once the incident is under control and the systems are secured, we can move forward and consider the follow up actions.
Evaluate the risks to the business and any individuals (data subjects), under GDPR if the incident poses a risk to individuals then you need to report it. Having pre-prepared notification letters to contact affected parties and having previously reviewed the ICO reporting forms can save considerable time.
It is necessary to evaluate the incident and determine whether it must be reported, the time line will be essential in this reporting so make sure the notes are concise and accurate.
Reports can be submitted via the phone or email to the ICO, typically the first response takes about a week and is followed up by instructions for either additional information or follow up actions. The same reporting form can be used to submit follow up reports.
Complete a post incident review and consider what needs to be changed to prevent future incidents. Having adequate technical resources is a requirement for GDPR and a failure can lead to a technical fine of up to 2% of the companies global turnover.Learning from any mistakes made and developing rugged and practical policies to protect the systems and data from further compromise is key. There is nothing new in this concept and quality management systems such as ISO9001 have encouraged this approach for many years.