Best Practice Guide: Navigating the Aftermath of a Cybersecurity Breach

Cybercrime is a national issue. According to government figures it costs the UK economy an estimated £27bn a year. Keeping on top of your cyber security is a critical part of running a business in the modern world.

But if you’re running a small or medium-sized business, it’s easy to think you might not be a target. However, research shows that employees at SMEs are 350% more likely to be targeted by cybercriminals! 

So, what do you do if the worst happens? 

This guide aims to give you actionable steps for managing the aftermath of a cybersecurity breach, ensuring you're well-equipped to navigate this complex landscape.

Immediate Response

The initial moments after discovering a cybersecurity breach can be stressful, to say the least. Your actions during this critical period can significantly influence the breach's long-term impact. 

  • Activate Your Incident Response Team (IRT): This might sound like a specialised team that you need to hire, but the concept is actually pretty simple. An IRT is made up of the people in your business who will need to be involved in whatever actions the incident requires.
     
    IRTs are usually composed of members of the IT, legal, HR and communications departments. Of course, if you're a smaller business, this could literally be one or two people. Either way, as soon as you learn of the incident, get the team started on damage control.
     

  • Isolate Affected Systems: The first technical step is to isolate the compromised systems to prevent the breach from spreading. This can be done in various ways, such as disconnecting the affected computer from the internet or taking it off your internal network.
     
    By isolating, or "quarantining," the affected computer, you're essentially putting a barrier around it. This stops the issue from moving onto other computers, protecting your data and your operations. 
     
    The goal is to contain the problem so that your IT team or experts can step in to fix it without the risk of it affecting your entire operation. 
     

  • Document Everything: From the moment the breach is discovered, maintain a detailed log of what's happening. This will not only aid in the investigation but also serve as a record for legal and insurance purposes. 
     
    Keep a real-time, time-stamped log recording when the incident was first detected, which actions were taken, and when each action was carried out. It's also best practice to list the names of the team members involved and the individual actions each of them was responsible for.

Communication Strategy 

Communication is key in the aftermath of a cyberattack, both internally and externally. Miscommunication can exacerbate an already delicate situation. Here's how to keep everyone informed without causing undue panic: 

  • Internal Stakeholders: Your employees should be among the first to know. However, the message needs to be carefully crafted to inform without inciting panic. Outline the situation, the steps being taken, and how they can assist or protect themselves. 

  • External Communication: Prepare a public statement to inform customers, partners, and stakeholders. The key is to be transparent without compromising any ongoing investigations or revealing sensitive information. Depending on the attack itself, you may not even need to communicate externally. 
     

Legal Obligations 

Your legal obligations following a cyber-attack can vary significantly depending on the industry you are in. It’s best to familiarise yourself with your sector-specific legislation. We’ve included some general advice below: 

  • Report to Authorities: The nature of the attack often determines which authorities you need to report to. If the cyber-attack involves a data breach affecting personal data, you're legally obligated to report it to the ICO within 72 hours of becoming aware of the breach. 
     
    In many UK industries, you're legally obligated to report a data breach to regulatory bodies within a specific timeframe. For example, if you’re an FCA-regulated firm, you’ll likely need to report the incident to them. If you run a care home, it would be the CQC. 
     

  • Customer Notification: Data protection laws often require that affected individuals be informed of a breach. This is not just a legal requirement but also an ethical one.  
     
    If you can identify the specific individuals affected, you should only need to contact them directly. However, if you can’t be certain what data is affected, you will need to contact everyone who may have been compromised by the attack.
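The "Document Everything" and "Report to Authorities" points can be combined into one simple tool: a time-stamped incident log that also tracks the ICO 72-hour window from the moment the breach was detected. This is an added example, not part of the original guide; the names, times and actions in it are constructed for illustration.

```python
# Added example (not from the original guide): a minimal incident log that records
# time-stamped actions with the person responsible, and computes the 72-hour ICO
# notification deadline from the moment the breach was first detected.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

ICO_WINDOW = timedelta(hours=72)  # reporting window named in the guide


@dataclass
class IncidentLog:
    detected_at: datetime            # when the breach was first detected (timezone-aware)
    entries: list = field(default_factory=list)

    def record(self, who: str, action: str, when: Optional[datetime] = None) -> None:
        """Append one time-stamped entry; defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc)
        self.entries.append({"time": when, "who": who, "action": action})

    def ico_deadline(self) -> datetime:
        """Latest time at which the ICO must be notified (detection + 72h)."""
        return self.detected_at + ICO_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left in the ICO window at time `now` (negative once it has passed)."""
        return (self.ico_deadline() - now) / timedelta(hours=1)

    def render(self) -> str:
        """Chronological, human-readable timeline for the investigation file."""
        lines = [f"Detected:     {self.detected_at.isoformat()}",
                 f"ICO deadline: {self.ico_deadline().isoformat()}"]
        for e in sorted(self.entries, key=lambda e: e["time"]):
            lines.append(f"{e['time'].isoformat()}  {e['who']:<10} {e['action']}")
        return "\n".join(lines)


def example_log() -> IncidentLog:
    # Constructed sample timeline; the people, times and actions are made up.
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    log = IncidentLog(detected_at=t0)
    log.record("A. Patel", "Mail-filter alert reviewed; suspicious login confirmed", t0)
    log.record("A. Patel", "Affected laptop disconnected from office network", t0 + timedelta(minutes=20))
    log.record("J. Owen", "Legal notified; personal data possibly involved", t0 + timedelta(hours=1))
    return log


if __name__ == "__main__":
    log = example_log()
    print(log.render())
    print(f"Hours left to notify the ICO: {log.hours_remaining(datetime.now(timezone.utc)):.1f}")
```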

Data Assessment 

Once the immediate fires are out, you'll need to assess the damage to understand the breach's scope and impact. 

  • Identify Compromised Data: Work with your IT team to identify the types of data compromised. Was it customer data, employee records, or perhaps intellectual property? The nature of the compromised data will influence your next steps. 

  • Assess the Impact: Use the identified data to gauge the breach's impact on your operations. Will it affect your supply chain, or is it more of a reputational issue? Understanding this will help you craft your ongoing response. 
     

Security Measures 

The breach may be contained, but your work is far from over. You now need to identify how to improve your security to prevent future attacks.

  • Patch and Update: One of the most common reasons for security vulnerabilities is outdated software. Ensure all your systems are updated with the latest security patches. 

  • Enhanced Monitoring: Implement advanced monitoring solutions that can detect unusual activity, helping you catch any future attempts before they become a full-blown breach. 

External Assistance 

There are times when in-house expertise is insufficient for the challenges at hand. Don't hesitate to seek external help. 

  • Cybersecurity Experts: Specialised cybersecurity firms can conduct a thorough investigation to identify how the breach occurred and recommend measures to prevent future incidents.

  • Legal Advisors: Navigating the legal maze of data protection and breach notification can be complex. A specialised legal advisor can guide you through your obligations and help minimise risks.

Employee Training 

People are often the weakest link in cybersecurity. A well-trained workforce can be your strongest defence against future breaches. 

  • Revisit Security Protocols: Use this incident as a learning opportunity. Ensure that all employees are aware of your organisation's security protocols.
     

  • Ongoing Training: Cyber threats evolve, and so should your training programs. Make cybersecurity awareness a regular part of employee training, including simulated phishing exercises and password best practices. 

The digital landscape is fraught with pitfalls, but with the right preparation and response strategy, you can navigate it more safely. There are several national bodies you can contact for further information:

The Information Commissioner's Office 

The National Cyber Security Centre 

Action Fraud 

Cyber Aware 
