We provide some help and guidance in our Information and Cyber Security Best Practice Area, which also includes the checklist What to do immediately after a Cyber Attack.
The NCSC have recently published a series of web pages about Cyber Incident Response. The NCSC assured Cyber Incident Response (CIR) scheme gives clients confidence in companies which meet the NCSC's rigorous standards for high quality cyber incident response.
The CIR companies help organisations which have been the victim of a cyber attack.
CIR Assured Service Providers help organisations to recover from cyber incidents and deliver a full investigation of the incident along with recommendations on how to prevent it happening again.
The NCSC recommends that all UK organisations use a CIR Assured Service Provider when dealing with cyber incidents.
Whenever you have a cyber incident, check what personal data might have been breached using the Data Breach Assessment Matrix spreadsheet.
Article 32 of the UK GDPR states:
1. Controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, amongst other things as appropriate:
a) Pseudonymisation and encryption of personal data.
b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (Business Continuity).
c) The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident (Disaster Recovery).
d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (Pen Testing, Penetration Testing).
2. Assessing risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct.
4. Ensure that any individual acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller unless they are required to do so by domestic law.
Review the Data Breach Best Practice Area.
What to do in an attack:
Tell someone! Report to IT. Report to SLT.
Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.
If you are a victim of a ransomware attack, we recommend reporting this to Action Fraud (https://www.actionfraud.police.uk/) as well as to your data protection officer, so they can advise about the data loss. Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.
Government Cyber Incident Reporting Service: https://signpost-cyber-incident.service.gov.uk/
Isolate the infected device and pass it to IT.
Always ensure there are backups you can restore from.
Little Guide to ACTION FRAUD
Remember: ‘Hackers don’t break in, they log in’!