The technical director of the National Cyber Security Centre Incident Management team advises on what to do in case of an incident and how comprehensive preparation can make recovery so much more possible.

There's a well known joke which goes something like this: A tourist in a very rural area asks a resident how to get to a local landmark. After pondering the question, they reply: 'If I were you, I wouldn't start from here.'

How is this relevant to incident management? Well, as the tech director for the IM team at the NCSC, I am regularly asked what victims of cyber attacks should do during incidents. After suppressing the standard NCSC reply of, "it depends", my first question is to ask what preparation they've done for the situation. If the answer is that they haven't done any preparation then it's very hard not to say, "Well, don't start from here."

The right place to start from

We're releasing our new guidance on incident management in the hope that it will encourage you to consider what your organisation should have in place before an incident happens. The goal is to avoid a situation where the people valiantly dealing with the incident itself also have to scrabble around bootstrapping their IM processes.

Assume breach

According to a DCMS survey from 2019, almost a third of companies in the UK suffered a breach in the preceding 12 months. Just let that figure sink in.

Modern IT systems are extremely complex and attackers are constantly evolving. "Assume Breach" is one cyber security motto that you, and your organisation, should heed.

This is not a call to give up trying to protect and defend your IT, but to build and operate your systems on the basis that something will go wrong at some point and you will have to deal with it.

If you have processes in place to swiftly and efficiently deal with an incident, then you can minimise the direct and indirect damage that might occur. But trying to create those processes during the incident itself is a recipe for disaster. Trust me, I've seen it tried.

Preparation is essential

In some cases there simply isn't anything you can do to fix the situation if you haven't done some preparation.

But, if there's one thing I could urge everyone to do, it would be to backup your important data. And by everyone I mean everyone, from individuals, to multinational corporations.

Once you've backed up your data, the next thing I'd advise is, back it up again, to a different location. And then, check that you can actually restore your systems from backup. With all this done, you should put in place a procedure to make sure you can check that your data is being backed up regularly.

One of the most common attacks we see at the moment is ransomware targeted at businesses. In these cases, the attackers will try to delete or disable backups. This is why making sure at least one of your backups is 'off-line' - away from your standard IT - is very important.
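The backup routine described above (back up, prove the backup restores, and keep checking that backups are still being taken) can be scripted so it is not left to memory. The script below is an added example, not NCSC's code or part of its guidance; it assumes GNU tar, coreutils sha256sum and a find(1) that supports -mmin, and the directory names in the usage line are placeholders. Making one copy 'off-line' is a separate step (copying the archive to detached media or storage that the production network cannot write to), which no script on the live system can substitute for.

```shell
#!/bin/sh
# Constructed example (not NCSC's code): make a backup, prove it restores,
# and check that backups are still being taken. Assumes GNU tar, coreutils
# sha256sum, and a find(1) that supports -mmin.

# make_backup SRC DEST: archive SRC into DEST and write a hash manifest of the
# live files next to it. Prints the archive path.
make_backup() {
    src="$1"
    dest=$(cd "$2" && pwd)        # absolute, so the manifest path survives a cd
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$src" .
    (cd "$src" && find . -type f -exec sha256sum {} + | sort) > "$archive.manifest"
    echo "$archive"
}

# verify_backup ARCHIVE MANIFEST: restore into scratch space and compare every
# file against the manifest. A missing or altered file makes this return 1,
# which is the "check that you can actually restore" step done on every run.
verify_backup() {
    archive="$1"
    manifest="$2"
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if (cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1); then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# backup_is_fresh DEST MAX_MINUTES: succeed only if DEST holds an archive newer
# than MAX_MINUTES. Run this from cron or monitoring so a silently stalled
# backup job is noticed before the day it is needed.
backup_is_fresh() {
    if find "$1" -name 'backup-*.tar.gz' -mmin "-$2" | grep -q .; then
        return 0
    fi
    return 1
}

# Usage (placeholder paths): sh backup-check.sh /srv/data /mnt/backup-disk
if [ "$#" -eq 2 ]; then
    a=$(make_backup "$1" "$2")
    verify_backup "$a" "$a.manifest" && echo "restore check passed: $a"
fi
```

The manifest is taken from the live data, not from the archive, so the restore check compares what came back with what was there, rather than the archive with itself. The freshness check is deliberately separate: a backup job that stops running is a common failure that nobody notices until the restore is needed.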

If you don't have backups, in almost every case there is no way of restoring your business critical data, short of rolling the dice and gambling that paying the substantial ransom might possibly get your data back.

One thing you should do, with fingers crossed, is to check the No More Ransom website to see if the ransomware you've been infected with has a publicly known decryptor. I'll be honest with you, it isn't very likely. So please, if you do nothing else, go and check your backups, now.

Calling in the professionals

If you have the resources, keeping an incident response company on retainer for when an issue occurs is an excellent idea. The NCSC certifies companies under our Certified Incident Response (CIR) scheme. You can find a list of certified companies on our website. Please take a look.

Trying to arrange contracts and procurement during an incident is a stress that you won't need. Meanwhile, ensuring that your response company knows your staff and systems will help ensure as smooth a response as possible when an incident occurs.

Exercise is good for you

The chief information security officer (CISO) of an organisation we helped out recently observed that 80% of the incident was non-technical. That non-technical majority consisted of dealing with communication issues, regulatory issues, legal issues and so on.

Exercising to test your incident response procedures is as important as having them in the first place. It's no good having a procedure if no-one remembers what it is or you only discover that part of it simply doesn't work when you're in the middle of a real situation. There's a reason that fire drills are performed.

The NCSC's Exercising team has put together an online tool named 'Exercise in a Box'. This is available to any UK organisation, for free. It will walk you through running tabletop exercises in response to some common cyber attack scenarios. Exercise in a Box is targeted at smaller organisations which may not be able to afford professional cyber exercising organisations, but it could be of use to any size of organisation. Feel free to sign up and take a look.

That will be all

There is a military adage known as 'The 7 Ps'. This applies well to cyber incident response (as well as much else in life). The 7 Ps are variously defined, but the basic gist is, "Proper Planning and Preparation Prevents Pish Poor Performance".

Please, for your own sake (and for the sake of my team - who have to help deal with cyber incidents of national significance) do some planning and preparation now. Things will go wrong, sooner or later.

Oh, and also, try to call us before 4pm on a Friday when something does go wrong. Why is it always Friday afternoon?