Click here to get this post in PDF
Cyber-attacks are a threat to every business, not just the larger ones. Most SMEs will be subjected to a cyber incident of some sort, but it is how that attack is handled that matters.
Reputation is important to any business and often it is how you respond to an incident that determines whether your clients decide to remain with you or go elsewhere. Many clients will want to know how you will protect their personal or confidential data before appointing you.
Having a cyber incident response process is essential and, in this article, we look at what is needed to create an effective plan.
What is an Incident Response Plan?
An incident response plan is a documented set of procedures, which describe what to do when a cyber incident occurs. This can be a cyber-attack, data loss through a power outage, accidental deletion of files or any incident that requires urgent action so that staff can carry on with their daily work.
The plan will contain guidance on what to do in the event of a cyber incident with these key components:
Some incidents may have legal implications. For example, any breach of confidential or personal data will have to be reported under the General Data Protection Regulation (GDPR) to the Information Commissioner’s Office. This should be included in the incident response plan.
Incident response and disaster recovery
An incident response plan places emphasis on the protection of sensitive data whereas a disaster recovery plan focuses on business continuity after a major service disruption. There is a lot of overlap between the two and much of the information that goes into one will be used in the other. For instance, key contact details and critical data protocols will probably be the same for both.
Often, a lack of an effective incident response plan can lead to a disaster, so it is important that procedures are put in place to control and limit the impact of incidents.
What should be included in an incident response plan?
As with any process, what you include in your plan depends on your business. Every SME will have to decide what is important to them, but there are some common elements that apply to all.
- List of key contacts with phone numbers
- A process map showing when and how to escalate
- Links to regulatory requirements such as the GDPR
- Checklists and forms
Forms for documenting the incident, including action taken, are necessary for the post-incident analysis and may be required as evidence by regulators or in court if criminal activity is suspected.
Knowing when and who to escalate the incident to and the method of communicating is essential because normal IT systems may be compromised, and the usual channels may be unavailable. You need to have alternatives.
The National Cyber Security Centre has produced a guidance note on incident management and this has some useful advice for businesses looking to develop their own plan.
Levels of response
In the event of a cyber incident, the first step is to evaluate the situation. What systems are affected, the nature of the incident (e.g. cyber-attack, accidental loss or corruption of data, unauthorized access), and who needs to be informed?
The next stage is to contain the incident, which may involve taking systems offline. The incident response plan should include a matrix of actions against incidents so that those responsible know what to do in any event.
After remediating the incident, systems can then be returned to normal, but it doesn’t end there. It is important to review the incident and see if there are any lessons to be learned. Was the response successful? Was any data lost or compromised? Does the plan need amending?
Some incidents may be easily rectified by an in-house team or individual, but it should still be recorded in case it happens again or a related incident occurs indicating that a larger systemic failure may be about to happen.
Others may require a coordinated approach involving several parts of the business at various levels. The important thing is to understand quickly what is at stake, and the incident response process should include clear instructions on what to do.
Cloud backup for small business enterprises
There are many managed IT services providing cloud backup for small business enterprises. This is one way of ensuring that in the event of a cyber-incident, you can get your business back on the road quickly, with minimal impact.
Cloud backup is one way of making sure that data is available to be restored after a cyber-incident. It is relatively cheap – free up to a point – and readily available to anyone.
Can managed service providers help?
For any SME cyber security is critical to their survival and failure to plan for any form of cyber-attack could result in their demise. But detecting cyber incidents before they occur has got to be better than dealing with them as they happen.
Managed IT service providers can work with SMEs to develop an incident response process and to implement a plan that will help in recovering quickly from a cyber-attack or another incident. SME cybersecurity can be tailored to any size of the company, from a sole trader to 50+.
Having a plan in place is essential and many clients will demand this to make sure their confidential information is safe, but by monitoring systems remotely, managed service providers can help avoid cyber incidents and keep businesses online.
Cybercriminals are getting more sophisticated, and your in-house IT experts might not be aware of the latest scams, whereas a managed service provider will have all the information on hand and will be able to defend against malware or ransomware attack, phishing, or unauthorized access to the network.
As well as a disaster recovery plan, every business needs a cyber-incident response process to ensure that it can protect sensitive data and deal with the incident in the most expedient way. The process must include instructions for containment and remediation.
Learning from the incident is also important, as this can help prevent further similar incidents and possibly detect a greater threat.
About the Author
Darren King is the CEO of Cygnet IT Services, a UK based community Interest Company which provides IT support in Croydon and surrounding areas. Darren has over 20 years working in Information Technology working closely with supporting charities, businesses and schools.
You may also like: What is Cybersecurity: Everything You Need to Keep Your Company Secure