Do you have an incident response plan in place?

By Ollie S

Many companies think that a cyber-attack will not happen to them. Just look at British Airways, Facebook and, recently, Symantec. Large companies that turn over millions of pounds are still not investing the money they should into cyber security and still think it won’t happen to them. Others have different reasons, but the most common are that they are too big, they are too small, they have anti-malware on their computers, or they don’t need any security measures because, who would hack their business?!

Well, unfortunately it is happening every day and hackers are becoming more advanced and more ruthless – so if/when it does happen to your organisation, how would you deal with it? Do you have a plan in place for what would happen next? Who would you turn to? If you cannot answer those questions, we suggest you read our guide on the steps you should take:

Cyber Attack Preparation

The first step is to ensure you have put in place preventive measures that will assist in defending against an attack: staff training, intrusion prevention, anti-malware installed and basic cyber security hygiene. These basic steps should be in place before even starting an incident recovery plan – they may be prevention enough for an attack never to happen, but should they not be, the plan will be your manual for getting your organisation secure again as quickly as possible.

The Plan

This is your step-by-step policy and procedures for how to deal with the incident as quickly and efficiently as possible. You need to appoint chosen employees to carry out a specific role within the incident, and they should have adequate training on their new responsibilities.

Some areas that should be included are: appointing a First Responder; appointing an incident response team and ensuring they know their roles and responsibilities; and making sure secure methods of communication are in place for your Incident Response Team to communicate through. In order to help prevent another attack of a similar nature, a clear method of reporting, categorising and logging incidents needs to be in place and documented, and the plan should also cover exactly how to do this.

First Responder

This is the person who should be notified first of any suspicious activity. Should it be a cyber attack, they will take charge of the situation and coordinate staff members to ensure that procedures are adhered to.

Identification

You will need to determine whether or not a breach or an incident has occurred and what level of priority it should be assigned. The level of the incident will depend on the data or resources affected and what impact it has on your organisation. What methods do you have in place to identify attacks? Manual inspections, a 3rd party IT provider, automated software, employees, customers?

Containment

Containment of a breach is important to do quickly but efficiently. It’s hard to put an exact procedure in place for your Incident Response Team to work to, as there are many scenarios of how an attack may happen. The type of containment you may want to take depends on what information has been uncovered already. A serious breach could mean switching to a backup network and containing the attack to a dummy network to ensure no more sensitive data is discovered – but this needs to be done carefully so as not to alert the attacker. It is important, once the attack has been contained, that evidence is collected – this will help with prosecution and also with post-incident reports.

Data Breach

Once confidential information has been discovered, making it secret again is impossible. What if the attack came from a competitor, or the information is sold to a competitor about to launch a similar product? What if your customers’ data was discovered – bank details, passwords? Contacting customers, or having a contingency plan in place, would need to be acted on quickly to stop bad publicity and years of hard work being ruined. Having a nominated media spokesperson and a backup plan should sensitive information be leaked could be necessary, depending on what your organisation does. Now, due to GDPR, you have 72 hours to inform the Information Commissioner’s Office (ICO) of a data breach. All of this will need to be factored in when thinking about who needs to be informed in the events after.

Eradication

This is finding and eliminating the cause of the breach. It may be done by your own team or a 3rd party, to patch where the attacker was able to gain access. A full security review should then be carried out on your organisation: you could still be losing data, and you may have other weaknesses that the attacker could exploit.

Post Incident Activity

Once the attack has been eradicated, fixed and your organisation is once again secured, it is important to review what happened, how it happened, and whether it could have been prevented. Did the plan go as expected? Did you and your employees follow procedures, and does the plan need tweaking should another attack happen?

How North Star Cyber Security can help…

North Star Cyber works with organisations to help them create their own Incident Response Plan. We help organisations look at what they currently have in place and ensure that all aspects of an Incident Response Plan have been worked out and put into a clear procedure. We can help you roll this out to your staff and even test your organisation in a simulated, real live cyber attack.

More information about our service can be found here – get in touch with one of our dedicated team today.