Response and Recovery Guidance for SMEs
Cyber incidents, meaning unauthorised access (or attempted access) to an organisation's IT systems, are a threat to companies of all sizes, whether malicious or accidental (for example, damage from fire, flood or theft). Too often these incidents are treated as a mere IT issue when in reality their ramifications are felt firm-wide and can be fatal to a business.
Many larger organisations have the resources to respond effectively and promptly, whether through internal teams dedicated to pre-empting and defending against incidents before they occur or through the financial capacity to bring in outside help instantly. For small and medium-sized businesses that have neither of these resources at their disposal, response and resolution are more difficult.
To assist SMEs in protecting themselves from cyber incidents, the National Cyber Security Centre (NCSC) has prepared a five-step procedure to follow in the event of a cyber incident. If the incident is live, the NCSC recommends calling Action Fraud immediately on 0300 123 2040 and pressing extension 9, which ensures your incident is prioritised. Action Fraud will pass the incident on to the National Fraud Intelligence Bureau (NFIB) to review the report and conduct enquiries. If an incident has occurred, the following steps are encouraged in order to respond to and resolve it, and any future incident(s), effectively.
Step 1: Prepare for incidents
Companies can prepare by identifying which processes, systems and electronic information are fundamental to the day-to-day running of the business (for example, emails, calendars, contact details and the website where orders are placed) and recording whether that information is stored on a remote server or in the cloud. Once these have been established, the company should make a daily or weekly backup of essential information, test the backups regularly to guarantee that they are working, and assign an individual responsible for this task. It is important that colleagues are also aware of this information and can cover if the responsible individual is not around. In addition, it is important to consider how to avoid reputational damage and which key partners (customers, suppliers and third parties) you need to contact if an incident does occur.
It will be helpful to prioritise what needs most protection and to consider what happens if your business no longer has access to key information and systems. An incident plan is essential to minimise any potential cyber damage, for example by ensuring several people in the company know how to restore from backup in the event of data loss. If each individual is responsible for a particular recovery action, any issue can be defused quickly: for example, one person is responsible for the list of external people that need to be contacted, and another is responsible for shutting down the website if it has been compromised. This way everything can be done simultaneously, ensuring all bases are covered.
Step 2: Identify what's happening
Organisations must learn how to identify whether an incident has happened or is happening in order to respond appropriately, for example by running an antivirus programme to complete a full scan of the system. If security software is installed, antivirus alerts should appear regularly. There are various indications of a cyber incident, including computers running slowly, users being locked out of their accounts or being unable to access documents, messages demanding a ransom for release of files, redirected internet searches, requests for unauthorised payments and unusual account activity. The guidance lists 10 crucial questions to help SMEs identify what has happened in order to correctly inform the IT team and prepare a 'lessons learnt' report.
Step 3: Resolve the incident
Whether the SME's IT is managed internally or externally, the right people need to be contacted immediately to do one or more of the following: replace infected hardware, restore services from backups, patch software, clean infected machines and/or change passwords.
Step 4: Report the incident to wider stakeholders
Following a cyber incident, it is important for the company to formally report the incident both internally and externally. Certain incidents are legally required to be reported to the Information Commissioner's Office. A cyber attack is a crime and should therefore be reported to Action Fraud or the police. Furthermore, organisations should take legal advice, particularly if there has been a significant impact on the business and/or its customers, as there may be several avenues for recourse. Additionally, if the organisation has a cyber insurance policy, lawyers will be able to advise on making a claim under that policy.
Step 5: Learn from the incident
Preparing a report on the incident will highlight the areas of weakness in the company's cyber security software. Collating and reviewing the actions taken, and preparing a list of what went well or could be improved, will strengthen the company's response plan for any future incidents. For example, if the IT team is outsourced, did their response meet the company's needs? If not, either the terms of the contract could be renegotiated or a new IT team contracted.
The cyber security guidance prepared by the NCSC offers a low-cost, thorough, easily implemented and hopefully effective step-by-step plan for SMEs to adopt in the event of an attack or accident. We would encourage all SMEs to be alert to the consequences of cyber incidents and to make good use of the guidance provided. It cannot be emphasised enough how devastating the effects can be for small businesses unprepared for such events.