
Cyber Breaches Survey Analysis - Dealing with Cyber Breaches or Attacks

How well are businesses and charities dealing with breaches or attacks, according to the government’s cybersecurity breaches survey?


In the latest article covering the government’s cybersecurity breaches survey, SC UK is looking at Chapter Five: Dealing With Cyber Breaches Or Attacks. Specifically, this examines how well businesses and charities deal with breaches or attacks, including identification, response, reporting and adaptation to prevent future cases. 

Incident response

Cyber-attacks are a matter of fact, making incident response key for every business. But budgets can be tight, making it no surprise that larger organisations are more likely to have an incident response plan: 53 percent of medium businesses and 75 percent of large businesses said they have a formal plan in place, according to the government’s survey. 

Certain sectors are more prepared than others. Incident response plans were in place more often in health, social care and social work (66 percent), finance and insurance (50 percent) and information and communications (43 percent). 

When a breach occurs, by far the top response was to inform senior management. It was far less common for organisations to say they would inform regulators, according to the survey. 

Of those that had cyber insurance, just over half of businesses (52 percent) and charities (56 percent) said they would inform their provider in the event of a breach or attack. 

The most common processes, mentioned by around a third of businesses and charities, included having specific roles and responsibilities assigned to individuals (39 percent of businesses and 34 percent of charities); having guidance on internal reporting (34 percent of businesses and 31 percent of charities); and having guidance on external reporting (32 percent of businesses and 30 percent of charities).

Smaller organisations found it more challenging to develop incident response plans, because of a lack of in-house expertise. Meanwhile, smaller businesses admitted to infrequent testing of their plans, often conducting tests only after experiencing a breach.  

Whatever your size, not having a plan is “an accident waiting to happen”, says Phil Skelton, director, international business at eSentire. “Threat actors care about the revenue that a company makes more than how many employees they have, as this increases the potential size of any payout that they can achieve.” 

If you don’t have an incident response plan at all, getting one in place is “essential”, says Skelton. “Even if you have a plan, you should prioritise regularly testing it through table-top exercises and collaborating with your security team.” 

CISOs should prioritise reviewing and enhancing incident response plans, particularly for smaller organisations, ensuring clear roles, responsibilities and escalation pathways that include both internal and external reporting guidance, says Bharat Mistry, field CTO at Trend Micro. “Strengthening external reporting procedures through clear guidelines and staff education is crucial, alongside establishing and communicating a definitive ransomware payment policy that weighs up risks and benefits.” 

External reporting of breaches or attacks

External reporting of breaches is not widespread among organisations. This year, among those identifying breaches or attacks, around four in ten businesses (39 percent) and a third of charities (33 percent) reported their most disruptive breach outside of their organisation. 

Many of these cases simply involved organisations reporting breaches to their external cybersecurity or IT providers.  

Among the businesses and charities that did not report their most disruptive breach or attack, the most common reason, given by 72 percent of businesses and 81 percent of charities, was that it was not considered significant enough to warrant reporting.

Beyond this, the next most common reasons were: organisations did not know who to report to (11 percent of businesses and nine percent of charities); they did not think reporting would make any difference (five percent of businesses and four percent of charities); and they did not think reporting would lead to a benefit for their organisation (five percent of businesses and four percent of charities).

While internal reporting is high, the lack of external reporting – to regulatory bodies, partners or cyber response teams – may hinder coordinated threat intelligence and containment, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.  

The EU General Data Protection Regulation (GDPR) requires reporting certain breaches within 72 hours, he points out.  

Whether an incident should be reported externally depended on the scale or seriousness of the breach. For example, breaches that involved disclosure of personal information were generally seen as requiring external reporting.

Reputation was also considered in the decision-making process of whether to report, with one business citing that any attack could have an impact on reputation if not reported properly. 

Actions taken to prevent future breaches or attacks 

Among those that identified breaches or attacks, 62 percent of businesses and 67 percent of charities reported taking some form of action to prevent further incidents.  

The likelihood of taking some form of action to prevent future breaches increased with organisation size. Small (69 percent), medium (78 percent) and large (82 percent) businesses were all more likely than micro businesses (60 percent) to have taken some form of action. Likewise, high-income charities (84 percent) were more likely to have taken steps compared to charities overall (67 percent).

Encryption, particularly Microsoft encryption, was a common cybersecurity method applied to combat data protection risks from cyber breaches. 

“Everything’s encrypted, 365 provides encryption and we use end-to-end encryption for most of our messaging which is now done on Microsoft Teams,” said one charity CEO. 

At the same time, multi-factor authentication is an increasingly common way of protecting data, according to the survey. 

Cyber resilience should not depend on business size, yet figures suggest there seems to be some disparity, says Curran. Frameworks such as Cyber Essentials are scalable to small and medium-sized enterprises, he says.

“Regarding preventative actions, such as post-breach or post-incident, organisations should conduct root cause analysis, update controls, and perform security awareness and technical training. Training is vital, but it should be complemented by technical remediation.”



Kate O'Flaherty Cybersecurity and privacy journalist
