How well do businesses and charities deal with attacks, including identification, response, reporting and preventing future breaches?
In the fourth article for Cybersecurity Awareness Month covering the government’s cybersecurity breaches survey, SC UK is looking at Chapter Five: Dealing with Breaches or Attacks.
Specifically, this covers what incident response steps are taken; measures put in place; who you need to report an incident to externally; whether you need to report a breach or incident at all; and what is being done to prevent future breaches.
What incident response steps are taken
Having an incident response plan in place is considered essential by most experts. However, formal incident response plans are relatively rare. According to the survey, 22 percent of businesses and 19 percent of charities have one in place.
This is a concerning statistic. “It indicates that the majority of organisations lack a repeatable approach to effectively handle incidents,” says Lewis Duke, secops and threat intelligence lead at Trend Micro.
Worse, only 15 percent of businesses have an external communication and public engagement plan. “These are key to effectively dealing with a cyber-attack,” says Adam Pilton, senior cybersecurity consultant at CyberSmart.
“Without an incident response plan in place, you won't be working consistently; your resources won't be pulling in the same direction and senior leaders who may not have any technical knowledge won’t understand where they are in the journey of responding to and recovering from the attack.”
The qualitative interviews included in the survey highlighted several challenges organisations face when dealing with cyber incidents. In smaller organisations, there was a heavy reliance on external resources for incident response, such as IT providers and cloud storage providers.
Smaller firms found it harder to develop incident response plans because of a lack of in-house expertise or capacity. “The challenge in planning for cybersecurity incidents is the unknown. We are a support organisation, and we don’t have an IT infrastructure,” said one director of a small business.
Measures put in place
When an attack does occur, by far the most common response was to inform senior management. The most common processes, each mentioned by around a third of businesses and charities, were assigning specific roles and responsibilities to individuals, having guidance on external reporting, and having guidance on internal reporting.
Larger organisations are more likely than average to have incident response plans and measures to react following an attack. 73 percent of large businesses and 50 percent of high-income charities said they have a formal incident response plan. However, even among large businesses, under half (48 percent) have a communications plan in place.
It varies across sectors. Highly regulated finance and insurance businesses are more likely to have an incident response plan (51 percent, vs. 22 percent overall). Health, social care and social work businesses are also more likely to have one (53 percent).
Some medium and large organisations are performing simulation exercises and scenario tests to identify any weak spots in their staff training and preparedness. However, these aren’t always done regularly, with staff reluctant to dedicate the time and effort required.
Who you need to report an incident to externally
External reporting of breaches remains uncommon among organisations. Among those identifying breaches or attacks, a third of businesses (34 percent) and almost two-fifths of charities (37 percent) reported their most disruptive breach outside their organisation.
Reporting doesn’t always involve regulators. In many of these cases, organisations reported breaches only to their external cybersecurity or IT providers. Excluding those, a quarter of businesses (25 percent) and three in ten charities (29 percent) that identified breaches or attacks reported them externally.
Breach reporting depends on the industry your company works in and the nature of the data affected. For example, if customer data was held on the systems that were accessed, you may have to report the attack under the EU’s General Data Protection Regulation (GDPR), says Phil Skelton, eSentire director.
Do you need to report a breach or incident at all?
Among the businesses and charities that did not report their most disruptive breach or attack, the most common reason was that it was not considered significant enough (for 68 percent of both businesses and charities).
In some cases, respondents did not know who to report to (for 13 percent of businesses and 11 percent of charities). For other firms, the breach or attack was too recent or they hadn’t had enough time to report it (for four percent and three percent respectively).
When considering the circumstances in which incidents should be reported externally, qualitative respondents said this depended on the scale or seriousness of the breach. For example, breaches involving disclosure of personal information or those with financial implications were generally seen as requiring external reporting.
Some organisations said they would simply report incidents to their cybersecurity or IT provider and rely on them to deal with the issue. In other cases, incidents would be reported to a parent company.
There is often confusion around whether reporting is necessary. “While breaches involving personal or sensitive data must be reported, incidents that do not meet regulatory thresholds might not need external notification,” says Durgan Cooper, cybersecurity expert and House of Lords adviser.
Nevertheless, he says, all incidents should be logged internally to inform future risk management and incident response planning.
What is being done to prevent future breaches
Among those that had identified any breaches or attacks, 59 percent of businesses and 70 percent of charities reported taking action to prevent further breaches. This is despite the fact the lessons learned element of an incident response procedure “is the most important section when considering the next attack you face”, says Pilton.
The most common actions taken were a mixture of additional staff training or communications and implementing new technical controls, including firewalls, restrictions on admin access or antivirus software.
Medium businesses (74 percent vs. 59 percent overall) and large businesses (86 percent) were more likely than smaller businesses to have taken any actions to prevent further breaches or attacks.
Cyber-attacks are a fact of life, so learning from them and taking steps to prevent future breaches is key for all firms. Plenty of resources are available, such as the government’s Cyber Essentials programme, which helps companies focus on basic cybersecurity measures, says Danny Jenkins, CEO and co-founder of ThreatLocker.
However, he says: “A large number of businesses continue to underestimate the importance of cybersecurity, leaving themselves vulnerable.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist