Under Cyber Attack: An immediate action plan for SMEs

As technology continues to evolve, so do the complexities of cyber threats. Cybersecurity incidents can wreak havoc on any organization, regardless of size or industry.

It's essential for businesses to have a comprehensive plan to deal with these challenges when they arise. In this guide, we'll discuss the key steps to take if you suspect a cybersecurity incident and the importance of being prepared.

Suspecting a Cybersecurity Incident: Words Matter 

The very first point to consider when dealing with a potential cybersecurity incident is how you articulate it. Terminology matters. It's important to avoid using terms like "breach" prematurely. "Breach" suggests an assured unauthorized access to data or systems, which you may suspect but don't yet understand for certain. A premature declaration can cause undue panic and reputational damage which is challenging to retract once announced. 

Instead, use words like "event," "incident," or "suspected attack." It's wise to include these terms in your communications plan and ensure your team members understand them, ideally via training in advance. 

Immediate Technical Actions 

Once an incident is suspected, your first line of technical defence should be to disconnect or block the internet connection. It's critical not to power off or restart any computers or servers, as preserving evidence for insurance or legal requirements is paramount. This evidence will also assist in understanding and containing the attack. 

Consider stopping internal network traffic using Endpoint Detection and Response (EDR) tools or disconnect network switches if that's not feasible. The goal is to curtail the attacker's ability to spread further into your system, a process known as "lateral movement." Bear in mind that the intruder might have been lurking in your systems for days or even months. 

Next Steps: Engage IT and Insurance Providers 

Once the technical steps are taken, your next calls should be to your IT team and insurance provider. Divide these responsibilities among your team according to your Incident Response (IR) plan, which should designate specific roles to staff members for such events. 

Notify your IT team so they can confirm and possibly extend your immediate actions. Armed with preliminary information from your IT team, contact your insurers to discuss the incident. This swift action can help protect your business financially and legally. 

Communication is Key 

Effective communication is crucial in managing a cybersecurity incident. You should have a robust communication plan that includes both internal and external stakeholders. Consider having pre-templated and board-approved emails for clients and others that can be dispatched swiftly to manage the narrative. 

As you can see, reacting to a cybersecurity incident is not the time to be figuring out your strategy. Time will be against you, and any missteps could have lasting implications. 

Proactive Preparedness 

The best time to get ready for a cybersecurity incident is before it occurs. Being proactive in your cybersecurity readiness is crucial. Start with a simple plan and improve it incrementally over time. The process should be iterative, growing and evolving as per the needs of your business. 

Being better prepared for a cybersecurity incident is not a luxury but a necessity in our digital age. If it's not already on your "must-do" list, add it now. Consider seeking professional help to streamline this process and enhance your preparedness. 

In conclusion, cyber threats are an undeniable reality of conducting business in the digital era. The difference between a catastrophic loss and a manageable incident often lies in preparedness and swift, appropriate actions. Protect your business by being ready, informed, and proactive. 

To summarize

Terminology Matters: We advised against using the word "breach" prematurely. Recommended using terms like "event," "incident," or "suspected attack." 

Immediate Technical Actions: Emphasized not to power off or restart any systems, and to block or disconnect internet connections to preserve evidence and contain the attack. 

Engaging IT and Insurance Providers: Discussed the importance of immediately contacting your IT team and insurance provider once you suspect a cybersecurity incident. 

Importance of Communication: Highlighted the need for a robust communication plan for both internal and external stakeholders. Mentioned having pre-templated emails for swift responses. 

Proactive Preparedness: Stressed the importance of preparing for a cybersecurity incident before it occurs, and the benefit of growing and evolving your cybersecurity readiness strategy over time.