Incident Response

Dealing with a cyber incident

Have a plan to prevent, detect, respond and recover from a cyber incident.

A fundamental aspect of cyber resilience relates to incident management, response and recovery planning. All organisations need to regard cyber risk as a business risk and put in place incident response plans that are tested regularly through exercising.

What is a cyber incident?

The NCSC defines a cyber incident as unauthorised access (or attempted access) to an organisation’s IT systems. These may be malicious attacks such as denial of service attacks, malware infection, ransomware or, more commonly, phishing attacks.

An accidental action by an employee could also cause a security incident, for example when a member of staff clicks on a phishing link within an email or, as part of day-to-day work, downloads a seemingly legitimate piece of software which contains a virus or malicious software.

Things that might indicate a cyber incident include:

  • computers running slowly
  • users being locked out of their accounts
  • users being unable to access documents
  • messages demanding a ransom for the release of your files
  • people informing you of strange emails coming out of your domain
  • redirected internet searches
  • requests for unauthorised payments
  • unusual account activity

Have a plan to prevent, detect, respond and recover

It is good practice to have a Cyber Incident Response Plan in place that sets out the steps your organisation should take to prevent, detect, respond and recover from cyber attacks. Your plan does not have to be complex, but it should be clear on the roles and responsibilities of key individuals who can take action. The plan should not sit in isolation and should be woven into the wider resilience, business and service continuity / disaster recovery planning.
