Responding To An Incident

If you suspect that you have been the victim of a cyber attack, it is essential that you act quickly to minimise the risk and impact. Your actions will be critical to damage limitation.

When a cyber incident or attack occurs, your incident response plan and capabilities should kick in.

Identifying what is happening

Part of the recovery plan is identifying what is happening and taking steps to mitigate the issue. The NCSC’s 10 crucial questions will help you to identify what has occurred and take steps to deal with the incident.

Once you have identified the issue, your Incident Response Plan kicks into action. You’ll also need to confirm that everything is functioning normally, and fix any problems.

Action your Incident Response Plan.

Depending on the incident this could involve:

  • replacing or cleaning machines
  • changing passwords
  • restoring services through backups
  • updating software

This may involve you contacting your IT team or external IT provider to help resolve the issue.

Ensure the incident is communicated appropriately, whether that be to staff, the wider business, or other stakeholders, as part of your Incident Response Plan. You might have to consider secure or alternative communications in the event of a sensitive incident where normal channels are unavailable due to an outage in your system. An example of a set of incident response team roles is shown on the NCSC page “Creating your Cyber Security Incident Response Team”.

Things that might indicate a cyber incident:

  • Are programs or hardware not working as expected?
  • Have you received a message demanding a ransom?
  • Are users locked out or unable to access information?
  • Is there unusual account activity?

Cyber Incident Response Helpline

Organisations looking for support and advice can call the free Cyber Incident Response Helpline.

The cyber incident response helpline is for the SME community and the third sector to help victims of cybercrime understand what support is immediately available to them and help them recover. The helpline is run by the Scottish Business Resilience Centre in partnership with the Scottish Government and Police Scotland and is available weekdays 9am-5pm.

Call the helpline on: 01786 437 472

Information on the helpline

This helpline will:

  • Help you identify what is happening
  • Provide reporting information and advice
  • Take you through the actions that you need to perform to isolate the network and preserve evidence
  • Liaise with Police Scotland to assist with reporting
  • Assist in the selection of a cyber security consultant to provide additional technical support and onsite assistance if required

Reporting an incident

If you are experiencing a live incident you can call Police Scotland.

You can report Cybercrime as follows:

  • By phoning 101 (non-emergency) or 999 (emergency)
  • In person at any police station

For more information on how to report cyber crime, suspicious emails and text messages, visit our Report an incident page.

Reporting a cyber incident internally or to your IT Managed Service provider

It is important that you know who within your organisation should be notified and how to notify them if you suspect you have been duped by a suspicious email, perhaps clicking on a suspicious link or visiting a suspicious website, or if your device is operating strangely. Exploiting email and browsing remains the most common method of launching cyber attacks and gaining access to organisational networks.

These attacks are designed to both exploit and dupe you into ‘letting them in’. Anyone can fall for phishing attacks; it’s why they are the first choice of cyber criminals. It is essential that you don’t delay in reporting suspicious incidents. Do not just switch off the device and/or walk away in the hope that it will all go away. Action is needed as quickly as possible.

Reporting a cyber incident externally 

Depending on the nature of the attack, you may need to report certain incidents externally, whether that be to a regulator, to the Information Commissioner, to the police, or indeed to your customer base if it is their data that is affected.

The ICO website provides guidance on what constitutes a notifiable breach, and on preparing and responding to .

You should know who within your organisation has this responsibility, as there should be an organisational plan in place to deal with a cyber attack.

Cyber attacks are also crimes and as such consideration should be given to reporting the attacks to Police Scotland (dial 101).

In addition, the National Cyber Security Centre (NCSC) can offer advice and guidance on handling incidents.

Effective communication following a cyber security incident

Clear communication will help minimise the short-term impact of an incident and will assist in building trust with your customers, reducing the long-term impact of an incident.

The Scottish Business Resilience Centre, in partnership with Clark Communications, has produced a Reputation Management Framework.

This document aims to support you in the event of a cyber security incident, by providing advice on when to disclose and ways to share the message effectively in such situations. This can improve and complement your existing practices and help to increase the resilience of your organisation if breached.

Download Reputation Management Framework