Responding To An Incident

If you suspect that you have been the victim of a cyber attack, it is essential that you act quickly to minimise the risk and impact. Your actions will be critical to damage limitation.

Call the Incident Response Helpline: 0800 1670 623

When a cyber incident or attack occurs, your incident response plan and capabilities should kick in.

Cyber Incident Response Helpline

Organisations looking for support and advice can call the free Cyber Incident Response Helpline.

The cyber incident response helpline is for the SME community and the third sector to help victims of cybercrime understand what support is immediately available to them and help them recover. The helpline is run by the Cyber and Fraud Centre – Scotland in partnership with the Scottish Government and Police Scotland and is available weekdays 9am-5pm.

Call the helpline on: 0800 1670 623

Information on the helpline

This helpline will:

  • Help you identify what is happening
  • Provide reporting information and advice
  • Take you through the actions that you need to perform to isolate the network and preserve evidence
  • Liaise with Police Scotland to assist with reporting
  • Assist in the selection of a cyber security consultant to provide additional technical support and onsite assistance if required

Identifying what is happening

Part of the recovery plan is identifying what is happening and taking steps to mitigate the issue. The NCSC’s 10 crucial questions will help you to identify what has occurred and take steps to deal with the incident.

Once you have identified the issue, your Incident Response Plan kicks into action. You’ll also need to confirm that everything is functioning normally, and fix any problems.

Action your Incident Response Plan.

Depending on the incident this could involve:

  • replacing or cleaning machines
  • changing passwords
  • restoring services through backups
  • updating software

This may involve you contacting your IT team or external IT provider to help resolve the issue.

Ensure the incident is communicated appropriately, whether that be to staff, the wider business, or other stakeholders, as part of your Incident Response Plan. You might have to consider secure or alternative communications in the event of a sensitive incident, or where normal channels are unavailable due to an outage in your system. An example of a set of incident response team roles is shown on the NCSC page “Creating your Cyber Security Incident Response Team”.

Things that might indicate a cyber incident:

  • Are programs or hardware not working as expected?
  • Have you received a message demanding a ransom?
  • Are users locked out or unable to access information?
  • Is there unusual account activity?

Reporting a cyber incident internally or to your IT Managed Service provider

It is important that you know who within your organisation should be notified and how to notify them if you suspect you have been duped by a suspicious email, perhaps clicking on a suspicious link or visiting a suspicious website, or if your device is operating strangely.

Exploiting email and browsing remains the most common method of launching cyber attacks and gaining access to organisational networks.

These attacks are designed to both exploit and dupe you into ‘letting them in’. Anyone can fall for phishing attacks, which is why they are the first choice of cyber criminals. It is essential that you don’t delay in reporting suspicious incidents. Do not just switch off the device and/or walk away in the hope that it will all go away. Action is needed as quickly as possible.

Effective communication following a cyber security incident

Clear communication will help minimise the short term impact of an incident and will assist in building trust with your customers, reducing the long term impact of an incident.

Cyber and Fraud Centre – Scotland, in partnership with Clark Communications, has produced a Reputation Management Framework.

This document aims to support you in the event of a cyber security incident, by providing advice on when to disclose and ways to share the message effectively in such situations. This can improve and complement your existing practices and help to increase the resilience of your organisation if breached.

Download Reputation Management Framework