When a cyber incident or attack occurs, your incident response plan and capabilities should kick in.
Identifying what is happening
Part of the recovery plan is identifying what is happening and taking steps to mitigate the issue. The NCSC’s 10 crucial questions will help you to identify what has occurred and take steps to deal with the incident.
Once you have identified the issue, your Incident Response Plan kicks into action. You’ll also need to confirm that everything is functioning normally, and fix any problems.
Action your Incident Response Plan.
Depending on the incident this could involve:
- replacing or cleaning machines
- changing passwords
- restoring services through backups
- updating software
This may involve you contacting your IT team or external IT provider to help resolve the issue.
Ensure the incident is communicated appropriately, whether that be to staff, the wider business, or other stakeholders, as part of your Incident Response Plan. You might have to consider secure or alternative communications in the event of a sensitive incident, or where normal channels are unavailable due to an outage in your system. An example of a set of incident response team roles is shown on the NCSC page “Creating your Cyber Security Incident Response Team”.
Things that might indicate a cyber incident:
- Are programs or hardware not working as expected?
- Have you received a message demanding a ransom?
- Are users locked out or unable to access information?
- Is there unusual account activity?
Cyber Incident Response Helpline
Organisations looking for support and advice can call the free Cyber Incident Response Helpline.
The cyber incident response helpline is for the SME community and the third sector to help victims of cybercrime understand what support is immediately available to them and help them recover. The helpline is run by the Scottish Business Resilience Centre in partnership with the Scottish Government and Police Scotland and is available weekdays 9am-5pm.
Call the helpline on: 01786 437 472
Information on the helpline
This helpline will:
- Help you identify what is happening
- Provide reporting information and advice
- Take you through the actions that you need to perform to isolate the network and preserve evidence.
- Liaise with Police Scotland to assist with reporting
- Assist in the selection of a cyber security consultant to provide additional technical support and onsite assistance if required
Reporting an incident
If you are experiencing a live incident you can call Police Scotland.
You can report cybercrime as follows:
- By phoning 101 (non-emergency) or 999 (emergency)
- In person at any police station
For more information on how to report cyber crime, suspicious emails and text messages, visit our Report an incident page.
Reporting a cyber incident internally or to your IT Managed Service provider
It is important that you know who within your organisation should be notified and how to notify them if you suspect you have been duped by a suspicious email, perhaps clicking on a suspicious link or visiting a suspicious website, or if your device is operating strangely. Exploiting email and browsing remains the most common method of launching cyber attacks and gaining access to organisational networks.
These attacks are designed to both exploit and dupe you into ‘letting them in’. Anyone can fall for phishing attacks—it’s why they are the first choice of cyber criminals. It is essential that you don’t delay in reporting suspicious incidents. Do not just switch off the device and/or walk away in the hope that it will all go away. Action is needed as quickly as possible.
Reporting a cyber incident externally
Depending on the nature of the attack, you may need to report certain incidents externally, whether that be to a regulator, to the Information Commissioner, the police or indeed your customer base if it is their data that is affected.
The ICO website provides guidance on what constitutes a notifiable breach, and on preparing and responding to .
You should know who within your organisation has this responsibility, as there should be an organisational plan in place to deal with a cyber attack.
Cyber attacks are also crimes and as such consideration should be given to reporting the attacks to Police Scotland (dial 101).
In addition, the National Cyber Security Centre (NCSC) can offer advice and guidance on handling incidents.