A suspected data breach can be stressful, but it’s important that you don’t panic. Taking the right steps, particularly in the first 72 hours after suspecting that a breach has taken place, is critical. With the right resources, expertise and process in place, you can limit the damage and ensure you comply with any legal duties. In this blog post we look at who to call first in the event of a suspected cyber security incident.
Has a cyber incident taken place?
Firstly, it’s important to ascertain if a breach actually happened, because from a legal perspective the clock starts ticking from when you actually discover the breach.
If you suspect a breach, start keeping a log of the timeline of events
- Start a log to record what happened, who is involved and what you’re doing about it.
- The likelihood is that an external cyber resource, or an internal team member responsible for cyber security, alerted the business to a possible incident. If they didn’t, then contact them as a first priority so they can put your incident response plan into motion.
- Start an investigation as soon as possible to ascertain if a breach has happened.
- Instigate your incident response plan to ensure containment and damage limitation, and undertake a risk assessment to identify the probability of further impacts through your network.
- Ensure the log is updated regularly with a clear timeline of all activity. Include all facts about the incident as you uncover them – what happened and why, how many people were involved, details of actions you’ve taken.
If there has been a security incident, is it reportable to the ICO?
Once you have established if a breach has taken place, next you will need to determine if it is notifiable to the Information Commissioner’s Office (ICO).
Reportable Data Breaches:
- Data breaches only need to be reported if they “pose a risk to the rights and freedoms of natural living persons”.
- If a breach has taken place and is deemed reportable, by law you must report a personal data breach to the ICO without undue delay and within 72 hours of when you discovered it.
- When reporting you will need a description of the nature of the personal data breach including, where possible:
- The categories and approximate number of individuals concerned.
- The categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Recordable Data Breaches:
- Even if you are not required to report a data breach to the ICO, the GDPR mandates that you make and keep a full record of it.
Do you have cyber insurance in place? Make sure you know the terms of your cover
Do you have cyber insurance in place? If so, it’s understandable that your instinct might be to call your insurer first. However, this isn’t always necessary.
We recommend that you take a detailed look at your policy conditions at the point of sign up/renewal, rather than leaving it until the last minute when you might need help.
Some policies may provide cyber support and assistance in the event of a breach and stipulate a set process to be followed.
Other policies may simply outline how you notify your insurer and within how many hours/days this must be done. This may give you a window of opportunity to conduct your own investigation using your in-house resources, or external cyber specialists.
Either way, check the terms and conditions of any policy at the point of sign up/renewal and include the details in your cyber incident response planning.
What about informing The Police?
A natural reaction might be to immediately call The Police or notify Action Fraud. However, there is no legal requirement for organisations to report a security breach to The Police. We advise that you investigate the situation, gather all the facts and evidence, undertake containment and damage limitation, and then report to the authorities, once again checking any conditions of an insurance policy.
Have an expert ready to act on your behalf: they can advise who to call first in the event of an incident
The first 72 hours after a suspected breach are critical. This is a short window of opportunity to do the right things when you suspect a cyber incident, including deciding who to call first.
All organisations should have a detailed and well rehearsed cyber incident response plan in place. Our cyber consultants can work with you to optimise your incident response plan, to reduce the impact, and cost, of an attack.
We appreciate that it can be extremely hard to find the right experts, especially during chaotic and confusing times when you really need an expert. Don’t leave it to chance.
If you are not confident in your organisation’s ability to react effectively when responding to a breach, then we advocate employing a Managed Security Services Provider (MSSP) to provide an end-to-end managed cyber incident response service on your behalf.
Don’t wait to find an expert until you need one
We cannot emphasise it enough: being prepared is essential, and that includes knowing who to call first in the event of a cyber incident.
If you are not 100% confident of the steps your organisation would take in the event of a suspected breach, now is the time for you to shore up your cyber defences, rehearse your incident response plans and put in place specialist cyber support for your organisation.
For expert advice, get in touch with our team of cyber security consultants. We are here to help.