1. What is a cyber attack?
A cyber attack is an attempt by criminals to compromise your computer systems, networks or devices. The motivations of cyber criminals vary, from causing disruption and reputational damage, to theft, to destroying or stealing data and extorting large sums of money. The type and scale of attacks that businesses experience therefore differ considerably.
Attackers are often opportunistic, so being small does not mean your business will be beneath their notice: hundreds of thousands of small businesses report experiencing a cyber attack or security breach every year.
Businesses need effective cyber security and resilience. However, any business can fall victim to cyber criminals and hackers attacking its systems, leading to a cyber incident. Common types of incident include:
- phishing
- hacking
- infected devices
- business payment fraud
- ransomware attacks
- denial of service (DoS) attacks
Some attacks can be so severe they completely stop a business from trading. Some never recover. This is why it’s important to have a cyber incident response plan prepared and regularly tested.
2. Identifying a cyber attack
Often it is immediately obvious that you have a problem. For example, you may suddenly find:
- most or all of your staff locked out of their accounts
- customers unable to access any of your services
- demands that you pay a ransom for a criminal to release your files.
Sometimes, however, you may only begin to notice that something is wrong over several hours, days or weeks:
- individual or multiple computers running more slowly than normal
- reports of people receiving unusual emails sent from your domain when you did not send them
- customers struggling to access your services
- some staff unable to access documents or locked out of their accounts
- requests for payments that you have not authorised.
You may also receive early warnings of suspicious activity or potential threats if you register for them, such as the National Cyber Security Centre's (NCSC) early warning system, a free digital tool that alerts you to malware and vulnerabilities affecting your network.
3. Initial response and recovery from a cyber incident
Ideally you will have an up-to-date cyber incident plan to put into action. This will help you classify and analyse incidents to inform actions and escalation within your business. It will also save valuable time and help you stay calm so you can manage and mitigate the impacts.
The NCSC recommends that you ask key questions to establish what is happening.
The type of cyber incident will shape how you respond and recover, for example:
- which passwords need to be changed
- whether infected hardware needs to be cleaned or replaced
- whether software needs to be patched with the latest updates
- whether services and data need to be restored from back-ups.
You may need specific advice, which can be provided by:
- Your insurer, if you have cyber insurance.
- Cyber Fraud Centre Scotland - Incident Response Helpline - 0800 1670 623 on weekdays from 9am to 5pm. Run in collaboration with Police Scotland and the Scottish Government, they can also signpost you to experts who can provide onsite support.
- NCSC - online advice for small businesses specific to different categories of incident such as phishing, ransomware and denial of service attacks, as well as hacking, infected devices or business payment fraud.
Very quickly you will need to consider what information you need to communicate to your key stakeholders. The general principles of communicating during a crisis will apply. The NCSC has specific advice covering communications during a cyber incident.
4. Reporting cyber incidents
You will need to decide whether to report the incident to:
- your bank
- your insurer
- the police
- the Information Commissioner's Office (ICO)
- the National Cyber Security Centre.
Informing your bank
If you think you could have been a victim of fraud or any form of online scam, or could be at risk of fraud, notify your bank immediately.
Informing your insurer
It’s important to update your insurers if the incident may lead to you making a claim. Also, if you have dedicated cyber insurance, they may provide you with IT forensics support to help you respond and recover.
When to call the police
If you suspect the cyber incident is caused by criminal activity, contact Police Scotland.
- Non-emergency (including if you have lost money through fraud) - call 101
- Emergency (threat to life or national infrastructure) - call 999
Mandatory reporting of personal data breaches
You are legally required to report breaches of users’ personal data to the ICO as soon as possible and within 72 hours of discovering the breach.
A personal data breach is an accidental or deliberate security breach leading to data being:
- accidentally or unlawfully destroyed
- lost or altered
- disclosed or accessed without authorisation
The ICO provides step-by-step actions for small businesses to take as soon as a personal data breach is discovered. This includes detail on how to:
- avoid panic
- log key information
- find out what has happened
- try to contain the breach
- protect those affected
- report it to the ICO if necessary.
Reporting incidents to the National Cyber Security Centre
The NCSC gathers information on cyber incidents across the UK to inform its activities. They seek reports on incidents affecting your computer firmware, software or hardware and where data on employees, customers or clients is affected.
They will not report the incident to the ICO, so you must ensure you meet any obligations to do that yourself.
5. Review and debrief
One of the most important tasks once you have recovered from a cyber incident is to carry out a debrief and properly document any lessons learned. The NCSC has advice on how to learn from the incident to improve future resilience.
This should then feed into your future approach to cyber security and updating your cyber incident response plan.