Seven things every chief exec needs to know in the event of a cyber attack


The National Cyber Security Centre (NCSC) has released guidance specifically for CEOs aimed at helping them manage cyber security incidents.

According to the NCSC, resources and learning materials for executives on how to respond to a cyber attack are few and far between, leaving many in the dark in the event of an incident.

The new guidance aims to provide detailed information on how executives can manage a cyber incident, as well as how to engage with staff and relevant authorities to remediate issues.

"If your organization is the victim of a significant cyber attack, the immediate aftermath will be challenging. You may find there is a lot of information in some areas, and none in others," the NCSC warns.

"There will be difficult risk-based decisions to make to protect your operations. Your aim will be to limit the impact on your business, clients and staff in the weeks and months which follow."

Here are seven things every CEO needs to know if their organization suffers a cyber attack. 

Governance is critical

The NCSC says organizations should consider appointing a Senior Responsible Officer, or using a broader governance command structure such as the bronze, silver, and gold model to assign overall responsibility for an incident. 

CEOs should make sure that there are structures in place to handle the full impact across the whole organization and make it easy for those managing the response to regularly come together to collaborate and confer on progress.

Similarly, the guidance recommends that CEOs inform and empower senior decision-makers, work with regulators and insurers, and provide regular updates to the board.

Bring in external resources

Organizations affected by a cyber attack often bring in third parties to help assess impact and identify key areas of focus during the remediation process, which the NCSC says is advised in most cases. 

The security center says it strongly advises using a cyber incident response (CIR) company to help manage recovery.

For companies that have cyber insurance in place, their insurer may have in-house experts or preferred CIR firms that organizations can work with. The NCSC has its own list of approved companies, which executives can find via the center’s website.

Communicate with those affected

ICO guidance makes it clear that notifiable breaches must be reported to the ICO ‘without undue delay’ and no later than 72 hours after the organization becomes aware of them. Risks to data must also be reported to the data owners.

In terms of public messaging, the NCSC says communications should be factual and clear, and the incident shouldn't be misrepresented or downplayed.

"You might need to give a different level of detail to different groups – key decision-makers and stakeholders in your organization, wider staff, your partner organizations or communications to the public," the NCSC warned.

"Make sure you know in advance who needs to be brought into your communications planning."

Think twice before paying a ransom

While it's tempting to just pay up in the event of a ransom demand, the NCSC advises against this. 


As it points out, there's no guarantee that paying up will mean getting access to data or networks back. Research published by Cybereason earlier this year showed that companies that have previously paid ransoms are frequently targeted again, as cyber criminals then have evidence that they’re likely to comply.

The question of whether to pay a ransom has become a source of controversy across the security industry in recent months.

In January 2024, calls for an outright ban on ransom payments by a major security vendor prompted backlash from some in the community, with experts suggesting that it could risk “criminalizing victims”.

Consider team resilience and welfare

It's important to bear in mind the effect an incident can have on staff morale, with stress and uncertainty likely, according to the NCSC. 

Security incidents can take months to remediate, so it’s important to ensure that staff aren’t exhausted.

Stress and burnout among cyber security practitioners have long been an issue across the industry. Research last year showed that nearly half of senior cyber security staff were considering leaving the profession altogether.

Meanwhile, alternative research on working culture in the industry found that many practitioners frequently work longer hours, with some even missing important life events and canceling vacations due to work.

Review the lessons learned

The NCSC advises holding a debrief after any cyber security incident to try and identify how it came about. 

This, the guidance says, should be systemic in nature, rather than an exercise in assigning blame. Recent research specifically highlighted a ‘blame game’ culture as a leading cause of burnout and workforce discontent in the immediate wake of a cyber attack. A clear set of rules ahead of a cyber attack such as a data breach response plan can help prevent these pressures from becoming too great.

The NCSC says organizations should carry out a general cyber security review to help understand and manage vulnerabilities that could lead to further attacks. Leaders can also implement specific steps to protect against data breaches and establish a strategy for AI threats.

Report incidents

Finally, significant incidents should be reported to the NCSC and UK law enforcement, which can provide support. 

The NCSC says this can be done using UK government signposting tools, which explain how organizations can notify relevant authorities based on the individual circumstances of the incident.

Law enforcement and agencies such as the Information Commissioner’s Office (ICO) and the NCSC frequently work with public and private sector organizations in the wake of a cyber attack or security incident.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.