What should you do if your IT systems suffer a security breach?

The Cyber Security Breaches Survey 2023, published by the Department for Science, Innovation and Technology last week, found that 24% of charities have been victims of cyber breaches or attacks in the last 12 months. See more at: https://www.civilsociety.co.uk/news/quarter-of-charities-experienced-cyber-attacks-last-year-say-government-figures.html

What is a Data/Cyber Breach?

There are many types of data breaches or cyber attacks. Some of the most common include:

  • Phishing is a type of social engineering scam that uses fraudulent email to attempt to obtain sensitive information.
  • Ransomware is malicious software designed to block access to a computer system until a sum of money (or ransom) is paid or some other action is completed.
  • Baiting is a cyber attack that infects a computer with malware after tricking someone into downloading free music or movies.

What should I do if I suspect my systems have been compromised?

Firstly, don’t panic!

It’s important to remain calm in such a scenario and think logically about your next best steps.

Step 1 – Assess the breach

Without assessing the breach and finding out what has been affected and impacted, you won’t properly know how to respond. If it’s simply a case of 1 email address being hacked, then your response will be very different than if you have been attacked with ransomware on your systems. You may be able to pinpoint how the breach was initiated by checking your security data logs through your firewall or email providers, your antivirus program, or your Intrusion Detection System. If you have difficulty determining the source and scope of the breach, consider hiring a qualified cyber investigator – it may be worth the investment to help protect yourself moving forward.

You’ll also need to find out who may have been affected by the breach, including employees, customers, and third-party vendors. Assess how severe the data breach was by determining what information was accessed or targeted, such as birthdays, mailing addresses, email accounts and credit card numbers.

Step 2 – Contain the breach

While you may be tempted to delete everything after a data breach occurs, preserving evidence is critical to assessing how the breach happened and who was responsible. The first step you should take after a data breach is to determine which servers have been compromised and contain them as quickly as possible to ensure that other servers or devices won’t also be infected.

Here are a few immediate things you can do to attempt to contain a data breach.

  • Disconnect your internet
  • Disable remote access
  • Maintain your firewall settings
  • Install any pending security updates or patches
  • Change passwords

You should change all affected or vulnerable passwords immediately. Create new, strong passwords for each account, and refrain from reusing the same passwords on multiple accounts. That way, if a data breach happens again in the future, the damage may be limited.

Step 3 – Implement your disaster recovery plan

If the incident is serious, then implement your disaster recovery plan with immediate effect. This will help inform your next actions and get all the key personnel around the table to discuss next steps. If you don’t have a formal disaster recovery plan (and we recommend you do), then get those key personnel together, including chief executives, senior managers, IT staff and HR personnel, as quickly as possible to get a plan of action together.

Step 4 – Inform your trustees or board

Your board or trustees will need to be kept informed, so inform them at the earliest opportunity. This will give them reassurance that everything is in hand.

Step 5 – Contact your insurance provider

You may already have cyber insurance on your policy without knowing it. If you do (and we recommend you do), then your insurer may be able to provide technical expertise alongside financial assistance to help you get back on your feet. Make sure you contact them as soon as is feasible – delaying it any longer may invalidate any claim!

Step 6 – Notify Customers

Communication can be key to maintaining positive, professional relationships with your members, customers and stakeholders. Be open and transparent where you can and if their data has been impacted be up front with them. You may also need to make them aware of how it might impact the services you provide them.

Step 7 – Fix the problem

This one goes without saying, but step 3 may already have started the process of getting you back on your feet again. It may seem a long while from step 1 to get to this point, but those initial steps may only take a few hours.

Step 8 – Contact the relevant authorities

Report the incident to the National Cyber Security Centre. You may also need to report it as a data breach to the Information Commissioner’s Office (ICO) if personal data has been impacted. If (and only if) it is likely there will be “a risk to people’s rights and freedoms” then your charity is obliged to report the breach to the ICO. This should be done without undue delay, and in any case within 72 hours of discovery.

You may even have to consider contacting your bank if payment systems were affected.

Step 9 – Learn & Implement Improvements

Having had a serious breach, the last thing you’d want to do is go through this again. We recommend having formal de-briefs and discussions with your Disaster Recovery Plan group so that you can put a plan in place to plug any holes you may have found.

Other Info

Whatever type of organisation you are, but especially if you are a charity, please check out the National Cyber Security Centre’s guide at https://www.ncsc.gov.uk/files/Cyber_threat_report-UK-charity-sector.pdf. This provides all sorts of advice on how you should be approaching cyber security within your organisation.