If you suspect a security breach within your organisation the first thing to do is do NOT panic. Find someone you can trust to talk to and do not rush any decisions as you could potentially further impact the business.
Here are a few steps that we recommend following in an incident:
Build a Timeline of the incident
Start by building a timeline of the incident so that you can gather information on what occurred to lead you to this situation. You need to be able to establish the following to help you with any potential investigations, inquiries and PR:
- Establish a picture of the incident: what happened when and who was involved?
- What and who are at risk and impact to those?
- What is the impact on clients, partners and suppliers?
- What is the impact on your team and business?
- Do you need to suspend any significant parts of your business while you investigate?
Whilst developing a timeline of events it is important to remember that this is not a blame game. Mistakes happen and we need to fully understand what has happened and why so that we can reduce the likelihood of it happening again.
Talk to your team
Once you have created a timeline you need to know who to speak to. This can differ dependant on what has occurred. Managing through a major incident can often include speaking to the below groups:
- Incident Management teams
- IT support
- Cyber security support
- Senior Colleagues
- PR & Communication specialists
- Law Enforcement – Police, National Crime Agency, Action Fraud
- Support Services – Bank, Insurer
- Data Subjects
- Regulators – Information Commissioners Office (ICO), Financial Conduct Authority etc
Remember all of your staff are now PR for your business, ensure they do not answer any questions but refer to the central response team.
Once you are aware of the situation and have your team in place you can start working on the most appropriate action you need to take. Building an Action Plan does not replace your Business Continuity plan but allows you to identify critical actions to take and which actions take priority. This should include but not be limited to:
- Do we have enough information to understand the situation?
- Do we have the right people involved or do we need external support?
- Are we allocating sufficient and the right resources to this?
- Have we identified any external stakeholders and brought them into the conversation?
- Stop significant and pertinent parts of your business, suspend relevant IT services.
It is also recommended to stop any marketing and social media activity.