How to recover from a cyber attack

One in three UK organisations fell victim to a cyber attack in 2018, costing £17.8 billion in total.

Your first – obviously valid – thought might be that we all need to get better at preventing security incidents, but it’s not the whole story.

Cyber attacks are so widespread, and criminals’ tactics so varied, that it’s impossible to prevent breaches altogether. Because organisations invest the majority of their resources in preventing attacks, they are left unprepared when one succeeds, and that is why attacks are so costly.

The damage would be far less costly if organisations prepared for the inevitability of cyber attacks and implemented an incident response plan to help them respond to and recover from incidents quickly and effectively.

What is an incident response plan?

An incident response plan is a document that outlines the steps an organisation must take following a cyber security incident.

What goes in an incident response plan?

Incident response plans can help organisations identify vulnerabilities in their networks and processes, mitigate the effects of a variety of situations and limit the damage caused by security incidents.

They also help organisations:

  • Spot when a security incident has occurred;
  • Assess the immediate damage;
  • Identify who needs to be made aware of the situation; and
  • Document the steps towards recovery.

Incident response in action

Let’s take a look at a real-life example of an organisation using an incident response plan to recover from a cyber attack.

On 19 March 2019, the systems of the aluminium producer Norsk Hydro were infected with ransomware, but instead of acquiescing to the criminals’ demands, the organisation turned to its incident response procedure.

Norsk wiped its systems and restored clean versions from backups (a recovery route that depends on the backups being intact and kept isolated from the infected systems), knowing that its cyber insurance policy would help cover the costs.

Meanwhile, employees from across the organisation were drafted in to ensure operations continued.

The incident cost Norsk about £60 million, but given the organisation’s moral stand against paying a ransom (an approach every organisation should take), it was an exemplary recovery effort.

Despite having to shut down 40 networks and 22,000 computers, Norsk was able to continue operating, all the while garnering praise from security experts and expecting profits to bounce back in the coming months.

Let’s compare that to an organisation that had no idea what to do when it suffered a major disruption.

Response efforts found wanting at British Airways

In May 2017, British Airways was reportedly hit by a power surge that shut down its IT systems and caused the airline to ground all its flights for 48 hours. (This is a separate incident from the one that led to the recently announced £183 million fine.)

The airline struggled to respond to the disruption, with one passenger telling the Guardian that the response “felt very improvised, and not very successful at all. It was honestly the angriest place I’ve ever been […] No one knew what was going on, which is why everyone was so miserable.”

Other passengers struggled to contact the airline to reclaim their baggage, while those in Heathrow Airport at the time were told to leave without the bags and collect them later.

Hundreds of people stood around waiting for guidance. Many missed their flights over the coming days – not necessarily because of cancellations but because the airline’s online and in-terminal check-in systems were down. This caused massive queues as staff had to handle huge numbers of requests at check-in desks.

Given British Airways’ reliance on technology, an incident response plan was essential. It would have helped the airline identify the main problems and find suitable solutions.

Don’t have time to create an incident response plan?

If you suffer a data breach before you’ve had time to implement an incident response plan, don’t panic. Our cyber security incident response service provides you with the expert help you need.

With years of cyber security experience, our consultants know how to tackle any type of security incident. They’ll help you identify the source of the compromise, guide you through the response effort and ensure that you return to business as usual.
