Picture this: Your charity has just been hit by a ransomware attack. Your files are all encrypted, staff are locked out of their computers, and hackers are demanding a substantial ransom to restore everything, otherwise they will release your beneficiary data onto the internet.
As alarming as this may sound, it is far from unlikely: charities are increasingly being targeted by cyber criminals as more not-for-profits build and broaden their online presence. Last year, 30% of charities reported cyber security breaches, a significant increase from 19% in 2018.
Yet alarmingly only 24% have a formal policy or process in place to manage this risk should the worst happen, according to a survey conducted by the Charity Commission.
How would your organisation respond if it was unlucky enough to be hit by ransomware? Having a clear, structured Cyber Incident Response Process in place is crucial, and knowing in advance who will call the shots and who will handle communications, both internally and externally, is essential.
In this guide we take you through a 10-step process to ensure you are prepared if the worst should happen.
10-step Cyber Incident Response Process
1. Avoid snap emotional decisions
Falling victim to a ransomware attack is distressing, particularly when it stops you supporting the people your charity exists to help. It is very easy to make quick decisions in good faith that turn out to have big knock-on consequences. As obvious as it sounds, it is vital that you and your team step back and look at the situation from height. Start documenting decisions and how they were reached from the outset, as this record will matter in the post-mortem (step 10) and in any conversation with insurers or regulators.
2. Form a 'War Room'
Assemble your organisation's key stakeholders in a pre-agreed place, physical or virtual, to tackle the issue collaboratively, plan the response and make sure everyone is clear on what needs to happen next. Bear in mind that your computers, and possibly your Microsoft 365 tenant, may be offline, so Teams or Zoom may not be available; an old-fashioned telephone conference bridge is a good backup. Agree a cadence for the team to dial in for updates, for example every hour.
3. Information Triage: IT – Staff – Insurers
The first port of call in any cyber security breach should be your IT department or provider. Their priority is to isolate affected devices and servers from the network as quickly as possible (unplug network cables, disable Wi-Fi, block the accounts being used) to stop the encryption spreading. Where you can, isolate rather than power off: the contents of a running machine's memory are often valuable to forensic responders and are lost on shutdown. Next, inform the rest of your staff, making sure you have communication channels that still work without your usual systems, e.g., phone calls or SMS. News of the breach should be kept strictly within the organisation at this stage. Then inform your insurers; check the policy for any notification conditions, as late notice can affect cover, and many insurers will provide or fund specialist expertise for the recovery and post-mortem. Finally, report the incident to the National Cyber Security Centre via its Report a Cyber Incident service, for the same reasons.
4. Backup Assessment
It is highly likely that the only way you will get things back online is to restore your data from backups; this is how most ransomware incidents get resolved. You will need to assess the backups you already have. First check that they have survived: attackers routinely delete or encrypt backups that are reachable from the compromised network, so confirm that an offline, immutable or otherwise isolated copy exists and is clean. Then remember that a restore takes you back to the point of the last backup, and everything since will be lost. In other words, if your backups run overnight, today's work will be gone, so this needs to be communicated and planned with the teams affected. This also highlights how important it is to be confident not only that backups are in place, but that they are working properly and have been tested with a real restore before you ever need to rely on them in an emergency.
5. Data Analysis
This is the stage where you determine what has been encrypted and what has not. It is likely that some but not all of your data will have been affected. For example, your shared drives may be locked, while data held in your database, CRM or web-based applications may be untouched. This analysis is your impact assessment of the damage done, and it informs the later decisions on restoration and communication: it is very important to know the extent of the damage before wider groups of staff or stakeholders are told.
6. Restoring data (inc. costs)
Restoring data from backups takes time and costs money, so after step 5 above, engage with your IT team or third-party providers to understand their recovery timelines and any associated costs before giving approval to proceed. Most systems and IT providers stipulate a Recovery Time Objective (RTO) as part of your Service Level Agreement, so this can be referred to in these discussions and the providers held to account if required.
7. Decision: engage with Threat Actor or not
It may be surprising to see this milestone so late in the process, but the extent of the attack must be understood before you can make an informed decision about engaging with the attacker. The general NCSC advice is not to engage with the attacker nor pay any form of ransom: there is no guarantee the data will be returned or that stolen data will not be leaked anyway, and paying can mark you out for further extortion. Your individual circumstances will nevertheless shape the decision. It is vital that you work through the steps above and seek professional advice first if you are considering making contact.
8. Communicate with stakeholders/beneficiaries
Keeping your stakeholders and beneficiaries informed is essential, and in some cases notifying affected individuals is a legal requirement (see step 9). Having the facts and knowing the extent of the damage before you do so is just as important. The attack on NHS supplier Advanced was not helped by their refusal to say whether patient data was at risk; equally, rushing out communications only to back-track later when the true extent of the damage emerges is just as damaging. Be as honest as you can, set out what you are doing to manage and mitigate the risks, the implications and expected consequences, and when you expect to provide the next update.
9. Inform the ICO and Charity Commission (if applicable)
It may come as a surprise to learn that you do not necessarily need to inform the Information Commissioner's Office (ICO); it depends on the extent of the breach and the types of personal data affected. You will need to complete this assessment within 72 hours of becoming aware of the breach, and the ICO provides a self-assessment tool to help. If the assessment confirms that the breach is reportable, you are legally obliged to report it within that same 72-hour window. Bear in mind that the ICO does fine charities for breaches, so it is worth assessing the impact and your course of action early on. If you are a registered charity, you should also consider reporting the incident to the Charity Commission as a serious incident; again, assess the severity first and follow the Charity Commission's latest guidance.
10. Reporting & Post-Mortem
Learning from the incident is just as important as handling it well in the first place. Document all decisions and the timeline as they happen, rather than weeks later, so that the minor details that could be improved next time are not forgotten. There will be incredibly valuable lessons to take from the event: some will be technical controls to reduce the risk of a repeat attack, others procedural ones such as ensuring that backups and SLAs are in place and tested.
Despite what some cyber security product salespeople may say, nobody can guarantee 100% protection against a cyber-attack. Being prepared, with a response plan ready should the worst happen, is just as important as taking proactive steps to minimise your cyber security risk in the first place.
If you would like to discuss any of the above, or how Smartdesc can help facilitate or test your Security Incident Response Plan, please get in touch.
About the Authors
Smartdesc is an IT Service Provider, Microsoft Gold Partner and NCVO Trusted Supplier that supports charities and non-profits in the UK to improve their IT systems, reduce their cyber security risk, and develop their IT strategies. We partner with household names such as Mind, Terrence Higgins Trust, WaterAid and the YMCA; our mission is to share best practice and innovation in the Third Sector.