
How to handle the first 48 hours of a cyber incident

Roddy Priestley 22 November 2022


In our latest research, Cyber Security Insights Report 2022, we saw a steep rise in the frequency of serious cyber incidents experienced by large organisations within the past three years – from 60% in 2021 to 75% in 2022. Evidence, if more is needed, that businesses must be prepared for a cyber-attack.
In our new video, The first 48 hours of a cyber incident, we share how a business under attack should respond - from the first hours, when unplugging safely and getting external expert support are critical, through to remediation and recovery once the incident is contained. We hope it helps in your organisation’s cyber preparedness.

0 to 4 hours

During the initial phase, unplugging safely is the first step, along with contacting your insurer. Key actions include:

  • DO provide a comprehensive handover of information
  • DO ensure you act on the initial advice from the technical vendor
  • DON’T be slow to act
  • DON’T delay notifying the insurer
  • DON’T ignore containment advice

12 hours

Your legal, technical, operations and C-suite teams will each have their own internal recovery activities. But the success of a serious cyber crisis response rests on communication and the right governance across all teams. Ensure everyone knows their role and communicates effectively.


18 hours

Now the investigation is underway. The technical responders will analyse the forensic evidence; in a ransomware incident, for example, they’ll examine:

  • How did the threat actor get in?
  • How did data exfiltration take place, and what data has been lost?
  • What’s been seen or changed in the environment by the threat actor?

23 hours

Containment is vital, and it is the monitoring team that will detect and remove malware. Don’t slow down this phase. Make sure you have a clear understanding of your network and the devices connected to it, for example the number and location of laptops and the security controls around them.


48 hours

Recovery can take you well beyond 48 hours; the more prepared you are, the quicker it will be. Key steps include:

  • Planning before a response
  • Prioritising during a response
  • Having a good understanding of what systems are critical


Contact S-RM if you would like to discuss how to improve your cyber resilience or our incident response services.

S-RM is a global risk consultancy providing intelligence, resilience and response solutions to clients worldwide. To discuss this article or other industry developments, please reach out to one of our experts.

Roddy Priestley, Director, Cyber Security
