The National Cyber Security Center (NCSC) has published specific guidance for CEOs aimed at helping them manage cybersecurity incidents.
According to the NCSC, resources and learning materials for executives on how to respond to a cyberattack are few and far between, leaving many in the dark in the event of an incident.
The new guidance aims to provide detailed information on how executives can handle a cyber incident, as well as how to engage with relevant staff and authorities to resolve issues.
“If your organization is the victim of a major cyberattack, the immediate consequences will be challenging. You may find that there is a lot of information in some areas and none in others,” warns the NCSC.
“Difficult, risk-based decisions will need to be made to protect your operations. Your goal will be to limit the impact on your business, customers and staff in the weeks and months ahead.”
Here are seven things every CEO should know if their organization suffers a cyberattack.
Governance is essential
The NCSC says organizations should consider appointing a Senior Responsible Officer or using a broader governance command structure, such as the bronze, silver, and gold model, to assign overall responsibility for an incident.
CEOs should ensure structures are in place to manage the full impact across the organization and facilitate those managing the response to meet regularly to collaborate and discuss progress.
Similarly, the guidance recommends that they inform and empower senior decision-makers and work with regulators and insurers, providing updates to the board.
Bring in external resources
Organizations affected by a cyberattack often hire third parties to help assess the impact and identify key areas of focus during the remediation process, which the NCSC says is advisable in most cases.
The security center strongly recommends using a cyber incident response (CIR) company to assist in recovery management.
For businesses that have cyber insurance, their insurer may have in-house experts or preferred CIR firms that organizations can work with. The NCSC also maintains its own list of approved companies, which managers can consult through the center's website.
Communicate with those affected
The ICO guidelines make clear that the ICO must be informed of notifiable breaches “without undue delay” and no later than 72 hours after the organization becomes aware of them. Risks to data must also be disclosed to the data owners concerned.
In terms of public messaging, the NCSC says communications should be factual and clear, and the incident should not be misrepresented or downplayed.
“You may need to provide a different level of detail to different groups: key decision makers and stakeholders in your organization, general staff, partner organizations or communications to the public,” the NCSC warned.
“Make sure you know in advance who should be included in your communications planning.”
Think twice before paying a ransom
While it is tempting to simply pay in the event of a ransom demand, the NCSC advises against doing so.
As the NCSC points out, there's no guarantee that paying will mean regaining access to data or networks. Research published by Cybereason earlier this year showed that companies that previously paid ransoms are frequently targeted again, as cybercriminals have evidence that they are likely to comply.
The question of whether a ransom should be paid has become a source of controversy throughout the security industry in recent months.
In January 2024, calls for a complete ban on ransom payments by a major security provider sparked negative reactions from some members of the community, with experts suggesting it could risk “criminalizing victims.”
Consider team resilience and well-being
It is important to take into account the effect that an incident can have on staff morale, creating stress and uncertainty, according to the NCSC.
Security incidents can take months to resolve, so it's important to ensure staff aren't burned out.
Stress and burnout among cybersecurity professionals have been a long-standing problem across the industry. Research last year showed that almost half of senior cybersecurity staff were considering leaving the profession entirely.
Meanwhile, alternative research into work culture in the industry found that many professionals frequently work longer hours, and some even miss important life events and cancel vacations because of work.
Review lessons learned
The NCSC advises producing a report after any cybersecurity incident to try to identify how it occurred.
This, according to the guidance, should be systemic in nature, rather than an exercise in assigning blame. Recent research specifically highlighted a “blame game” culture as a leading cause of workforce burnout and discontent immediately following a cyberattack. A clear set of rules before a cyberattack, such as a data breach response plan, can help prevent these pressures from becoming too great.
The NCSC says organizations should carry out a general cybersecurity review to help understand and manage vulnerabilities that could lead to further attacks. Leaders can also implement specific measures to protect against data breaches and establish a strategy for AI threats.
Report incidents
Finally, major incidents should be reported to the NCSC and UK law enforcement authorities who can provide support.
The NCSC says this can be done using the UK Government's signaling tools, which explain how organizations can notify the relevant authorities based on the individual circumstances of the incident.
Authorities and agencies such as the Information Commissioner's Office (ICO) and the NCSC frequently work with public and private sector organizations following a cyberattack or security incident.