STAGING

Recover from a cyber incident

How to recover and learn from a cyber security incident

These actions will help your organisation get back up and running as soon as possible. You must also confirm that everything is functioning normally and fix any problems. 

Follow your business continuity plan 

Ensure you always have access to a ‘grab-bag’ of key documents necessary to respond to an incident. This should include paper copies of your business continuity plan and up to date contact information for people you need to contact.  

If your IT is managed externally contact the right people to help. Work with your IT suppliers and IT support to identify the nature and scale of the issues. They can help you to prevent issues from spreading and implement measures to address the root causes. 

If you manage your own IT, put your business continuity plan into action. Depending on the type of incident you are responding to, this may involve: 

  • replacing infected hardware 
  • restoring data through backups 
  • updating software 
  • doing a factory reset on a phone or tablet 
  • remotely wiping data on a lost or stolen phone or tablet 
  • running an antivirus scan and clean up on a laptop or PC. 

Recover hacked accounts 

The National Cyber Security Centre offers advice about recovering a hacked online email, social media or bank account.  

They suggest that you can go to the account provider’s website and search their help or support pages for the account recovery process. If you can’t find what you need on the website, use a search engine query (for example, ‘How do I recover my Instagram account’) and follow the links. They also recommend that you: 

  • Check your email account to see if forwarding rules have been set up by hackers 
  • Change passwords 
  • Log all devices and apps out of your account 
  • Set up multifactor authentication (MFA) 
  • Update your devices to run the most up to date software 

Check out cyber security consultants 

If you’re considering using services from a cyber security consultant, take steps to make sure you use reputable organisations and know how their offer meets your requirements and your business type.  

View the National Cyber Security Centre assured services 

Learn from the incident 

After the incident, it’s important to review what has happened and learn from any mistakes. Not only is it important to review your technical controls after the incident, such as your anti-virus programme, it is also a great opportunity to review and implement staff awareness or training measures to help develop your staff’s data security culture.  

  • Keep a detailed record and timeline of the incident, response actions, and outcomes. 
  • Consider what you need to do differently in the future to maintain secure systems.  
  • Take action to try and reduce the likelihood of it happening again and update your business continuity plan based on the lessons learned. 
  • Carry out training to share information with colleagues about the incident and what you have learned as a result.  

Here’s an example of the learning gained by one care provider who experienced a cyber-attack: Cyber security in care: What do small providers need to know? 

Access free support 

There are several organisations that help you with cyber security issues. 

Find out more