How do you prepare for a cybersecurity incident?

As the use of technology increases and the number of smartphones, notebooks, and tablets grows, so does the threat of hacking, data leakage, insider theft and information manipulation, and even organised crime or state-sponsored attacks. If your organisation is connected to outside networks, even just via the internet, or uses exchange services such as email for communication, then it faces an increasing level of threats and risks from cyber attacks.

Using an expensive anti-virus system and expensive firewalls provides only a partial defence against cyber attacks. It is far more effective to design and prepare an organisation-wide, systemic plan of resistance to these attacks.

What are the objectives of this preparation?

Every organisation needs to put in place a series of appropriate controls and procedures to manage cyber security incidents. These are designed to avoid or contain the impact of cyber security incidents (CSIs) and to minimise their impact on its operations.

The objectives of your Cyber Security Response Plan should include:

  • CSIs are identified, classified and dealt with efficiently;

  • Adverse effects are minimised by appropriate controls;

  • Links to operational management and business continuity are established by the escalation process;

  • Lessons are learned quickly, and Post Incident Reviews increase the chances of preventing future CSIs and improving controls.

There are five key phases of cyber security incident management (CSIM):

Plan and prepare

Effective CSIM requires appropriate management planning and preparation, including an incident management policy, information security policies, the formation of an Incident Response Team (IRT), operational tools and resources, training and awareness, and regular scenario (playbook) testing.

Detection and reporting

The next phase of CSIM requires the detection, information collection and reporting of occurrences of CSIs. It includes activation of the IRT, monitoring and logging of network and system activities, detection and reporting of events or vulnerabilities, tracking, reporting, escalation and the gathering of evidence.

Assessment and decision

This phase requires information assessment and decisions on the classification of events as CSIs. It includes assigning organisational responsibilities to staff for investigations and decision making; collecting information; logging and storing all activities, results and evidence in a secure information security database; and, if required, engaging a third party for expert analysis, assessment and recommendations.

Responses

This phase responds in accordance with the actions determined in the previous Assessment and Decision phase. Depending upon the scenario, responses could be immediate, staggered or in real time, and some may require further investigation. It must include classification of the incident, determining whether or not it is under control, allocation of resources, and crisis response activities including escalation, organisational communication and reporting.

Lessons learned

This phase takes place when CSIs have been resolved, and supports the continuous improvement of the CSIM process. It includes identifying the lessons learned, the improvements and changes to be made to controls and processes, revised risk assessments, communications and reporting, and sharing the results with the senior management of the organisation.

Remember what Winston Churchill once said… “To improve is to change; to be perfect is to change often.”

And don’t forget the collection of evidence, reports, and information

All phases require the collection and secure storage of reports, logs, evidence material, emails, and so on. This requires a secure database location which becomes the repository for logging and storing all incident reporting documentation, emails and other related material.

Evidence might be in the form of a computer, laptop or mobile device which has to be disconnected from the network but not altered in any way (for example, it must not be turned off). You need to arrange disconnection and provide secure physical storage for these items at the time of the incident.
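As an added illustration of the "not altered in any way" requirement and of the secure incident repository described above, the following Python example (not the page's or Doll Martin Associates' tooling) keeps an append-only custody register that hashes each evidence item at intake and can later show whether the item has changed. The incident ID, custodian and sample log line are constructed placeholders.

```python
# Evidence intake register: a hypothetical added example, not tooling from the original page.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so that large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

class CustodyRegister:
    """Append-only JSON-lines log: which item was seized, by whom, when, and its hash at intake."""

    def __init__(self, register_path: Path):
        self.register_path = register_path

    def entries(self) -> list:
        text = self.register_path.read_text() if self.register_path.exists() else ""
        return [json.loads(line) for line in text.splitlines() if line.strip()]

    def record(self, incident_id: str, item: Path, custodian: str, note: str) -> dict:
        entry = {"incident_id": incident_id, "item": str(item), "sha256": sha256_of(item),
                 "custodian": custodian, "recorded_at": datetime.now(timezone.utc).isoformat(),
                 "note": note}
        with self.register_path.open("a") as fh:  # append only: earlier entries are never rewritten
            fh.write(json.dumps(entry) + "\n")
        return entry

    def verify(self, item: Path) -> bool:
        """True only if the item was registered and its current hash matches the hash at intake."""
        recorded = next((e["sha256"] for e in self.entries() if e["item"] == str(item)), None)
        return recorded is not None and sha256_of(item) == recorded

def demo() -> tuple:
    """Constructed sample: register a captured log, verify it, then show that alteration is detected."""
    workdir = Path(tempfile.mkdtemp())
    evidence = workdir / "mailserver.log"  # constructed sample evidence file, not a real capture
    evidence.write_text("2024-01-01T00:00:00Z login failed for user alice\n")
    register = CustodyRegister(workdir / "custody.jsonl")
    register.record("INC-0001", evidence, "on-call analyst", "seized from mail gateway")  # placeholder values
    before = register.verify(evidence)  # True: untouched since intake
    evidence.write_text(evidence.read_text() + "edited after seizure\n")  # simulate accidental modification
    after = register.verify(evidence)  # False: hash no longer matches the intake record
    return before, after, len(register.entries())
```

In practice the register file itself should live in the secure repository and be write-protected, so that the intake hashes cannot be rewritten along with the evidence.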

If you would like to talk about how to prepare for cyber security incidents or about any of our information security services, please feel free to contact Doll Martin Associates at or via the button below.