03 Apr 2024
by Andy Catley, Ruth Murray

Cyber attacks are common in the public sector, accounting for around 40% of all UK incidents.

Cyber attacks and data breaches are a real risk for public sector organisations, topping Aon’s Global Risk Management Survey. Being prepared and understanding how a cyber response service can support your organisation will help reduce this risk.

Receiving a ransom demand for a five-figure sum to get your network and data restored can be extremely distressing. Being prepared and acting quickly helps take the drama out of a cyber incident.

Although that ransom note and any shutdown or encryption of your systems are likely to be the first the organisation knows of a cyber attack, they are often the very last act.

Cyber criminals are likely to have been in your system for months: the average time on a victim network is more than 200 days. During this time, as well as exfiltrating any data, they will have assessed the damage they can cause and how much they can demand in ransom.

Act fast

Speed is essential if your organisation suffers a cyber attack or data breach. The first 24 hours after a cyber security incident are critical. The second you realise something isn’t right, whether that’s a ransom note or something suspicious on your networks, it’s time to turn to the experts.

A cyber response team will be able to support you during this time, working independently or alongside any internal expertise. Cyber security incidents are multifaceted, requiring a variety of different skills to contain and remediate the damage caused and help an organisation build cyber resilience to reduce the risk of another incident.

Cyber incident response

Once an incident happens, the most pressing matter is to understand its nature and how it affects the organisation. To gain this insight, the response team’s digital forensics experts will analyse the organisation’s networks to understand where the cyber threat actors have been and what data they have accessed.

Alongside this, they will also undertake cyber threat hunting to determine whether the threat actors are still in the network. This provides confidence that the organisation is no longer actively compromised, which is essential before any remedial work can begin. 

At this initial stage, they may also recommend engaging a law firm to act as breach coach and deal with all the legal aspects of a cyber attack. This might include advising on data privacy laws and dealing with the regulators.  

Ransom action

The question of whether to pay the ransom will also arise. There are no hard and fast rules on this, unless the demand comes from an entity on a sanctions list such as those issued by the UK FCDO or the US OFAC, in which case paying is illegal. Often the decision is a business one, based on the nature of the data exfiltrated or how much the cyber incident is affecting the organisation’s operations.

Where they can, a cyber response team will engage with the threat actor. This dialogue may be to negotiate the ransom, but they may also ask for ‘proof of life’ in the shape of a subset of the data that has been taken.

This activity benefits the organisation. As well as buying time, it allows a more detailed understanding of what has happened to be built up. This insight could inform the decision on whether to pay the ransom.

Recovery time

A cyber response service will also guide an organisation through any remediation and recovery action that is required. This could involve restoring data, cleaning systems, and rebuilding a network within a sandbox environment to ensure it isn’t infected.

At this stage, the cyber response team will also recommend the steps the organisation should take to prevent a repeat of the security incident. This might include recommendations on longer-term network and system repairs to strengthen the organisation against future attacks.

Given the detailed nature of the response required, it will usually take at least a couple of weeks, and typically four to six weeks, to get from that initial call to this point.

Be prepared

Whether or not your organisation has already experienced a cyber security incident, an important recommendation is to have an incident response plan. This details the actions the organisation needs to take if it suffers a data breach or cyber attack, helping to improve resilience and enabling a faster and more efficient response.

It’s also prudent to consider having a cyber response service on a retainer. It is possible to engage a service after the event occurs, but having one on a retainer means you benefit from an existing relationship. For example, at Aon, our cyber response team will get to know your systems during the onboarding process, enabling them to recommend improvements and saving time if you do experience a cyber security incident.
