
The role of an Incident Response team when an organisation is under attack


Cyber attacks are now such a threat that, in early 2022, the Government launched a nationwide Cyber Security Strategy. The strategy sets out how the country will protect itself against cyber attacks through dedicated cybercrime units, advanced technology, and industry partnerships.

But what about Britain’s businesses and organisations? How should they plan their cyber Incident Response and recovery?

The most effective approach is to have an incident response plan, a team to carry it out, and plenty of practice runs to be at your most ready for an attack.

What is incident response in cyber security?

Incident Response in cyber security is the way in which an organisation:

  • Handles a cyber-attack, data breach, or widespread systems failure
  • Manages the consequences
  • Recovers so that it can resume normal operation again

Why do you need an incident response plan?

A cyber attack or data breach can severely disrupt the operations of a business or organisation. In particular, the vast quantities of personal, commercially sensitive and confidential data stored on your computers and networks are exposed to theft.

The quicker and more effective an organisation’s response to a breach, the less likely it is to lose its customers’ trust.

In addition, a well-handled response can greatly limit the legal exposure that results from the attack, and the Information Commissioner’s Office is likely to take a more understanding view if it becomes involved.

What does an Incident Response team do?

The role of an Incident Response team is to carry out the Incident Response plan while a cyber attack is underway and in the recovery that follows it.

Who should be on an incident response team?

An Incident Manager

If an organisation has no CISO to lead the response, the best person is likely to be an Operations Manager or Director, as they have the broadest knowledge of what your business needs in order to function. They should be appointed the ‘incident manager’.

Their first task will be to find out which systems have been compromised and then evaluate how critical those systems are to the overall running of the business. They will work closely with the technical lead / incident specialist.

The incident manager should work closely with the most senior person/people within the affected department(s) to better understand what they need to be able to return to operation again.

A Technical Lead / Incident Specialist

This information should also be shared with the technical lead. Their role is to understand what caused the breach in the first place so that they can safely return the affected systems to use, even if functionality is restricted initially. They provide advice and guidance on the incident, the available options and their technical implications to the incident manager.

Human Resources

Human error is often the cause of a successful cyber attack. Sometimes, a bad actor within the ranks of your staff may be responsible. Whether the cause is negligence or intent, your HR department should be involved, particularly as decisions taken as a result of the breach may relate to staff and therefore require adherence to relevant employment law.

A legal representative

Likewise, a legal specialist with knowledge of the ramifications of a cyber attack should be available to communicate their legal opinions to the incident manager and others on the team.

A communications expert

You should take the lead in managing news of a significant breach. Someone, internal or external, who has experience in getting a clear, concise, non-technical version of your story out will be particularly valuable. A social media specialist may also be valuable for managing users’ concerns on Facebook, Twitter, and other networks.

Incident Coordinator

Someone will need to record the steps taken within your company, both to support recovery and as protection against future legal action or action by the Information Commissioner’s Office. You may also wish to appoint this person to:

  • Coordinate the flow of information between the managers of the incident response team and the people working for them, to speed recovery.
  • Inform the incident manager when they believe that an individual or department may be falling behind schedule.
  • Filter incoming communications from within the organisation to prevent the team from becoming overwhelmed.

How should the Incident Response team prepare for an incident?

Preparation is key to the successful performance of an incident management team.

By running ‘drills’, the incident manager and everyone on their team will gain practice in making the decisions they are responsible for, and a better understanding of the resources available to them in an incident.

You should be sure that you provide the facilities needed for every team member to do the work required.

If you use third parties for incident response, service level agreements (SLAs) should be worked out in advance so they know what you expect from them.

There should be a preparatory visit to your premises by all involved parties. If you have multiple premises, they need to know which one to come to and be familiar with it. Will they know where to park? Do they know which entrance to use? Have you provided them with an access card, or made provision for this during an incident?

When an incident does happen, is there enough room for internal and external staff to use their laptops, projectors, and other equipment? Will there be enough plug sockets? If they need to stay for an extended period, are there enough bathrooms and where will they get food and drink from?

Information is key to resolving a crisis. You need to make sure that internal and external team members have access to the data they require. Unannounced drills are a way to ensure that staff responsible for gathering and presenting information are doing so as you require them to. In addition, you may discover on a drill that you need more information than you thought, giving you the chance to adjust your plan accordingly.

Incident Response post-mortem

Every cyber-attack, although damaging and unfortunate, is an opportunity to learn.

Be sure to hold a post-mortem with all team members once the incident is resolved, to understand what failures or oversights within the business led to the breach in the first place, and to improve the process for recovering from an attack.

Strengthen your security posture

Since 2013, PGI’s Incident Response, Security Testing and Information Assurance teams have been helping organisations strengthen their security posture and prepare for the future. We can help you understand how well your current security measures are working and what improvements you can make to limit the damage of a cyber attack. We look at your business as a whole, including your risk profile and appetite, so we can help you prioritise security investments that are proportionate to your needs. No more, no less.

Contact us to start the conversation.