The threat an organisation faces may vary over time. At any point, there is a need to strike a balance between the current threat, the measures needed to defend against it, the implications and cost of those defences and the overall risk this presents to the organisation.
Moving to heightened alert can:
help prioritise necessary cyber security work
offer a temporary boost to defences
give organisations the best chance of preventing a cyber attack when it may be more likely, and recovering quickly if it happens
One of the fundamental actions to take is to ensure you have an up-to-date incident response plan. Consider the following:
Develop a policy - Outline authority and responsibilities in the Incident Response (IR) team. This might include the authority to take systems offline, revoke access rights, reconfigure equipment, access sensitive information or conduct forensic investigations.
Communications Plan - Consider who the IR team contacts in the event of an issue, how that contact should be made and how messages are relayed across the organisation and externally. Include an out-of-band channel (for example, pre-agreed phone numbers) in case corporate email or chat is itself compromised or unavailable.
Define critical functions - Consider which of your systems would have the highest impact if compromised and how quickly they would need to be restored. Once you know this you can prioritise time, money and effort to protect them.
Define roles - Know who will lead the incident response team, who will liaise with HR, who understands the legal implications, and who is able to communicate internally and externally.
Rate the Incident - Agree a severity scale in advance. Rating an incident against it helps you understand its gravity and bring a proportionate response to the table.
IT posture - Build documentation, network diagrams, recovery procedures, up-to-date inventories and change control documents so that you can effectively sanitise, recover or rebuild systems and operations.
Ensure network visibility - Collate logs (Windows event and security logs, antivirus, firewall) centrally and review them to identify and track issues across the network; consider SIEM technologies. Make sure clocks are synchronised across log sources and that logs are retained long enough, in a location an attacker on the network cannot alter, or you will be unable to reconstruct what happened.
Business Continuity - Develop workarounds for complete or partial loss of IT services. Consider how critical operations continue in the face of these difficulties.
Training - The identification and resolution of a cyber incident needs an organised response. The IR team need to react to different situations with confidence, which is why it is useful to practise IR through exercises or simulations.
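The "collate logs and evaluate" point above is easy to state and fiddly in practice, because each source uses its own timestamp format and field layout. The following is an added example, written for this page and not taken from the NCSC or from any product: it normalises two constructed log samples (a CSV export of the Windows Security log and an iptables-style firewall syslog) into one time-ordered set of events, then flags a burst of failed logons (EventID 4625) that is followed by a successful logon (4624) from the same address, and prints that address's timeline across both sources. The log lines, host names and addresses are invented; it assumes the firewall logs in UTC and that the caller supplies the year that syslog omits.

```python
"""Collate Windows Security log exports and firewall syslog into one timeline and
flag a failed-logon burst followed by a successful logon.
Added example for this page; the log lines below are constructed, not real."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: CSV export of the Windows Security log
# (timestamp, host, EventID, source IP, message). 4625 = failed logon, 4624 = success.
WINDOWS_SECURITY = """\
2024-03-01T09:00:01Z,WS-FIN01,4625,10.0.0.99,An account failed to log on (user: j.smith)
2024-03-01T09:00:04Z,WS-FIN01,4625,10.0.0.99,An account failed to log on (user: j.smith)
2024-03-01T09:00:07Z,WS-FIN01,4625,10.0.0.99,An account failed to log on (user: j.smith)
2024-03-01T09:00:11Z,WS-FIN01,4625,10.0.0.99,An account failed to log on (user: j.smith)
2024-03-01T09:00:14Z,WS-FIN01,4625,10.0.0.99,An account failed to log on (user: j.smith)
2024-03-01T09:00:18Z,WS-FIN01,4625,10.0.0.99,An account failed to log on (user: j.smith)
2024-03-01T09:01:30Z,WS-FIN01,4624,10.0.0.99,An account was successfully logged on (user: j.smith)
2024-03-01T08:55:00Z,WS-HR02,4625,10.0.0.7,An account failed to log on (user: a.jones)
"""

# Constructed sample: iptables-style firewall syslog. Assumption: the firewall logs in
# UTC; syslog carries no year, so the caller supplies it.
FIREWALL = """\
Mar  1 09:00:40 fw01 kernel: DENY IN=eth0 OUT=eth1 SRC=10.0.0.99 DST=10.0.1.5 PROTO=TCP DPT=445
Mar  1 09:00:41 fw01 kernel: DENY IN=eth0 OUT=eth1 SRC=10.0.0.99 DST=10.0.1.6 PROTO=TCP DPT=445
Mar  1 09:02:00 fw01 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=10.0.1.20 PROTO=TCP DPT=443
"""


@dataclass
class Event:
    ts: datetime             # timezone-aware (UTC) so events from different sources compare
    source: str              # which log the event came from
    host: str                # device that recorded it
    src_ip: str              # client/source address
    event_id: Optional[int]  # Windows EventID; None for non-Windows sources
    summary: str


def parse_windows_csv(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, host, event_id, src_ip, message = line.split(",", 4)
        # 'Z' suffix is only accepted by fromisoformat on Python 3.11+, so rewrite it
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, "windows-security", host, src_ip, int(event_id), message))
    return events


SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) \S+ (DENY|ACCEPT) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def parse_firewall_syslog(text: str, year: int) -> list:
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # lines this parser does not understand are skipped, not fatal
        mon, day, clock, host, action, src, dst, dport = m.groups()
        when = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)  # assumption: firewall clock is UTC
        events.append(Event(when, "firewall", host, src, None, f"{action} {src} -> {dst}:{dport}"))
    return events


def collate(*batches) -> list:
    """Merge events from any number of sources into one time-ordered list."""
    return sorted((e for batch in batches for e in batch), key=lambda e: e.ts)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)) -> dict:
    """Return {src_ip: n} for addresses with >= threshold failed logons inside any window."""
    by_ip = defaultdict(list)
    for e in events:
        if e.source == "windows-security" and e.event_id == 4625:
            by_ip[e.src_ip].append(e.ts)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def success_after_burst(events, bursts) -> set:
    """Addresses whose failed-logon burst is followed by a successful logon: escalate first."""
    flagged = set()
    for ip in bursts:
        first_fail = min(e.ts for e in events if e.src_ip == ip and e.event_id == 4625)
        if any(e.src_ip == ip and e.event_id == 4624 and e.ts > first_fail for e in events):
            flagged.add(ip)
    return flagged


def timeline(events, ip) -> list:
    """Every collated event from one address, in time order, across all log sources."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S} {e.host:<8} {e.source:<16} {e.summary}"
            for e in collate(events) if e.src_ip == ip]


def build_sample_events() -> list:
    return collate(parse_windows_csv(WINDOWS_SECURITY), parse_firewall_syslog(FIREWALL, year=2024))


if __name__ == "__main__":
    events = build_sample_events()
    bursts = failed_logon_bursts(events)
    print("failed-logon bursts:", bursts)
    print("burst followed by success:", success_after_burst(events, bursts))
    for ip in bursts:
        print("\n".join(timeline(events, ip)))
```

The point of the normalisation step is that the firewall's SMB denies from 10.0.0.99 only become meaningful next to the failed logons from the same address on WS-FIN01; neither log shows the pattern on its own. A SIEM does the same job at scale, but it still depends on the sources having synchronised clocks and known time zones, which is why the example forces every timestamp to UTC before sorting.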
An organisation can deploy as many preventive controls as planning and finance allow, but some attacks will still get through. It is the ability to detect and respond that determines how significantly the business is impacted, and that is why it is important to have an incident response plan in place before it is needed.
Further advice on incident response from the NCSC can be found here.