Security Incident Response: What Happens When Things Go Wrong

Despite best efforts, security incidents can occur. How you respond determines the impact. A well-prepared incident response capability significantly reduces the damage from any breach or attack.

What Constitutes a Security Incident

  • Unauthorised access to systems or data
  • Data breach (personal data accessed, exfiltrated, or destroyed)
  • Malware or ransomware infection
  • Denial of Service attack
  • Credential compromise (phishing, credential stuffing)
  • Insider threat activity

The Incident Response Phases

  1. Preparation: Response plans, contact lists, and escalation procedures prepared before any incident occurs
  2. Detection & analysis: Identifying that an incident has occurred and understanding its scope
  3. Containment: Limiting the damage — isolating affected systems, revoking compromised credentials
  4. Eradication: Removing the cause — deleting malware, patching vulnerabilities, closing access vectors
  5. Recovery: Restoring systems from clean backups, monitoring for recurrence
  6. Post-incident review: Lessons learned — what happened, why, and how to prevent recurrence

GDPR Breach Notification

If a breach involves personal data and poses a risk to individuals' rights and freedoms, UK GDPR requires you to notify the ICO within 72 hours of becoming aware of it. Notification to the affected individuals themselves is also required if the breach is likely to result in a high risk to those individuals. We help you prepare breach notification documentation and support your ICO reporting process.