Detect incidents quickly
Knowing about an incident sooner rather than later allows you to limit the harm it can cause.
How do I do this?
Ensure users know in advance how they can report incidents. Bear in mind that they may be unable to access normal means of communication if their device is compromised.
Use a security logging system to pick up on incidents your users are not aware of. To collect this information, you can use monitoring tools built into your off-the-shelf services (such as cloud email security panels), build an in-house team, or outsource to a managed security monitoring service.
Smaller organisations that may lack dedicated logging resources may wish to try the NCSC's Logging Made Easy open source project, which provides a practical way to set up basic end-to-end Windows monitoring of your IT estate.
Once a monitoring capability has been set up, it needs to be kept up to date to ensure it remains effective.
Have an incident response plan
Once an incident is discovered, you need to know what to do to prevent any further harm as soon as possible.
How do I do this?
Ensure that your organisation knows what to do in the case of different types of incidents. For example, how will you force a password reset if a password is compromised? Who is responsible for removing malware from a device, and how will they do it? For more information, refer to the Incident Management section of 10 Steps to Cyber Security.
Incident response plans should be practised before an incident occurs. The best way to do this is through exercising. If you're new to this, the NCSC has created Exercise In A Box, an online tool which helps you to find out how resilient you are to cyberattacks, and where you can practise your response in a safe environment.
