Cyber incident grab bag: Delivering your services

Clear communication of critical information

The JESIP framework is well established for use in emergency planning and multi-agency responses to serious incidents, providing a people-centric approach to response and recovery.

Consider how you can use JESIP and the M/ETHANE reporting model which is part of the framework to provide clear, structured and focused communication to support your organisation’s emergency response and collaborative response with partners.

Doing this will help facilitate an effective response, decision making and partnership working.

Role of IT

IT should escalate the suspicion of a cyber-attack at the earliest possible stage to the EP/BC lead officer on duty, giving an update on:

What has happened: what is known so far, and if possible, when the incident may have occurred
Actions taken and planned: what has been done to date and what is planned next
Who has been informed: including any external parties
Impact assessment: likely short and medium term impacts on IT services, based on the information available now.

Role of the emergency duty officer

Decide if the council’s Emergency Response structures should be activated.
The thresholds for this will vary. However, the duty officer should consider:
- the council’s processes and expectations in this area
- the likely impact on council services
- whether the matter is likely to be resolved ‘as routine’ by IT technical services, or whether disruption is likely to occur.
The duty officer should seek clarity on any areas in which they are uncertain, to help in making their decision.

Action should be taken quickly, to avoid unnecessary delay.

Note, that as cyber attacks often occur ‘out of hours’, organisations may need to take critical decisions outside of their standard operating hours to minimise disruption and maximise their changes of successfully maintaining service delivery.

Convene the core team

It is likely you will have an existing process to convene the emergency response team, through which you will make decisions on what to do. However, depending on your existing plans, you may need to be innovative. Cyber attacks do not respect plans which solely rely on your usual everyday systems such as Microsoft Teams.
Ensure you maintain records – you may need to identify someone who is responsible for logging and bringing them into the core team. As not everyone may be present, it’s important to have a good record of what was discussed.

Inform, but note the consequences

Review which third parties need to be notified, including National Cyber Security Centre (NCSC), Information Commissioner’s Office (ICO), Police, National Crime Agency (NCA) and Report Fraud and take appropriate action (the ‘coordinating with central government and law enforcement’ section has more detail on how and when to do this).
Agree how to notify in a timely manner other organisations with whom you work to deliver services. However, note that for a suspected cyber attack, those organisations may need to ‘disconnect’ from you to protect their systems. Take steps to move quickly and advise those partners how they can communicate safely with your council (either through assurance that your normal channels are secure or providing alternative secure channels).

(Re)assess impact and prioritise

It is likely that your existing continuity plans will contain an assessment of impact to services if IT functionality becomes unavailable, and a chain of ‘priority’ actions based on risk to the council and residents. However, this will have been developed at a point in time, based on assumptions that may no longer hold.
The team should validate that these assumptions still stand in the current circumstances. Priorities may need to change, and proposed actions may no longer stand up. If there is a reliance on ‘backup’ or ‘Disaster Recovery (DR)’ IT solutions, note that these may not be available during a cyber incident.
It is down to the emergency response team to determine where the council places its efforts in ensuring ongoing, or reduced service delivery. As such, service area leads should state their position, plans, requirements, and needs clearly to that group.

For more detailed guidance on managing impacts in specific service areas, see the service-specific sections on adult social care, children’s services and finance.

You will need to make sure you are covering the key tasks below, but these are not meant to be an exhaustive list of actions in your response plan.

Take action

Agree communications to the community and staff as to what services will and will not be available, and how they should be consumed. FAQs have proven beneficial in the past, ensuring users are informed, and know where to go for help. Do this through the emergency response team.
Where services cannot be delivered, this should be escalated to the emergency response team. It may be that this is acceptable, or that plans may need to change.
Implement planned workarounds and/or alternate mechanisms of service delivery. Be as clear as possible on how long those workarounds can operate for without additional support, as this will inform the whole council response. But remember that it is more helpful to communicate uncertainty than false confidence.

Maintain your response rhythm

Ensure that council leadership maintains the ‘big picture’ through having clear, regular reports of the situation
Identify the ongoing communications needs for the community and staff
Ensure that council resources are directed appropriately to areas of greatest need.

Be realistic about timelines and clear about exit criteria

Discuss and understand the likely timelines for how long you may be without your ‘standard services’ during a cyber incident, recognising that these will evolve as the situation develops
Agree exit criteria (minimum criteria that must be met for a service to be considered ‘safe’ and a return to ‘normal’).

Recovery opportunities to get back to ‘as was’ will usually be discussed through working with the emergency team. However, recovery may also create opportunities to do things differently. These may arise through:

alternative options offered by partners
new ways of working identified through the response
not all councils recover their services to an ‘as was’ state.

Recovery may occur at any time during the cyber incident, where:

appropriate resources are available
it is safe to do so – including the risks of further attack being managed
it is agreed by the emergency planning team.

Establish priorities for recovery to ensure that council resource is directed to the correct work. Principles for this should take account of key factors including the risk of harm, the reliability (and liabilities from) existing work arounds, and staff welfare.

Once recovery priorities have been determined, this should be managed through an effective plan – which can be assisted via reviewing the ‘Safely and Securely Restoring Technology Systems’ section.

You should note that recovery includes:

the technical restoration, in part or fully, of services by your own organisation or supplier
the re-linking, or re-connecting of related services by partners
validation and verification, by the relevant service, that systems are operating correctly, and finally
the handling of data accumulated through workarounds (if required).

As such, recovery should be managed as a project, rather than considered as a single, simple task.

Each service owner must agree when a service is ‘recovered’, ‘safe’ and suitable for a return to normal working.

Cyber incident grab bag: Delivering your services

Your key strategic actions

Key contacts

Useful resources and case studies

Cyber incident grab bag: Delivering your services

Your key strategic actions

Key contacts

Useful resources and case studies

Highlighted pages

Cyber incident grab bag for local authorities

Cyber incident grab bag: Healthy teaming

Cyber incident grab bag: Coordinating with central government and law enforcement

Cyber incident grab bag: Informing and supporting

Cyber incident grab bag: Safely restoring technology and systems

Cyber incident grab bag: Protecting data

Cyber incident grab bag: Working with elected members

Cyber incident grab bag: Ensuring your incident response reflects reality

Cyber incident grab bag: Service and situational guidance