If you are experiencing a cyber incident you may find the LGA’s Cyber incident grab bag helpful. It is a practical resource for responding to major cyber incidents and, although written for local authorities, contains a lot of transferable insight.
How do I report a cyber attack or cyber incident?
If you can access the world wide web go to NCSC’s where to report a cyber incident service, otherwise:
Step 1
If the cyber attack is potentially life-threatening (e.g. related to health systems) call 999.
Otherwise call Report Fraud immediately on 0300 123 2040 and press 9 on your keypad. This will allow your call to be dealt with as a priority and your live incident will be triaged over the phone.
Next, your incident will be passed to the National Fraud Intelligence Bureau (NFIB), who will review your report and conduct a range of enquiries; it may be passed to the relevant police agency. You will be kept informed of the status of your report.
If your report is passed to the relevant police force, the cyber crime team within that force may contact you to offer additional advice and guidance and to talk through the free support services that are available to you. The North East Regional Cyber Crime Unit will be able to assist you further by providing additional support and running through the free support services offered to businesses and organisations in the North East.
Step 2
Alert any networks you’re connected to, e.g. JANET, PSN, PNN, HSCN / N3 (CareCERT etc.) and also your colleagues and contacts in organisations you work with, especially your suppliers and customers.
If you’re an ISNorthEast WARP member and it’s likely to have impacted other North East Public Sector organisations then notify them by email: negwarp@neict.jiglu.org.
If you have access, check WarpTalk on Slack to see if others have reported the same issues and to see if any mitigation or other advice has been posted.
Step 3
If you experience (or suspect) a personal data breach you need to consider whether this poses a risk to people. If it’s likely there will be a risk, then you must notify the Information Commissioner’s Office; if it’s unlikely, then you don’t have to report. The ICO has a self-assessment to help determine whether your organisation needs to report to the ICO.
What information do I need before I contact the authorities?
To help others understand the potential scale, severity and impact of the incident please provide answers to the following points:
- Who are you?
- What organisation are you reporting an incident for?
- What is your role in this organisation?
- What are your contact details?
- A summary of your understanding of the incident, including any impact to services and/or users
- What investigations and/or mitigations have you or a third party performed or plan to perform?
- Please provide the output of any technical analysis.
- Who else has been informed about this incident?
- What are your planned next steps?
**If you’re developing resources you may find our Starter Guide for Cyber Business Continuity and template Action Cards (which include a ‘report an incident’ card and associated resources) useful**
WHAT HAPPENS WHEN I REPORT AN INCIDENT TO REPORT FRAUD?
Use in conjunction with CYBER INCIDENT action card
1. When you call Report Fraud your live incident will be triaged over the phone.
2. Your incident will be passed to the National Fraud Intelligence Bureau (NFIB), who will review your report and conduct a range of enquiries; it may be passed to the relevant police agency. You will be kept informed of the status of your report.
3. If your report is passed to the relevant police force, the cyber crime team within that force may contact you to offer additional advice and guidance and to talk through the free support services that are available to you. If you’re in the North East, that would most likely be the North East Regional Cyber Crime Unit, which will be able to assist you further by providing additional support and running through the free support services offered to businesses and organisations in the North East.
Because some forces pool resources and operate regional cyber units across a number of force areas, you may be contacted by a police officer or police staff member from the regional unit based within a neighbouring force.
4. Your report may also be passed to the National Cyber Security Centre (NCSC) which is part of GCHQ. Note that it is standard practice for NCSC staff to not share their surnames.
5. Depending on the type of your organisation, the Government Cabinet Office Civil Contingencies Secretariat (CCS) may get involved.
6. You should verify the identity of anyone that contacts you.
NCSC: If a member of the NCSC contacts you or your organisation, you can confirm their identity using the ‘Contact Validation Form’. This offers added reassurance that you are speaking to a government cyber security expert.
Further sources of information
See NCSC’s where to report a cyber incident service.
The National Cyber Security Centre (NCSC) has created the Small Business Guide to Response and Recovery. It provides small to medium-sized organisations with guidance about how to prepare their response to, and plan their recovery from, a cyber incident.
The North East Business Resilience Centre (Home Office funded, Police-led) has some resources, including links to private companies they work with here.