Recognise a cyber incident

How to identify if a cyber incident is taking place. 

The National Cyber Security Centre defines a cyber incident as unauthorised access (or attempted access) to an organisation’s IT systems. Incidents may be malicious attacks by a hacker (such as infection by a computer virus or a ransomware attack) or could be other incidents (such as damage from fire or theft).

The first step in dealing with a cyber incident is identifying it. How do you know one has occurred (or is still happening)?  

Be aware of indicators 

Things that might indicate a cyber incident is taking place include: 

  • Your device is running unusually slowly, rebooting by itself, frequently closing programs or apps you are using, or opening those you are not.
  • You have pop-up boxes from programs/apps you don’t recognise, asking you to do unexpected things. 
  • You are locked out of your IT systems or accounts or are unable to access your documents. 
  • You receive messages demanding a ransom for the release of encrypted or unavailable files. 
  • Someone you know tells you that they’ve received unexpected emails from you, advertising unlikely products, or perhaps asking for money or other actions that you don’t recognise. 
  • There are logins or attempted logins from strange locations or at unusual times. 
  • There have been changes to your security settings that you didn’t make. 
  • Your internet searches are redirected to strange sites. 
  • You receive requests for unauthorised payments.

Checklist for staff

You can download and share this checklist with staff to help them identify a cyber incident. You can add the contact details of the person in your organisation that they should contact if they suspect an incident is taking place. 

Download Cyber security checklist for care staff 

Check what has happened  

Data security and protection leads can use the ten questions below to find out what’s happened. It’s a starting point that you can use to gather vital information as soon as you suspect something has gone wrong. 

You can download this as a form and complete it yourself. 

  1. What problem has been reported, and by whom?
  2. What services, programs and/or hardware are affected or aren’t working? 
  3. Are there any signs that data has been lost? For example, have you received ransom requests, or has your data been posted on the internet? 
  4. What information (if any) has been shared with unauthorised parties, deleted or corrupted? 
  5. Have your stakeholders (such as people who draw on care services or partner organisations) noticed any problems? Can they use your services? 
  6. Who designed the affected system(s), and who maintains them?
  7. When did the problem occur or first come to your attention? 
  8. What is the scope of the problem? What areas of the organisation are affected?
  9. Have there been any signs as to whether the problem has occurred internally within your organisation or externally through your IT supply chain? 
  10. What is the potential business impact of the incident?