IMPORTANT Website terms of use and cookie statement

Areas to consider when preparing for a cyber incident

This article, provided by our technical and cybersecurity partner Mitigo, will help you increase your cybersecurity and business resilience by taking you through the steps you must take if you suffer a cyber incident.

Cybersecurity incidents

All architectural practices are prime targets for cyberattacks, with organised criminal gangs using automated means to search, indiscriminately, for vulnerabilities. This is why leaders are looking to increase their cybersecurity and business resilience.

The starting point is a proper cyber risk assessment of your vulnerabilities with regards to your policies, technology, and people. The appropriate steps must then be taken to tackle them.

Practices should make themselves aware of the type of attacks which are taking place. They should of course prepare to defend themselves against them. However, they must also prepare their emergency response arrangements to deal with a breach. This is why an incident response plan is such an important aspect of business resilience planning.

Common attacks include:

  • Credential phishing attacks on employees which, if successful, typically lead to email account takeover
  • Attempts to gain unauthorised access to computer systems via staff connecting remotely to company information
  • Virus, ransomware or other security attacks on IT equipment systems or networks
  • Insider fraud where staff have access to confidential and commercial information
  • Denial of service attacks where critical web services are taken out of action and a ransom demanded

Incident preparation and emergency response team

When you suffer an incident, you cannot afford to ‘wing it’. If you are not prepared, the potential for loss and disruption is increased.

Identify the critical services, data locations and third parties you rely upon. Consider the impact of losing them. How would you continue to operate? What would your short term ‘work arounds’ be? Speed and effectiveness of communications with the people and organisations most affected is crucial.

Create an incident response team proportionate to the size and complexity of your practice (it may be one person). They will be responsible for coordinating damage limitation and incident investigation.

The team should complete the following actions in preparation for incidents:

  1. Define the roles and responsibilities of team members
  2. Detail actions based on each type of incident such as a virus, hacker intrusion, data theft, system destruction etc...
  3. Review backup and recovery procedures
  4. Establish response guidelines by considering and discussing possible scenarios with employees

Establish an emergency contact procedure. There should be one contact list with names listed by contact priority. Test the process to ensure it is effective.

If an incident occurs, you are likely to need specialist help. Identify who that will be. The RIBA has partnered with Mitigo to provide technical and cyber security services who can assist.

Backup and recovery

Effective backups are an essential ingredient of incident response and it is crucial that they include data, software, and system configuration to be effective. Other considerations include storage locations, frequency, protected copies, information on laptops, and memory capacity (as examples).

Typically, practices forget the recovery part of this process. Consider whether your backups will survive a ransomware attack and how long your practice will be out of action if you need to recover the complete system and data.

Incident response

Please note this is not intended as a step by step user guide, you should seek specialist advice but here are some of the matters which must be addressed:

Identification: verify whether an event is a security incident. A rapid triage is needed to understand what has happened and to filter out false positives.

Containment: isolate affected systems to prevent further damage (it is important to note that the machine displaying the symptom (for example) may only be the tip of the iceberg). This is a critical step which is almost always dealt with incorrectly. You must understand how the different types of attacks happen in order to know how and what to isolate.

Elimination: find the source/root cause of the incident to ensure it is removed from affected systems. You must prove that the attack has ended and that any malicious software and connections have been removed. This needs to be done by someone with the right cybersecurity experience otherwise two serious things frequently happen. First, the criminals remainl in your system and are able to access your data. Second, you will lose the footprint showing where the criminals have been and what data they have taken.

Categorisation and reporting: you must determine exactly what data or assets have been accessed or stolen. All breaches should be recorded. Review whether the matter should be reported to any of the ICO's, your bank, the police, your clients, your employees, your insurers and anyone else who may be affected. Revisit this as further information emerges.

Recovery: allow the affected systems back into normal operation after ensuring no threat remains. Ensure that increased monitoring and vigilance is in place.

Lessons learned: complete a post incident review to learn from the incident and improve future defences and response efforts.

For more guidance on increasing your security and business resilience, or for help in the event of a breach, contact Mitigo on 0161 88 33 507 or email

keyboard_arrow_up To top