
The Importance of Incident Response Plans – Lessons Learned

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

“Those who fail to learn from history are doomed to repeat it.” Sir Winston Churchill

This is our fifth and final article in our five-part series on the importance of incident response planning as part of your cybersecurity program.

As a reminder, the concept of Incident Response is to proactively plan the actions you will take if you are faced with a serious cybersecurity event, while you are in a non-stressed mindset. The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Ransomware Incident Response Plan – Lessons Learned Session

A lessons learned session takes place after containment, eradication, and recovery from a serious security incident. It involves examining the incident and understanding how it happened to begin with. In other words, this step is about getting to the root of how and why it happened.

It is also a time to examine how well your incident response plan was executed in response to the incident: what were the positives and negatives of the response, and how well did the plan work to resolve the issue? Finally, identify the elements of the plan that need to be improved, and then incorporate those improvements.

Identifying How and Why

The first aspect of learning lessons from the incident is to understand how and why this incident occurred in the first place. This will undoubtedly help you identify controls that need to be enhanced in your cybersecurity prevention or detection programs.

As an example, did someone click on a link or attachment in an email that caused the incident? Perhaps additional training is necessary.

Identifying Areas of Strength and Weakness in your Incident Response Plan

Lessons learned sessions help you to understand not only why the incident occurred, but also how effective your response was.

For example, did your team know exactly what to do, or did they struggle to remember their training?

Questions like these will highlight areas that need to be improved for next time. Don’t just focus on the negative or what went wrong; also examine what worked well. Taking the time to identify successful elements of your response can help to make future security practices more robust, while acknowledging and rewarding positive employee performance will set a standard and incentivize similar behaviors in the future.

Lessons Learned Training

As we have discussed in the past, incident response plans should be tested annually. While your tests should not go so far as to inject an actual security incident into your network, tabletop exercises are an effective means to remind everyone of their responsibilities at the time of a serious security incident. Additionally, these tabletop exercises should include a formal lessons learned session. It will lead to improvements in your incident response plan, and it will train your teams in how to do effective analysis.

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, our Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.
