< Back to Thought Leadership

The Importance of Incident Response Plans – Lessons Learned

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

“Those who fail to learn from history are doomed to repeat it.”  Sir Winston Churchill

This is our fifth and final article in our five-part series on the importance of incident response planning as part of your cybersecurity program.

As a reminder, the concept of Incident Response is to proactively plan the actions you will take if you are faced with a serious cybersecurity event, while you are in a non-stressed mindset. The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Ransomware Incident Response Plan – Lessons Learned Session

A lessons learned session takes place after the containment, eradication, and then recovery from a serious security incident. It involves examining the incident and understanding how the incident happened to begin with. In other words, this step is about getting to the root of how and why it happened.

It also is a time to examine how well your incident response plan was executed in response to the incident (what are the positives and negatives of the response; evaluating how well your incident response plan worked to resolve the issue). Finally, what are the elements of the plan that need to be improved and then incorporating those improvements.

Identifying How and Why

The first aspect of learning lessons from the incident is to understand how and why this incident occurred in the first place. This will undoubtedly help you identify controls that need to be enhanced in your cybersecurity prevention or detection programs.

As an example, did someone click on a link or attachment in an email that caused the incident? Perhaps additional training is necessary.

Identifying Areas of Strength and Weakness in your Incident Response Plan

Lessons learned sessions help you to understand not only why the incident occurred, but also how effective your response was.

For example, did your team know exactly what to do, or did they struggle to remember their training?

Questions like these will highlight areas that need to be improved for next time. Don’t just focus on the negative or what went wrong, but also examine what worked well. Taking the time to identify successful elements of your response can help to robust future security practices, while acknowledging and rewarding positive employee performance will set a standard and incentivize similar behaviors in the future.

Lessons Learned Training

As we have discussed in the past, incident response plans should be tested annually. While your tests should not go so far as to inject an actual security incident into your network, the use of tabletop exercises are an effective means to remind everyone of their responsibilities at the time of a serious security incident. Additionally, these tabletop exercises should include a formal lesson learned session. It will lead to improvements in your incident response plan, and it will train your teams in how to do effective analysis.

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, our Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.

Blue Named One of Kentucky’s Best Places to Work for 2024 | Best Places to Work in Kentucky

Blue Named One of Kentucky’s Best Places to Work for 2024

CARMEL, Ind. (April 16, 2024) – Blue & Co., LLC is honored to be named among the Best Places to Work in Kentucky by the Kentucky Chamber of Commerce, the […]

Learn More
Planned Gifts

Planned Gifts: A Plan for All

By Mike Gricius, CPA, Senior Manager at Blue & Co. Planned gifts are a tool that can help not-for-profits plan ahead and secure the future for the years to come. […]

Learn More

Participate in the 2024 Dental Survey: Help Blue and the IDA Offer Better Solutions for the Dental Industry

Since 1995, Blue & Co. has partnered with private practice dentistry to give something back to the profession that our dental clients desperately needed: good data. And we aim to […]

Learn More