< Back to Thought Leadership

The Importance of Incident Response Plans – Lessons Learned

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

“Those who fail to learn from history are doomed to repeat it.”  Sir Winston Churchill

This is our fifth and final article in our five-part series on the importance of incident response planning as part of your cybersecurity program.

As a reminder, the concept of Incident Response is to proactively plan the actions you will take if you are faced with a serious cybersecurity event, while you are in a non-stressed mindset. The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Ransomware Incident Response Plan – Lessons Learned Session

A lessons learned session takes place after the containment, eradication, and then recovery from a serious security incident. It involves examining the incident and understanding how the incident happened to begin with. In other words, this step is about getting to the root of how and why it happened.

It also is a time to examine how well your incident response plan was executed in response to the incident (what are the positives and negatives of the response; evaluating how well your incident response plan worked to resolve the issue). Finally, what are the elements of the plan that need to be improved and then incorporating those improvements.

Identifying How and Why

The first aspect of learning lessons from the incident is to understand how and why this incident occurred in the first place. This will undoubtedly help you identify controls that need to be enhanced in your cybersecurity prevention or detection programs.

As an example, did someone click on a link or attachment in an email that caused the incident? Perhaps additional training is necessary.

Identifying Areas of Strength and Weakness in your Incident Response Plan

Lessons learned sessions help you to understand not only why the incident occurred, but also how effective your response was.

For example, did your team know exactly what to do, or did they struggle to remember their training?

Questions like these will highlight areas that need to be improved for next time. Don’t just focus on the negative or what went wrong, but also examine what worked well. Taking the time to identify successful elements of your response can help to robust future security practices, while acknowledging and rewarding positive employee performance will set a standard and incentivize similar behaviors in the future.

Lessons Learned Training

As we have discussed in the past, incident response plans should be tested annually. While your tests should not go so far as to inject an actual security incident into your network, the use of tabletop exercises are an effective means to remind everyone of their responsibilities at the time of a serious security incident. Additionally, these tabletop exercises should include a formal lesson learned session. It will lead to improvements in your incident response plan, and it will train your teams in how to do effective analysis.

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, our Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.

2023 E/M Coding Changes You Need to Know from the Physician Fee Schedule Final Ruling

New rules for reporting evaluation and management (E/M) services in most places of service took effect January 1, 2023. The coding and documentation revisions, adopted by the American Medical Association’s CPT Editorial Panel and approved by the Centers for Medicare and Medicaid Services (CMS), substantially simplify code selection and documentation. Effective January 1st, E/M services […]

Learn More

Consolidated Appropriations Act of 2023 Changes Impacting Rural Health Clinics

The Consolidated Appropriations Act of 2023, also known as the “Omnibus” package, was signed into law by President Biden on December 29, 2022. Rural Health Clinics (RHCs) need to be aware of some of the changes that will impact them including new grant opportunities and behavioral health provisions. Opportunities for Rural Health Clinics from the […]

Learn More
someone handing car keys to another person personal use of auto

The Importance of Personal vs. Business Use of Auto

By Pam Swartout, Manager and Jacoby Shade, Staff Accountant at Blue & Co. Many business owners provide a company vehicle to their employees as part of their employment. This is a company benefit that has tax implications and is extremely important for both the employer and employee to understand these implications. Employers can deduct only […]

Learn More