< Back to Thought Leadership

The Importance of Incident Response Plans – Lessons Learned

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

“Those who fail to learn from history are doomed to repeat it.”  Sir Winston Churchill

This is our fifth and final article in our five-part series on the importance of incident response planning as part of your cybersecurity program.

As a reminder, the concept of Incident Response is to proactively plan the actions you will take if you are faced with a serious cybersecurity event, while you are in a non-stressed mindset. The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Ransomware Incident Response Plan – Lessons Learned Session

A lessons learned session takes place after the containment, eradication, and then recovery from a serious security incident. It involves examining the incident and understanding how the incident happened to begin with. In other words, this step is about getting to the root of how and why it happened.

It also is a time to examine how well your incident response plan was executed in response to the incident (what are the positives and negatives of the response; evaluating how well your incident response plan worked to resolve the issue). Finally, what are the elements of the plan that need to be improved and then incorporating those improvements.

Identifying How and Why

The first aspect of learning lessons from the incident is to understand how and why this incident occurred in the first place. This will undoubtedly help you identify controls that need to be enhanced in your cybersecurity prevention or detection programs.

As an example, did someone click on a link or attachment in an email that caused the incident? Perhaps additional training is necessary.

Identifying Areas of Strength and Weakness in your Incident Response Plan

Lessons learned sessions help you to understand not only why the incident occurred, but also how effective your response was.

For example, did your team know exactly what to do, or did they struggle to remember their training?

Questions like these will highlight areas that need to be improved for next time. Don’t just focus on the negative or what went wrong, but also examine what worked well. Taking the time to identify successful elements of your response can help to robust future security practices, while acknowledging and rewarding positive employee performance will set a standard and incentivize similar behaviors in the future.

Lessons Learned Training

As we have discussed in the past, incident response plans should be tested annually. While your tests should not go so far as to inject an actual security incident into your network, the use of tabletop exercises are an effective means to remind everyone of their responsibilities at the time of a serious security incident. Additionally, these tabletop exercises should include a formal lesson learned session. It will lead to improvements in your incident response plan, and it will train your teams in how to do effective analysis.

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, our Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.

IRS 501(r) Compliance: Financial Assistance Policy and Amounts Generally Billed Calculation

Non-profit hospital organizations as defined by Section 501(c)(3) must meet requirements imposed by Section 501(r) on a facility-by-facility basis to be treated as a tax-exempt organization. According to the Internal Revenue […]

Learn More

Hospital Price Transparency: What’s New in 2024 and Beyond

The Centers for Medicare & Medicaid Services (CMS) has introduced significant changes to the requirements for hospital price transparency. The aim is to enhance pricing transparency and ensure compliance with […]

Learn More
building and using insurance reserves

Building and Using Insurance Reserves for Sustainability

By Annmarie Novotney, CPA, Director at Blue & Co. Not-for-profit organizations have been dealing with changing circumstances on many fronts over the last five years. Part of this changing landscape […]

Learn More