< Back to Thought Leadership

The Importance of Incident Response Plans – Lessons Learned

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

“Those who fail to learn from history are doomed to repeat it.”  Sir Winston Churchill

This is our fifth and final article in our five-part series on the importance of incident response planning as part of your cybersecurity program.

As a reminder, the concept of Incident Response is to proactively plan the actions you will take if you are faced with a serious cybersecurity event, while you are in a non-stressed mindset. The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Ransomware Incident Response Plan – Lessons Learned Session

A lessons learned session takes place after the containment, eradication, and then recovery from a serious security incident. It involves examining the incident and understanding how the incident happened to begin with. In other words, this step is about getting to the root of how and why it happened.

It also is a time to examine how well your incident response plan was executed in response to the incident (what are the positives and negatives of the response; evaluating how well your incident response plan worked to resolve the issue). Finally, what are the elements of the plan that need to be improved and then incorporating those improvements.

Identifying How and Why

The first aspect of learning lessons from the incident is to understand how and why this incident occurred in the first place. This will undoubtedly help you identify controls that need to be enhanced in your cybersecurity prevention or detection programs.

As an example, did someone click on a link or attachment in an email that caused the incident? Perhaps additional training is necessary.

Identifying Areas of Strength and Weakness in your Response

Lessons learned sessions help you to understand not only why the incident occurred, but also how effective your response was.

For example, did your team know exactly what to do, or did they struggle to remember their training?

Questions like these will highlight areas that need to be improved for next time. Don’t just focus on the negative or what went wrong, but also examine what worked well. Taking the time to identify successful elements of your response can help to robust future security practices, while acknowledging and rewarding positive employee performance will set a standard and incentivize similar behaviors in the future.

Lessons Learned Training

As we have discussed in the past, incident response plans should be tested annually. While your tests should not go so far as to inject an actual security incident into your network, the use of tabletop exercises are an effective means to remind everyone of their responsibilities at the time of a serious security incident. Additionally, these tabletop exercises should include a formal lesson learned session. It will lead to improvements in your incident response plan, and it will train your teams in how to do effective analysis.

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, our Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.

Proposed Updates to Medicare Bad Debt Listing Template

Recently there have been conversations around the potential new template from CMS that will be used for the Medicare Bad Debt listing that is filed with your organization’s cost report. As of July 2022, this new template is still in the proposed stage, and Medicare is accepting comments. You do not have to use this new […]

Learn More
Picture of disctionary defining legislation | Senate Passes Inflation Reduction Act of 2022 | New Legislation

Senate Passes Inflation Reduction Act of 2022

By Amy Sandlin, CPA, Tax Senior Manager The Inflation Reduction Act of 2022 (the Act) passed in the Senate on Sunday, August 7, 2022, and is headed to the Democrat-controlled House where it is expected to pass on Friday, August 12. Experts expect this to be on President Biden’s desk by early next week. If […]

Learn More
INSIDE Public Accounting Top 100 Firms | Blue & Co. Ranks 52 on the INSIDE Public Accounting Top 100 Firms

Blue & Co. Climbs Six Spots on INSIDE Public Accounting Top 100 Firms List

CARMEL, Ind. (August 5, 2022) – Blue & Co., LLC is honored to announce that it has achieved the recognition of being ranked number 52 by INSIDE Public Accounting (IPA), based on the 2022 annual INSIDE Public Accounting Survey and Analysis of Firms. Blue previously was ranked at 58 in 2021, and 61 in 2020. […]

Learn More