Small Business Cyber Security Response and Recovery. Part VI – Learn from the incident
Part 6 – Learn from the incident
Once the incident has been resolved, it is important to review what happened, learn from any mistakes, and update key information, controls and processes. It is also a good time to strengthen staff awareness through training and workshops in order to develop your staff’s security culture.
Review actions taken during response
Gather and analyse the actions you took while dealing with the incident. Compile a list of things that went well and things that could be improved in the response stage. Questions you might want to ask as part of the review process include:
1. Did the staff follow the procedures of the Incident Response Plan? Were the procedures adequate?
2. Was there any information that was needed sooner?
3. Did any of the actions taken slow down the handling of the incident?
4. Could any unforeseen incidents have been prevented?
5. If a similar cyber incident were to occur again, what could be done differently?
6. How could information sharing during the incident with other organisations have been improved?
7. What can be done to prevent similar incidents in the future?
8. Were there any early warning signs of the incident that should be watched for in the future as part of incident detection?
9. How can results be fed back into the company’s Incident Response Plan and Risk Assessment Methodology?
10. What have we learned from the incident?
Review and update your Incident Response Plan, key information, security controls and documents
Based on the results of the previous review process, make changes to the Incident Response Plan and update key information, security controls, and documents where necessary to reflect lessons learned.
In relation to security controls, research has revealed that the attack vectors causing most concern were:
- Poorly designed web applications
- Misconfigured systems
- Internet downloads
- Personal devices
- Authorised third parties (customers, suppliers, business partners)
Strengthen your defenses
Reassess your risk and make any necessary changes. For example, if you were a victim of a phishing attack, you may want to run awareness sessions for your staff to help them recognize potentially dangerous emails and content and deal with them safely. If the cause of the attack was compromised login credentials, you may need to create a new password policy and provide your staff with new training and physically secure storage for passwords.
Perform trend analysis
To be able to better mitigate future cyber security incidents you should review relevant cyber security incident data regularly in order to:
- Evaluate patterns and trends of cyber incidents
- Identify common factors that have influenced cyber security incidents
- Establish the effectiveness of security controls
- Understand the costs and impacts associated with cyber security incidents
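As an added illustration (not part of the original article), the four review goals above can be computed from a simple incident register. The register fields and sample records are constructed assumptions; the vector labels reuse the attack-vector list given earlier in this article.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Constructed sample register (not real data). Field names are assumptions;
# the vector labels follow the attack-vector list earlier on this page.
INCIDENTS = [
    {"date": date(2023, 1, 17), "vector": "Internet downloads", "root_cause": "no web filtering",
     "caught_by_control": False, "hours_to_resolve": 30, "cost": 4200},
    {"date": date(2023, 3, 2), "vector": "Misconfigured systems", "root_cause": "default credentials",
     "caught_by_control": True, "hours_to_resolve": 6, "cost": 800},
    {"date": date(2023, 5, 21), "vector": "Internet downloads", "root_cause": "no web filtering",
     "caught_by_control": False, "hours_to_resolve": 22, "cost": 3100},
    {"date": date(2023, 8, 9), "vector": "Authorised third parties", "root_cause": "shared supplier account",
     "caught_by_control": False, "hours_to_resolve": 48, "cost": 9500},
    {"date": date(2023, 10, 30), "vector": "Internet downloads", "root_cause": "no web filtering",
     "caught_by_control": True, "hours_to_resolve": 5, "cost": 600},
]

def quarter(d):
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def trend_report(incidents):
    """Per vector: pattern over time, common factor, control effectiveness, cost."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc["vector"]].append(inc)
    report = {}
    for vector, items in groups.items():
        causes = Counter(i["root_cause"] for i in items)
        per_quarter = Counter(quarter(i["date"]) for i in items)
        report[vector] = {
            "count": len(items),
            "per_quarter": dict(sorted(per_quarter.items())),
            "top_cause": causes.most_common(1)[0][0],
            "control_catch_rate": sum(i["caught_by_control"] for i in items) / len(items),
            "mean_hours_to_resolve": mean(i["hours_to_resolve"] for i in items),
            "total_cost": sum(i["cost"] for i in items),
        }
    return report

def priorities(report):
    """Vectors ordered by total cost, highest first."""
    return sorted(report, key=lambda v: report[v]["total_cost"], reverse=True)

if __name__ == "__main__":
    rep = trend_report(INCIDENTS)
    for v in priorities(rep):
        print(v, rep[v])
```

A vector that recurs across quarters with the same root cause and a low catch rate points to a control that is missing or not working, which is the input the Risk Assessment update needs.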
Review the terms of your contracts
Depending on how effectively the incident was dealt with you may need to review your third-party contracts.
To help you with this you might want to consider the following:
- Does this incident force us to change the way we do business?
- If you outsource your cyber security solution, did their response meet your needs? (If they didn’t meet your needs, you might consider renegotiating the terms of the contract, or canceling it altogether and changing to a new supplier.)
- Did you have the skills in-house to deal with the incident, so that there is no need to outsource in the future?
Do you require help with preparing for and dealing with cyber incidents?
If you have any questions or require help or advice on preparing for and dealing with cyber incidents, please contact us at SEQRED.
SEQRED specialises in all areas of cybersecurity including Critical Infrastructure Protection, Cloud Services Security, Audits or Threat Intelligence. For a full list of our services visit our website – www.seqred.pl
Stay safe rather than sorry!