Learn and Improve
Once you’ve recovered from a cyber security attack and the dust has settled, it’s essential to investigate the incident thoroughly. This will help you find out what actually happened and prevent the same or a similar incident from recurring.
As well as the technical investigation, it’s also important to review how well your staff and management responded to the incident. Questions to be answered include:
- How well did staff deal with the incident?
- Were the documented procedures followed?
- Were the procedures fit for purpose? What changes, if any, need to be made?
- What information was needed sooner?
- Did anything occur that might have inhibited the recovery?
- Could any unforeseen events have been prevented?
- What would be done differently the next time a similar cyber security incident occurs?
- What should be watched for in the future to detect similar incidents?
- What lessons have been learned?
A report should be produced after the incident review and presented to all relevant stakeholders to ensure lessons are learned.
Your cyber security risk management plan should be updated following a security incident to improve your incident response approach and outcome.