“Recover” is the final part of the NIST Cybersecurity Framework. It encompasses many activities, including a review of lessons learned and ongoing training to help users respond to threats more effectively during future attacks. Today, we will look specifically at identifying lessons learned after an incident occurs.
Security incidents will happen. Nearly half of all cyberattacks target small and medium-sized businesses, and when a threat becomes an incident, a business needs a way to record what happened, how it happened, how the SMB responded, and what the results were. That record is called a lessons learned review, or a post-incident review.
Why Review Incident Response?
Not much good comes from most cybersecurity incidents. There is usually damage, both financial and to the business's reputation, and there are few ways to find value in having fallen victim to a cyberthreat. The lessons learned review is the one opportunity every business has to gain something from an incident.
During this process, each team member's knowledge of the incident is transferred into a centralized record where it can be reviewed, evaluated, and used to judge the effectiveness of the current response plan. With that record available, an SMB can decide whether the current course of action is sufficient to protect against future threats, or whether changes are needed to improve response times, add prevention methods, or fix policy gaps so that similar threats are handled better next time.
Lessons learned information is also useful for training new and existing employees on how to prevent the specific type of attack that led to the incident. For example, if your SMB suffers a phishing attack that leads to a malware infection, the lessons learned record can be used to show how the attack unfolded and to raise awareness of the dangers of poor email security hygiene.
When and What to Review
Post-incident security reviews should be conducted within a few days of mitigating a major security incident. Minor or less damaging incidents should also be reviewed when time and resources allow. They may have done less harm, but there are still lessons in why those attacks succeeded.
All incidents, regardless of size, should get a post-incident review if customer or third-party data was exposed. Reviews should also take place after any incident with potential legal or public relations repercussions, or where compliance audit requirements apply.
During the lessons learned review, SMBs should look at:
- Where did the attack come from, and how did it get past your defenses?
- Was it handled according to the established response plan?
- Exactly what actions were taken, and when?
- What could have been done differently?
- Which actions departed from the predetermined response plan, and why were they taken?
- How well did the predefined response plan work? What, if anything, needs to change?
- How can your company prevent this type of attack in the future?
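The questions above are easier to answer from a structured record than from memory. The script below is an added example, not part of the original article: it takes a constructed incident timeline (a phishing email that led to a malware infection, as in the earlier example), the list of actions actually taken, and the predetermined playbook, and derives the factual parts of a lessons learned record: how long detection, containment and recovery took, which planned steps were skipped, which unplanned actions were taken, and whether the planned steps ran out of order. The data model, the playbook step names, the sample timestamps and the incident details are all assumptions made for illustration; the "why" and "what should change" still have to come from the team.

```python
# Added example (not from the original article): a small post-incident review
# helper. The data model, playbook step names and the sample incident are all
# constructed assumptions made for illustration.
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Action:
    at: datetime
    step: str      # a playbook step name, or a label for an unplanned action
    actor: str
    note: str = ""


@dataclass
class Incident:
    name: str
    origin: str                # where it came from and how it got past defenses
    first_malicious: datetime  # earliest known attacker activity
    detected: datetime
    contained: datetime
    recovered: datetime
    actions: list = field(default_factory=list)


def minutes_between(a: datetime, b: datetime) -> int:
    return int((b - a).total_seconds() // 60)


def phase_durations(inc: Incident) -> dict:
    """Time to detect / contain / recover, in minutes: the measurable part of 'how well did it go'."""
    return {
        "time_to_detect": minutes_between(inc.first_malicious, inc.detected),
        "time_to_contain": minutes_between(inc.detected, inc.contained),
        "time_to_recover": minutes_between(inc.contained, inc.recovered),
    }


def plan_deviations(inc: Incident, playbook: list) -> dict:
    """Compare what was actually done with the predetermined response plan."""
    taken = [a.step for a in sorted(inc.actions, key=lambda a: a.at)]
    planned_taken = [s for s in taken if s in playbook]
    order = [playbook.index(s) for s in planned_taken]
    return {
        "skipped": [s for s in playbook if s not in taken],      # planned, never done
        "unplanned": [s for s in taken if s not in playbook],    # done, not in the plan
        "out_of_order": order != sorted(order),                  # planned steps run out of sequence
    }


def review_record(inc: Incident, playbook: list) -> dict:
    """The facts a lessons learned review starts from. Explaining the deviations
    and deciding what to change is the team's job, not the script's."""
    dev = plan_deviations(inc, playbook)
    timeline = sorted(inc.actions, key=lambda a: a.at)
    return {
        "incident": inc.name,
        "origin": inc.origin,
        "durations_min": phase_durations(inc),
        "actions_taken": [(a.at.isoformat(timespec="minutes"), a.step, a.actor, a.note)
                          for a in timeline],
        "followed_plan": not (dev["skipped"] or dev["unplanned"] or dev["out_of_order"]),
        **dev,
    }


def t(hhmm: str) -> datetime:
    # all sample times fall on one constructed day
    return datetime.fromisoformat(f"2024-03-04T{hhmm}")


# Constructed sample: a phishing e-mail that led to a malware infection.
PLAYBOOK = ["triage_alert", "isolate_host", "preserve_evidence",
            "eradicate_malware", "restore_from_backup", "notify_stakeholders"]

SAMPLE = Incident(
    name="INC-0042 phishing -> malware on a finance laptop",
    origin="Phishing e-mail with a macro-enabled attachment; the mail filter passed it "
           "because the sender domain was not on any blocklist",
    first_malicious=t("08:02"), detected=t("09:10"),
    contained=t("09:40"), recovered=t("11:15"),
    actions=[
        Action(t("09:12"), "triage_alert", "helpdesk", "EDR alert on finance laptop"),
        Action(t("09:40"), "isolate_host", "IT admin", "pulled from the network"),
        Action(t("10:05"), "reimage_host", "IT admin", "wiped before any evidence was captured"),
        Action(t("10:20"), "notify_stakeholders", "IT manager"),
        Action(t("10:50"), "preserve_evidence", "IT admin", "only mail server logs were left to collect"),
    ],
)

if __name__ == "__main__":
    import json
    print(json.dumps(review_record(SAMPLE, PLAYBOOK), indent=2))
```

Run stand-alone, the script prints the record for the sample incident: detection took 68 minutes, containment 30 and recovery 95; `eradicate_malware` and `restore_from_backup` were skipped in favour of an unplanned `reimage_host`, and `preserve_evidence` ran only after the host had been wiped. Those are exactly the facts a review needs before it can ask why the plan was not followed and whether the plan or the training should change.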
What SMBs Can Learn from Post-Incident Reviews
The data collected can also be analyzed to spot emerging threats that the planning and education processes have not yet addressed, and to identify areas of weakness your organization needs to evaluate and improve. It also provides measures of success, such as how quickly the incident was detected and contained, and that information can be used to justify investments of time and money in the security tools, personnel, and procedures needed to keep your organization safe.
There is no such thing as completely secure. Security incidents happen to businesses of all sizes. When they do, SMBs need to set aside time to conduct post-incident reviews and build lessons learned documentation so they can improve response procedures, add security tools where needed, and train employees to avoid the same type of attack in the future. Lessons learned is more than just an exercise. It is how an SMB gets better at protecting the organization from cybersecurity attacks.