This article follows on from The Cyber Security Culture and from the “after” section at the end of Cyber Security the Layer Cake Approach, and looks at incident follow-up meetings.
After an Incident
So you read my article about creating a supportive cyber security culture in your organisation and thought you had it sorted, but then one of your team ended up with malware on their machine. Fortunately it was not ransomware (see my separate article on what happens if it is), and your IT support reported that the firewall stopped the malware. As a sensible precaution the infected laptop has been wiped and rebuilt, and every PC in the organisation has been scanned.
But there is one more thing to do…
The After Incident Follow-up Meetings
Not recriminations.
You need a meeting to discuss and record what went right and what went wrong with your incident response plan, and what the organisation could do better. I have discussed this in some depth in another article, After Ransomware. Today I want to look at one possible issue raised in the cyber security culture article: communications.
A copy and paste tip
So here is the template that I use when working through our “Develop a Security Awareness and Training Program That Empowers Your People” framework.
To report any incident:
- Contact [insert contact name] and they will be happy to help you
- [Insert contact info]
- Fill out [name of form] on [website]
*Outline incident-specific reporting.*
- If you have been phished, follow policy [#.#] and change your password by [method to change password]
- If you see a suspicious person or activity, contact [insert contact info] directly
- If you find a USB stick, take it to the help desk [insert location]
If you have any general questions:
- Contact [insert contact name] and they will be happy to help you
- [Insert contact info]
It is a good starting point. Most clients want to tinker with it, but I always insist it remains reasonably simple so users are not put off using it.
A couple of points
- Policy #.# will probably include the instruction to isolate the suspect device (take it off the network, wired and wireless)
- We use a Microsoft 365 Form that can be filled in from a phone, so the user does not have to report from the suspect machine
- A hotline number that can be diverted to the on-call incident response manager is another option that supports the form
Incident follow-up meetings
Your communications may have worked, but the point I am illustrating here is that whatever comes up in the meeting needs consideration, even if you or others disagree with it. If everyone feels part of the team dealing with cyber security, you will be building the type of cyber security culture you need.
Let’s hope 85% of your incident response plan survives the meeting!
Follow-up on the follow-up…
But do not wait until the next incident to test the plan: see my articles on role-playing exercises.
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
Incident Response Training – I think I have a computer virus…
Incident Response – Talk about bad timing!
Minimise the Damage – Planning and Preparation
Featured photo by cottonbro studio