Cyber Security Incident Follow-up Meetings

by
after the party

This is a follow-up article to The Cyber Security Culture and the “after” at the end of Cyber Security the Layer Cake Approach looking at incident follow-up meetings.

After an Incident

So you read my article about creating a supportive cyber security culture in your organisation and you thought you had it sorted – but then one of your team ended up with malware on their machine. Fortunately it was not ransomware (click here for what happens if it was ransomware) and your IT support reported that the firewall stopped the malware but as a sensible precaution the infected laptop has been wiped and rebuilt and every PC in the organisation has been scanned.

But there is one more thing to do…

The After Incident Follow-up Meetings

Not recriminations.

You need a meeting to discuss and record what went right and what went wrong with your incident response plan and what the organisation could do better. I have discussed this in some depth in this article – After Ransomware – today I want to look at one possible issue from the cyber security culture article. Communications.

A copy and paste tip

So here is the template that I use when working through our “Develop a Security Awareness and Training Program That Empowers Your People” framework.

To report any incident:

  • Contact [insert contact name] and they will be happy to help you
  • [Insert contact info]
  • Fill out [name of form] on [website]

*Outline incident-specific reporting.*

  • If you have been phished, follow policy [#.#] and change your password by [method to change password]
  • If you see a suspicious person or activity, contact [insert contact info] directly
  • If you find a USB stick, take it to the help desk [insert location]

If you have any general questions:

  • Contact [insert contact name] and they will be happy to help you
  • [Insert contact info]

It is a good starting point and most clients want to tinker with it, but I always insist it remains reasonably simple so users are not put off using it.

A couple of points

  • Policy #.# will probably include – isolate the suspect device
  • We use a Form in Microsoft 365 accessible from a phone
  • A hotline number that can be diverted to the on-call incident response manager is another idea that can support this form
Cyber Security Incident Follow-up Meetings Cyber Awake
Bring everything to the meeting

Incident follow-up meetings

Your communications may have worked, but I am trying to illustrate here that whatever comes up in the meeting needs consideration, even if you or others disagree. If everyone feels part of the team dealing with the cyber security then you will be building the type of cyber security culture you need.

Let’s hope 85% of your incident response plan survives the meeting!

Follow-up on the follow-up…

But do not wait until the next incident to test the plan… read about role-playing exercises here and here.


Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Incident Response Training I think I have a computer virus…

Incident Response – Talk about bad timing!

Ransomware – A Primer

Minimise the Damage – Planning and Preparation

Featured photo by cottonbro studio:

Contact us for consultation

Wake up to cyber threats..

Cyber Security Incident Follow-up Meetings Cyber Awake
HQ Based between Newark and Lincoln

Get in touch

CyberAwake
Unit 2 Kingsley Court
Kingsley Road
Lincoln
LN6 3TA
United Kingdom

01522 508089

useful links

Website Cookies Icon

This website uses cookies to ensure you get the best experience on our website. Click for more information.

accept & Close