A major cybersecurity incident is an extremely high-pressure situation where rapid action is needed to control and mitigate the immediate effects. But once the dust has settled and the pressure has eased a little, what should organizations do to learn from the incident and improve their security posture for the future?
On this point, I saw a great blog post on the UK National Cyber Security Centre (NCSC) website entitled "If you have knowledge, let others light their candles in it". It talks about why sharing lessons learned from cyber security incidents and "near misses" will help everyone to improve. It goes on to outline the importance of sharing intelligence such as how the attackers first gained entry and moved around the network, what they were trying to achieve, and how the attack finally ended. It also advises gathering details of all the cyber security actions taken to counter the attack, including those that worked (and those that didn't).