Post Incident Review: Analysing What Happened & Strengthening Your Defences

Published on 01/06/2022

As we mentioned in a previous post, statistics are indicating that it’s now about when rather than if your organisation will become the victim of a cyber attack. With this in mind, many firms, including SES have shared plenty of advice and guidance on the measures you can take to either prevent an attack or the steps you need to take once an attack has taken place. But what happens next? 

Information regarding what to do once a cyber incident has been remediated is a lot harder to come by. Ideally, at this stage SES would recommend you take the opportunity to perform a post incident review. Analysing exactly what led to the cyber incident occurring and strengthen your defences accordingly. 

Post Incident Review 

Analysing performance to identify where things went wrong is essential in all aspects of working life, but especially important when it comes to strengthening your security. Malicious individuals are always probing for weaknesses to exploit, so regular reviews of where your weaknesses lie will help you to patch your vulnerabilities before they can be exploited. 

Your review should be structured around answering the following questions and should involve an experienced Incident Responder. This will provide context on how the weakness was exploited and your key technical and non-technical stakeholders to analyse how processes and policies can be amended to strengthen your security position. 

  • What went wrong?
  • Why did it go wrong?
  • What was meant to stop it from going wrong, and why didn’t it work?
  • What other controls should/could have prevented this?
  • How has it been fixed and how has this solution been demonstrated to work?
  • Is this a symptom of a wider problem?

Incident Response Exercises 

Reassess Risks 

Digital risks are constantly evolving as new exploits are developed. Post incident, it is important to assess your businesses key assets and the risks that could impact your operation. We recommend the following questions should be used to begin this assessment. 

  • What are our key assets? Have they changed since the previous review? 
  • How would our organisation be affected if we lost access to key business critical assets or suppliers?
  • What are we doing to protect our assets? Should we be doing more? 

The final question is often the most difficult to answer, but there are a number of options for strengthening your security after a cyber incident. 

Review Your Security Testing 

Post incident, reassessing your security testing is important. Do you test regularly? Whilst conducting a single Penetration Test will give you a snapshot of the vulnerabilities on your organisations systems and networks on the day the test was completed. SES recommend that you perform regular Vulnerability Assessments and Penetration Testing once a year or after each major version change enables you to review your systems and networks for vulnerabilities an attacker could exploit.

An organisation with a strong security posture will have a security auditing/testing programme in place that delivers an ongoing assessment of network resilience. It will help align your organisation with the speed of technological changes and threat actors’ increasingly sophisticated approaches. Each report will be looked at individually to assess current problems but will also be given context by comparing it with other reports to discover trends and pre-empt problematic weak spots.

Even regular Penetration Testing doesn’t make your organisation invulnerable to attack. It’s important to review your Penetration Testing programme after an attack to understand whether it should have identified vulnerabilities before they became an opportunity to exploit and limit the impact of future incidents. 

How Will You Deal With Your Supply Chain Post Incident? 

Your supply chain is a two way relationship, your suppliers are a risk to you as you are to them. Information sharing about your incident experiences, and mutual explanations of your plans and intended response allows you to understand the risk presented by the other party. For especially significant suppliers, you may wish to audit their security posture in order to have assurance that they don’t represent a weak link in your security chain.

Training & Staff Development 

Human error can undermine the best technical security posture. How good is the basic level of cyber security hygiene in your organisation? Depending on the confidentiality of the data involved, it’s worth considering briefing your staff on the incident and why it occurred, especially if human error was a factor.

If you think you have been the victim of a cyber attack or would like to speak to one of our specialists about protecting your organisation against cyber threats, please get in touch to speak to one of our specialists.

This article was published in partnership with our cyber security partners PGI.

© SES Secure Limited and ses-escrow.co.uk, 2022. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content
 

Find out how SES can help your business
Contact us

Contact us

If you would like further information, discuss your requirements, get a free no obligation quotation or just a friendly chat on how we could possibly help please fill in the details below and one of our team will get back to you as soon as possible.
Tick the box to receive regular updates and industry insights