Cyber Doc logo Cyber Doc
Cybersecurity Term

What are lessons learned?

Practical improvements identified after an incident or near miss.

Incident Response Last reviewed: 2026-05-20

← Back to Learn Centre

What are lessons learned?

Lessons learned are the practical improvements identified after an incident or near miss.

Simple example

After a phishing incident, the business adds MFA, improves payment verification, and updates staff reporting steps.

Why it matters

Without lessons learned, the same weakness may lead to repeat incidents.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Schedule post-incident reviews.
  • Keep findings practical and assign owners.
  • Track improvements to completion.
  • Update procedures and training.
  • Use near misses as learning opportunities too.

Reactive steps

  • Review what happened after containment and recovery.
  • Identify what worked and what failed.
  • Separate blame from process improvement.
  • Update controls, documentation, and training.
  • Revisit progress after a set period.

Related terms

  • Root cause analysis
  • Incident response
  • Security improvement