Do you know what to do when employees begin to report that their computer screens have been locked and the above ransom note discovered? When it comes to responding to a cybersecurity incident—no matter the type, whether it involves an inside bad actor, email compromise, ransomware attack, or traditional hack—preparation always pays. Attempting to mount a response "on the fly" without an organized plan of action is a recipe for failure. After all, confusion feeds chaos, which leads to inefficiencies and increased costs.

What Are Three of the Best Ways to Plan Ahead?

Create a Good Incident Response Plan
A good incident response plan strikes the fine, but important, balance between two attributes: flexibility, on the one hand, and structure, on the other. Because no two incidents are ever precisely the same, a written plan should serve as an outline of how to respond (no more than fifteen pages usually suffices in this regard), without being bogged down in procedures specifying exactly how a response must proceed in a step-by-step manner. In the world of incident response, there are very few hard-and-fast rules, and plans need to afford shot-callers (i.e., incident commanders) discretion depending upon the particular circumstances. But on the other end of the spectrum, because the core function of a plan is ultimately to serve as a consistent reference tool across response efforts, it must also speak a language of structure. A plan lacking this sort of steady guidance is often no better than not having a plan at all.

To balance the flexibility and structure scales when putting together a plan, it is helpful for organizations to build their plan around an established framework, such as NIST SP 800-61, which contains recognized standards -- including Preparation, Detection and Analysis, Containment, Eradication, Recovery and Post-Incident Activity -- that have either been expressly adopted by regulators or tacitly incorporated into regulations. Relying upon a time-tested framework also has the added benefit of rendering a plan more defensible in the event of any potential challenge than if it were put together out of whole cloth.

Test Your Plan (often)
It’s not enough for an organization to have a plan that sits in a cabinet somewhere collecting cobwebs. Even a good plan (on paper) might not be any good if it isn’t periodically reviewed and tested to ensure it fits, and works, for the organization, as there is no such thing as a one-size-fits-all response effort. To this end, effective incident response requires buy-in from all individual members of an organization’s response team, not just IT. And in order to buy into a plan, all team members must: (1) know that they are, in fact, part of the team; and (2) fully understand their role within it. They cannot do so without becoming familiar with the plan itself.

In addition to ensuring that team members understand their roles, every plan should be tested periodically (ideally, annually) to identify strengths and potential weaknesses. Conducting a table-top exercise allows a team to follow along with their plan in a low-stress but real-world environment. Plus, a drill run by outside counsel helps cloak the mock response discussions in privilege, highlighting potential shortfalls for remediation without fear of them being turned against the company in the future.

Make Incident Response a Team Sport
Inevitably, an organization will need to leverage outside industry experts when responding to incidents, from legal to forensics to PR. A response plan should account for this reality and ensure that the right team members are tasked with engaging outside help at the right times. For legal in particular, earlier is always better for purposes of establishing and protecting privilege. Moreover, turning to a known, trusted vendor who has been vetted in advance and already knows your organization saves precious time in the wake of an incident.

Of course, it’s no help for your plan to involve outside vendors if you have an insurance policy that excludes them from coverage. To this end, when shopping around for cyber insurance policies, consider whether the carrier will allow for choice of vendor or, rather, mandate the use of certain panel providers. If there is any room to negotiate on this point, it is before the policy is written and certainly before any incident response is triggered.

Any organization dealing with an incident will tell you that it’s far better to prepare in advance than react in real time. Indeed, meaningful preparation is essential to the development of effective incident response efforts. Asking yourself important questions, putting in place a right-sized incident response plan, testing your plan regularly, and leveraging outside experts are just a few important steps in what should be a continually evolving response program.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2021 Harter Secrest & Emery LLP

