Let’s Get Down to Business: Drafting Your Incident Response Plan

July 6, 2023

At this point, if you’ve read every entry in this cybersecurity series (and kudos to you if you have!), you’ve seen how we’ve been comparing legal standards for cybersecurity with the standards HIPAA sets for medical practices, and you’ve worked through our checklists analyzing your current cybersecurity practices. If those checklists revealed that your incident response plan is lacking, or if you don’t have an incident response plan yet, fret not! We also have a checklist for you to run through as you create or edit your plan.

When you’re drafting your incident response plan, the first step – perhaps obviously – is to think about what kinds of incidents could potentially happen. (This is a great exercise to give the pessimists on your team.) Ask yourself, what are common cybersecurity incidents that could happen to a law firm or organization of your size? For example, you’ll probably need to consider your response to a ransomware attack, or a phishing attack. 

Globally, you should be thinking about: 

  • Is there a way you are tracking your anti-virus coverage, the number of employees who have been trained in cybersecurity measures, etc.? 
  • Do you share those metrics with your senior executives? 
  • Are those senior executives informed about cybersecurity and risks? 
  • Do you have cyber insurance? 

For each incident on your doom list, consider the following: 

  • How severe is the projected impact if this incident happens? (For example, if the risk severity level is low, you may want to prioritize other risks in your training, though it will still be worth covering.)
  • Which senior executives should be notified if this incident happens? How will they be notified? 
  • Do you need to notify any of the stakeholders or clients if this incident happens? Who? How? 
  • Are there people designated as “first responders” to any incidents? Who are those people? 
  • Is there a plan for what employees who suspect there is a breach should do? What is that plan? (For example, after notifying the appropriate team members, should they turn their device off or disconnect it from the network?)
  • Is there a plan to contain the data breach? What does this entail? 
  • Is there a plan to mitigate the effect of the data breach on your business process, your clients, and your stakeholders? What is the plan? 


You’ll find that, as you walk through each of these questions and talk them over with your senior executives, IT team, and employees, you’ve by and large tackled almost your entire incident response plan. You can then wrap up your plan by discussing next steps for your organization in the case of an incident. This will be the recovery section of the incident response plan, which, if an incident or data breach does occur, will help put your organization back on the right path to move forward.

Here are some things you’ll want to consider when drafting the recovery part of your incident response plan: 

  • Do you have regularly stored backups so that you can restore your data and systems to a known-good previous state?
  • Is your backup system completely separate from your regular production environment?
  • Can you replace compromised files with clean versions if necessary? When will it be necessary? 
  • Can you rebuild systems if necessary? When will it be necessary? 
  • Is there a plan to shore up your defenses by changing your passwords, tightening security protocols, and installing patches? Will that be necessary? 
  • Do you have a system to monitor the network in case another attack happens?

The purpose of these checklists, and of the checklists in our previous blog posts, is not to scare or intimidate you or your team members, but to empower you to take steps to protect your organization before any harm to your system, your network, your organization, and your clients occurs. You might feel like these checklists are very intense – they’re supposed to be! In the best-case scenario, you’ll never have to use this incident response plan, but if the worst does happen, you don’t want to be left scrambling. That’s why we’ve compiled a packet of printable versions of all the checklists in this series to help you assess your organization’s cybersecurity status and come up with a comprehensive set of policies to set your organization up for success.

This blog post is part of a four-part series on cybersecurity. You can also read Part 1, Part 2, and Part 3 for a more comprehensive overview of best practices.
