Is your Incident Response Plan Ready for Prime Time?

In the previous post, we discussed how an incident response plan, not security tools, will ultimately determine the impact of a cybersecurity breach. Losses can be staggering in terms of data, intellectual property, non-compliance penalties, revenue, lawsuits, and the confidence of customers and business partners. More than an IT issue, incident response planning must be a coordinated effort across key departments within an organization, including legal.

Cybersecurity issues are not governed by a single piece of legislation. Instead, organizations have to wade through industry-specific legislation, state regulations and federal statutes, all of which directly or indirectly address cybersecurity. There is also the growing threat of private lawsuits.

Suppose your company is hacked and sensitive customer information is compromised. Depending upon your industry, a government agency or regulatory body could find your company liable if they determine you didn’t do enough to prevent a breach. An attorney with both technical and regulatory knowledge is needed to interpret relevant laws that may affect how an incident response plan is structured and executed.

The only way to determine whether your incident response plan will work is to conduct an incident response readiness assessment. This involves a review of any documentation associated with baselines, escalation procedures, and company policies for protecting sensitive data.

How and where is data being stored? How is data being backed up? What is your business continuity plan? How long will it take to recover data and applications? What is your process for notifying internal and external parties in case of a breach? Do the answers to all of these questions satisfy regulatory requirements?

A top-to-bottom review of IT security is an essential component of your incident response readiness assessment. What software is being used? Is it up to date? Who manages IT security? Is data being encrypted? How is access to data being controlled and monitored? What process is followed when suspicious activity is detected?

The last step is to test your plan. Many organizations will simply have their incident response team walk through a hypothetical scenario. However, a more realistic test of your technology and processes involves “infecting” a network system with harmless malware, which will enable you to gauge the effectiveness of your incident response plan and ensure that all legal and regulatory requirements are met.

Organizations with no in-house counsel should think twice about leaving incident response planning to the IT department. Even organizations that do have in-house counsel should consider bringing in outside counsel to navigate the complexities of cybersecurity. When it comes to incident response, a strategic plan is far more effective and less risky than a knee-jerk reaction.

In the next post, we’ll discuss recent changes to Florida laws related to cybersecurity and data breaches.