Last week, the Cybersecurity Unit of the Department of Justice (DOJ) issued a list of “best practices” for companies on preparing for and responding to cyber-attacks. The report details the lessons federal prosecutors have learned while handling cyber investigations, as well as feedback from private sector companies. Some of the key pieces of advice are:
- Identify Your “Crown Jewels”: Before creating a cyber-incident response plan, companies should first identify which data, services, and infrastructure warrant the most protection. Loss of some data or services might only result in a minor disruption, while loss of others could be devastating. A good incident response plan will include appropriate risk management and prioritization.
- Have Appropriate Technology and Services in Place before an Intrusion Occurs: Companies should already have in place the technology and services they will need to respond to a cyber-incident. This could include off-site data back-up, intrusion detection capabilities, and devices for traffic filtering or scrubbing.
- Ensure Your Legal Counsel Is Familiar with Technology and Cyber-Incident Management: Cyber incidents raise a multitude of legal issues and obligations. Companies faced with a cyber-incident will need to quickly engage legal counsel to address these issues. “Legal counsel that is accustomed to addressing these types of issues that are often associated with cyber incidents will be better prepared to provide a victim organization with timely, accurate advice.”
- Have a Vetted and Actionable Cyber Incident Response Plan: An incident response plan should, at minimum, include the following four steps: (1) immediately make an assessment of the nature and scope of the incident; (2) implement measures to minimize continuing harm; (3) record and collect information regarding the incident, such as imaging the affected computers and keeping logs of what occurred and the steps taken in response; and (4) notify the appropriate people within the company, as well as law enforcement and the potential victims. Consulting counsel is particularly important for the last step because a company’s notification obligations derive from a complex patchwork of state, federal, and international laws.