With the sudden, drastic increase of distributed workforces came implementation of new practices and access solutions, which in turn created more surface area for bad actors to attack and more potential gaps for them to exploit.
A business’s Incident Response Plan is its playbook for deploying a rapid, proportional response to a potential security threat, with the goal of complying with applicable data privacy and security laws while maintaining client services. Such a plan generally lists the roles and responsibilities of staff positions as they work through phases of Detection, Analysis, Containment and Eradication, Recovery, and Reporting. The collection of key staff members is commonly understood to be the Incident Response Team (IRT) and their familiarity with the plan and preparation in advance of a potential incident are often key to successful responses.
Here are some important considerations in evaluating your current Incident Response Plan:
Communication is always key, but now it may need to be handled without face-to-face meetings or assembling the IRT in a conference room. An Incident Response Plan, similar to a Disaster Recovery Plan or Business Continuity Plan, should plainly state the methods of communication IRT members will rely on, in order of preference, in response to a potential incident. Thought should be given to what forms of communication are likely to be interrupted or compromised in an incident, and what back up communication method(s) will be relied on. With IRT members working from home, which communication methods yield lower risk of interruption, are more secure, and are available to all IRT members? Be careful of using free platforms or apps to communicate. Many are not secure, there is no expectation of privacy, and the data stored can be discoverable or subject to subpoena.
Relatedly, does the Plan identify which leaders are responsible for internal or external communications regarding an incident? For example, in an office setting business phone lines and clustering of staff could allow a team to efficiently direct all inbound questions or concerns about an incident to a VP of Communications. Pick a title not a department. Now, with cell phones serving as a primary tool of communication, does your team need a refresher of how to address communication from external parties or a reminder of professional responsibilities when confronting a potential incident? Also remember, during an incident, systems are likely not accessible because they are encrypted. So, does every member of the IRT have a printed version of the Incident Response Plan at home with everyone’s contact information?
The first phase of most Incident Response Plans revolves around detection - identifying what is happening and collecting details about a potential incident. Your Incident Response Plan might implicitly assume that IT staff or others with specialized knowledge related to identifying a security or privacy issue are on hand or available at the same location as a point of compromise. When considering your new work from home environment, it is time to consider how your IT staff will be available in the earliest moments after a potential incident is reported. Where possible, it may be time to consider end point detection and response solutions - an addition to your IT management environment that can provide remote insight and management of laptops being used by employees from their homes. Such a solution can speed the collection of important forensic details while hastening the containment and wider response.
Work from home environments may change a member of the IRT’s ability to address the role or responsibilities they were previously assigned. Often times Incident Response requires confidential conversations, privileged communication and/or discussion about sensitive data and it is important to address with members of the IRT whether they can meaningfully, and responsibly participate in incident response when working from home. There are often more competing interests in a homebound setting than in an office and when updating and reviewing an Incident Response Plan, your company has the chance to address with each member of the IRT whether they can still satisfy their role while potentially handling such competing interests. Such review can allow for updates and edits to IRT members’ roles and responsibilities in advance of a potential incident, instead of in the midst of one, saving valuable time, energy and focus.
An Incident Response Plan best serves its purpose when it is regularly reviewed as part of a tabletop exercise. Such an exercise promotes clarifying questions amongst members of an IRT and familiarizes everyone involved with their roles and expectations for others. Additionally, an Incident Response Plan rehearsal reminds all IRT members of the importance of communication and how critical legal determinations, such as what constitutes a data breach, must be considered when discussing or communicating about an incident.
Now that your IRT is working from home, how will they make use of your Incident Response Plan? The best way to find out is to schedule time to run a remote tabletop exercise. The updated exercise can provide insight into new strengths or weaknesses created by a distributed IRT. Such practice can highlight the differences created by an at-home response, such as does everyone on the IRT have a hard copy of the Incident Response Plan in the event one is not accessible online?
Updating your Incident Response Plan is key, but it should be done in coordination with improvement to other safeguards. In parallel with rolling out new work-from-home measures, companies should consider adjusting relevant policies, such as the Acceptable Use Policy, and assess how new access controls or encryption measures, such as virtual private networks, can mitigate risks to security. While employees are adjusting to an array of new norms, it may be less disruptive to add a few more, including multi-factor authorization, new password complexity standards, and other access control measures. By remaining vigilant and keeping continuous focus on the issues of security and privacy, companies stitch best practices into the cultural fabric of their team.
If you have questions about creating a legally defensive Incident Response Plan contact sophisticated tech counsel, we would be happy to help. Beckage is a law firm focused only on tech, data security and privacy. Its lawyers are also technologist and former tech business owners. Beckage is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).
*Attorney Advertising. Prior results do not guarantee future outcomes.