Department of Justice Best Practices on Cybersecurity: Guidance for Smaller Organizations

Protecting your business from cyber breaches can be a daunting task, especially with limited budgets and personnel. Most know the horror stories, yet some think "it will not happen to my company," "we're too small to care about," "we're not vital to the industry," or "we have adequate security." Even so, many executives still worry about business interruption, customer data loss, damage to the company's reputation, the cost of protecting information, and possible litigation.

The U.S. Department of Justice has recently issued a cybersecurity "best practices" guidance document written for smaller organizations that provides helpful, cost-efficient practices. It was drafted with smaller, less resourced organizations in mind, but even larger organizations with more experience in handling cyber incidents may benefit from it.

What is important about the DOJ cybersecurity guidance for smaller organizations is that, if followed, it may well help mitigate litigation expense while providing a cost-effective means to enhance your organization's cybersecurity program.

We understand that many smaller energy organizations may have in place hardware and software to protect their corporate computer systems. We also understand that many smaller organizations may have some systems in place to address data security and client data protection.

Nevertheless, we have learned that prudence dictates that all organizations have cybersecurity "programs" in place: not just protective hardware and software, but written cybersecurity "programs" that meet some recognized standard, covering both their corporate computer systems and any computer systems that may contain client information. The DOJ cybersecurity "best practices" for smaller organizations may well serve as such a recognized standard and thus help protect your organization and mitigate expensive litigation.

Highlights from the DOJ Cybersecurity "Best Practices" Document – Version 1.0 (2015)

Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs.

This “best practices” document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan. It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents. It was drafted with smaller, less resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.

U.S. Department of Justice – Cyber Incident Preparedness Checklist

Before a Cyber Attack or Intrusion

  • Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
  • Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework.
  • Create an actionable incident response plan.  
    • Test plan with exercises.
    • Keep plan up-to-date to reflect changes in personnel and structure.
  • Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
  • Have procedures in place that will permit lawful network monitoring.
  • Have legal counsel that is familiar with legal issues associated with cyber incidents.
  • Align other policies (e.g., human resources and personnel policies) with your incident response plan.
  • Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that you may require in the event of an incident.

During a Cyber Attack or Intrusion

  • Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
  • Minimize continuing damage consistent with your cyber incident response plan.
  • Collect and preserve data related to the incident.  
    • “Image” the network.
    • Keep all logs, notes, and other records.
    • Keep records of ongoing attacks.
  • Consistent with your incident response plan, notify—  
    • Appropriate management and personnel within the victim organization.
    • Law enforcement.
    • Other possible victims.
    • Department of Homeland Security.
  • Do not—  
    • Use compromised systems to communicate.
    • “Hack back” or intrude upon another network.

After Recovering from a Cyber Attack or Intrusion

  • Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
  • Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.

Preti Flaherty assists organizations of all sizes in developing and implementing cybersecurity programs for their corporate and operations computer systems. For the full 15-page DOJ cybersecurity "best practices" document, or for additional information, please contact William Roberts at [email protected] or call 617.226.3800.