June 16, 2015 Article

Department of Justice Best Practices on Cybersecurity: Guidance for Smaller Organizations

Protecting your business from cyber breaches can be a daunting task, especially with limited budgets and personnel. Most know the horror stories, yet some think "it will not happen to my company," "we’re too small to care about," "we’re not vital to the industry," or "we have adequate security." Even so, many executives still worry about business interruption, customer data loss, company reputation, the cost of protecting cyber information, and possible litigation.

The U.S. Department of Justice has recently issued a cybersecurity “best practice” guidance document for smaller organizations that provides helpful, cost-efficient practices. It was drafted with smaller, less resourced organizations in mind, but even larger organizations with more experience in handling cyber incidents may benefit from it.

What is important about the DOJ cybersecurity guidance for smaller organizations is that, if followed, it may well help mitigate litigation expense while providing a cost-effective means to enhance your organization’s cybersecurity program.

We understand that many smaller energy organizations may have in place hardware and software to protect their corporate computer systems. We also understand that many smaller organizations may have some systems in place to address data security and client data protection.

Nevertheless, we have learned that prudence dictates that all organizations have in place cybersecurity “programs”: not just protective hardware and software, but written cybersecurity “programs” that meet some recognized standard, covering both their corporate computer systems and any computer systems that may contain client information. The DOJ cybersecurity “best practices” for smaller organizations may well serve as a recognized standard and thus help protect your organization and mitigate expensive litigation.


Highlights from the DOJ Cybersecurity “Best Practices” Document – Version 1.0 (2015)

Excerpt:

Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs.

This “best practices” document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan. It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents. It was drafted with smaller, less resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.


U.S. Department of Justice – Cyber Incident Preparedness Checklist


Before a Cyber Attack or Intrusion

  • Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
  • Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework.
  • Create an actionable incident response plan.  
    • Test plan with exercises.
    • Keep plan up-to-date to reflect changes in personnel and structure.
  • Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
  • Have procedures in place that will permit lawful network monitoring.
  • Have legal counsel that is familiar with legal issues associated with cyber incidents.
  • Align other policies (e.g., human resources and personnel policies) with your incident response plan.
  • Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cyber security firms that you may require in the event of an incident.


During a Cyber Attack or Intrusion

  • Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
  • Minimize continuing damage consistent with your cyber incident response plan.
  • Collect and preserve data related to the incident.  
    • “Image” the network.
    • Keep all logs, notes, and other records.
    • Keep records of ongoing attacks.
  • Consistent with your incident response plan, notify—  
    • Appropriate management and personnel within the victim organization.
    • Law enforcement.
    • Other possible victims.
    • Department of Homeland Security.
  • Do not—  
    • Use compromised systems to communicate.
    • “Hack back” or intrude upon another network.


After Recovering from a Cyber Attack or Intrusion

  • Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
  • Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.

Preti Flaherty assists organizations of all sizes in developing and implementing cybersecurity programs for their corporate and operations computer systems. For the full 15-page DOJ cybersecurity “best practices” document, or for additional information, please contact William Roberts at [email protected] or call 617.226.3800.
