By: Lindsay Usherwood, General Counsel on July 15th, 2026
Episode 3: Your Incident Response Plan: Ready or Not?
Incident response isn’t an IT plan. It’s a business survival plan.
When most leaders think about cybersecurity incidents, they picture worst-case scenarios: ransomware, hacked systems, everything locked down. Then comes the scramble to fix it.
But in our conversation with compliance paralegal Theresa Pickens, one thing became clear: The biggest mistakes don’t happen during the incident. They happen before it.
To see the video version, click here.
Incident Response Isn’t Just Fixing a Problem
At a high level, incident response is simply how your organization reacts when something disrupts your technology or security.
That includes:
- system outages
- suspicious activity
- unauthorized access
- confirmed data breaches
But not every incident is equal and treating them the same is where problems start.
One of the first (and most important) decisions is classification:
- Is this an operational issue?
- A security incident?
- Or a confirmed breach?
That answer determines everything: who’s involved, what actions get taken, and what obligations you may trigger.
When Does an IT Problem Become a Legal Problem?
Most companies assume legal only matters after a breach is confirmed. That’s not reality.
Legal considerations often start much earlier, sometimes even before you fully understand what happened.
If sensitive data might be involved, early decisions can impact:
- notification requirements
- regulatory exposure
- contract obligations
- insurance coverage
If an incident involves confidential information, regulated data, or contractual obligations, decisions made in the first few hours can have long-term consequences.
Even the words you use matter. Calling something a “breach” too early can trigger legal obligations that may not actually apply. Incident response is as much about communication and decision-making as it is about technology.
The Biggest Mistake? Trying to Recover Too Quickly
When systems go down, speed feels like the priority.
In reality, speed is where companies get into trouble.
A common reaction goes like this:
- restore backups
- reset systems
- clear alerts
- move on
The problem? You may be destroying the exact evidence you’ll need later.
That’s why Theresa breaks incident response into two phases:
1. Containment
Stop the threat. Limit the damage.
2. Recovery
Restore systems after you understand what happened.
That short pause between the two is where better decisions happen.
Communication Will Make or Break your Response
Technology isn't the only thing that needs careful management during an incident.
Communication can have just as much impact.
Organizations need to know:
- Who should be notified
- What information should be shared
- When updates should be provided
- What language should—and shouldn't—be used
Oversharing incomplete information can create confusion.
Under sharing can create distrust.
Finding the right balance requires planning before an incident ever occurs.
Your MSP Isn't Responsible for Everything
A common assumption:
“If we have an MSP, they’ll handle everything.”
Most MSPs are responsible for:
- detection
- investigation
- containment
But decisions around:
- recovery
- communication
- legal involvement
- business operations
still sit with leadership and those expectations should be clearly defined before anything goes wrong.
That's why clearly defining responsibilities at the beginning of an IT partnership is so important. Whether your relationship is fully managed or co-managed, everyone should understand their role before an emergency occurs, not during one.
Recovery Doesn't End When Systems Come Back Online
Once systems are restored, many organizations consider the incident closed.
In reality, that's when one of the most valuable parts of the process begins. Every incident should end with a lesson learned discussion.
Questions to ask include:
- What happened?
- Could we have prevented it?
- Were there gaps in our technology or processes?
- Did everyone understand their responsibilities?
- What should change before the next incident?
These conversations often lead to stronger policies, better communication, and improved security practices.
They also highlight another important lesson from our discussion: cybersecurity is constantly evolving.
Multi-factor authentication (MFA), for example, remains one of the most effective security tools available. But attackers have adapted, using techniques like MFA fatigue, sending repeated approval requests until someone eventually clicks "Accept."
Security isn't about implementing one tool and assuming the problem is solved. It's about continuously adapting as threats change.
Hot Take: Your Incident Response Plan Is More Important Than Your Technology
Every organization invests in security tools whether that’s firewalls, endpoint protection, multi-factor authentication, backup systems, etc.
Those investments matter, but they won't replace preparation.
Things you can do to prepare are:
- having a documented incident response plan
- reviewing it regularly
- assigning clear responsibilities
- training your team
- running tabletop exercises
Much like emergency drills, these exercises create the muscle memory teams rely on when a real crisis occurs.
Preparation isn't glamorous, but when an incident happens, it's often the difference between a controlled response and complete chaos.
The Takeaway
Cyber incidents are stressful. That part doesn’t change.
What does change is how prepared you are when they happen.
The organizations that respond best:
- prepare ahead of time
- involve the right people early
- communicate clearly
- and practice their response
Because when something goes wrong, you won’t rise to the occasion, you’ll fall back on your plan.
If you don’t have an incident response plan, or haven’t reviewed it recently, start there.
That’s the difference between controlled response and chaos.
To watch more episodes, click here.
Want to learn more about how Usherwood approaches cybersecurity and compliance? Fill out a tech evaluation to see how we can help you stay safe during a cyber-incident.
Read On
Episode 2: Your Security System is Watching - but is it Working?
Most people think physical security means cameras on the outside of the building and a locked front...
Protecting Your Family Business Is More Than Financial and Estate Planning
I want to roll back the title of Ask the Expert because I don’t believe anyone can be an expert...
Ask the Expert: Responsibly Integrating AI Business Solutions
Artificial intelligence (AI) is one of the hottest topics in today’s tech and office technology...
About Lindsay Usherwood, General Counsel
Lindsay Usherwood serves as Usherwood Office Technology’s General Counsel and Corporate Secretary. After graduating from law school, Lindsay dove into the family business in 2018. She developed a passion for using her legal experience to help with managed IT operations to build on and maintain customized, secure, and legally compliant IT solutions. She has 8 years of experience in law, a BS in Business Administration and a J.D. Law Degree from Syracuse University.

