Usherwood Blog | Usherwood Office Technology

Episode 3: Your Incident Response Plan: Ready or Not?

Written by Lindsay Usherwood, General Counsel | Jul 15, 2026 1:48:42 PM

Incident response isn’t an IT plan. It’s a business survival plan.

When most leaders think about cybersecurity incidents, they picture worst-case scenarios: ransomware, hacked systems, everything locked down. Then comes the scramble to fix it.

But in our conversation with compliance paralegal Theresa Pickens, one thing became clear: The biggest mistakes don’t happen during the incident. They happen before it.

To see the video version, click here

Incident Response Isn’t Just Fixing a Problem

At a high level, incident response is simply how your organization reacts when something disrupts your technology or security.

That includes:

  • system outages
  • suspicious activity
  • unauthorized access
  • confirmed data breaches

But not every incident is equal and treating them the same is where problems start.

One of the first (and most important) decisions is classification:

  • Is this an operational issue?
  • A security incident?
  • Or a confirmed breach?

That answer determines everything: who’s involved, what actions get taken, and what obligations you may trigger.

When Does an IT Problem Become a Legal Problem?

Most companies assume legal only matters after a breach is confirmed. That’s not reality.

Legal considerations often start much earlier, sometimes even before you fully understand what happened.

If sensitive data might be involved, early decisions can impact:

  • notification requirements
  • regulatory exposure
  • contract obligations
  • insurance coverage

If an incident involves confidential information, regulated data, or contractual obligations, decisions made in the first few hours can have long-term consequences.

Even the words you use matter. Calling something a “breach” too early can trigger legal obligations that may not actually apply. Incident response is as much about communication and decision-making as it is about technology.

The Biggest Mistake? Trying to Recover Too Quickly

When systems go down, speed feels like the priority.

In reality, speed is where companies get into trouble.

A common reaction goes like this:

  • restore backups
  • reset systems
  • clear alerts
  • move on

The problem? You may be destroying the exact evidence you’ll need later.

That’s why Theresa breaks incident response into two phases:

1. Containment

Stop the threat. Limit the damage.

2. Recovery

Restore systems after you understand what happened.

That short pause between the two is where better decisions happen.

Communication Will Make or Break your Response

Technology isn't the only thing that needs careful management during an incident.

Communication can have just as much impact.

Organizations need to know:

  • Who should be notified
  • What information should be shared
  • When updates should be provided
  • What language should—and shouldn't—be used

Oversharing incomplete information can create confusion.

Under sharing can create distrust.

Finding the right balance requires planning before an incident ever occurs.

Your MSP Isn't Responsible for Everything

A common assumption:
“If we have an MSP, they’ll handle everything.”

Most MSPs are responsible for:

  • detection
  • investigation
  • containment

But decisions around:

  • recovery
  • communication
  • legal involvement
  • business operations

still sit with leadership and those expectations should be clearly defined before anything goes wrong.

That's why clearly defining responsibilities at the beginning of an IT partnership is so important. Whether your relationship is fully managed or co-managed, everyone should understand their role before an emergency occurs, not during one.

Recovery Doesn't End When Systems Come Back Online

Once systems are restored, many organizations consider the incident closed.

In reality, that's when one of the most valuable parts of the process begins. Every incident should end with a lesson learned discussion.

Questions to ask include:

  • What happened?
  • Could we have prevented it?
  • Were there gaps in our technology or processes?
  • Did everyone understand their responsibilities?
  • What should change before the next incident?

These conversations often lead to stronger policies, better communication, and improved security practices.

They also highlight another important lesson from our discussion: cybersecurity is constantly evolving.

Multi-factor authentication (MFA), for example, remains one of the most effective security tools available. But attackers have adapted, using techniques like MFA fatigue, sending repeated approval requests until someone eventually clicks "Accept."

Security isn't about implementing one tool and assuming the problem is solved. It's about continuously adapting as threats change.

Hot Take: Your Incident Response Plan Is More Important Than Your Technology

Every organization invests in security tools whether that’s firewalls, endpoint protection, multi-factor authentication, backup systems, etc.

Those investments matter, but they won't replace preparation.

Things you can do to prepare are:

  • having a documented incident response plan
  • reviewing it regularly
  • assigning clear responsibilities
  • training your team
  • running tabletop exercises

Much like emergency drills, these exercises create the muscle memory teams rely on when a real crisis occurs.

Preparation isn't glamorous, but when an incident happens, it's often the difference between a controlled response and complete chaos.

The Takeaway

Cyber incidents are stressful. That part doesn’t change.

What does change is how prepared you are when they happen.

The organizations that respond best:

  • prepare ahead of time
  • involve the right people early
  • communicate clearly
  • and practice their response

Because when something goes wrong, you won’t rise to the occasion, you’ll fall back on your plan.

If you don’t have an incident response plan, or haven’t reviewed it recently, start there.

That’s the difference between controlled response and chaos.

To watch more episodes, click here.

Want to learn more about how Usherwood approaches cybersecurity and compliance? Fill out a tech evaluation to see how we can help you stay safe during a cyber-incident.