It's 2 AM. Your phone buzzes. "The servers are encrypted and there's a ransom note."
What do you do? Who do you call? Do you pay? Do you tell customers? Do you call the police?
If you don't have an incident response plan, you'll be figuring this out in real-time while the clock is ticking. That's not a good position to be in.
The Stats Are Not Great
- 67% of SMBs don't have an incident response plan
- Companies with a tested IR plan recover 3x faster
- The average cost of a breach for SMBs is $2.98 million (and rising)
- Companies without IR plans spend 58% more on breach recovery
An IR plan isn't just a nice-to-have. It's the difference between a controlled response and chaos.
What Is an Incident Response Plan?
An IR plan is a documented process for handling security incidents. It answers:
- What counts as an incident?
- Who's responsible for what?
- How do we contain the damage?
- Who do we notify and when?
- How do we recover?
- How do we prevent it from happening again?
It's not a 200-page document that sits in a drawer. It's a practical playbook that people can actually follow under pressure.
The 7 Phases of Incident Response
1. Preparation
Before anything happens:
- Define your IR team and their roles
- Collect emergency contact information
- Establish a secure communication channel (not corporate email, which might be compromised)
- Prepare an IR toolkit (forensic tools, evidence bags, documentation templates)
- Practice with tabletop exercises
2. Identification
Something happened; now figure out what:
- Confirm it's actually an incident (not a false alarm)
- Assess severity: Is it ransomware? Data breach? Just malware?
- Document everything from the start (timestamps matter)
- Activate the appropriate response level
3. Containment
Stop the bleeding without destroying evidence:
- Isolate affected systems from the network
- DO NOT power off: this destroys memory evidence
- Block malicious IPs/domains at the firewall
- Disable compromised accounts
- Preserve logs before they rotate out
4. Eradication
Remove the threat completely:
- Identify the root cause (how did they get in?)
- Remove malware and backdoors
- Close the entry point
- Reset compromised credentials
5. Recovery
Get back to normal, safely:
- Restore from clean backups
- Patch systems before reconnecting them
- Monitor closely for signs of reinfection
- Verify business operations are working
6. Post-Incident Review
Learn from what happened:
- What worked? What didn't?
- How could we have detected this sooner?
- What changes do we need to make?
- Update the IR plan based on lessons learned
7. Communication
Throughout all phases, communicate appropriately:
- Internal stakeholders (leadership, affected teams)
- External parties (customers, regulators, law enforcement)
- Legal counsel (especially before any public disclosure)
- Cyber insurance provider
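The Identification and Containment steps above ask you to timestamp everything from the start and to preserve logs and other evidence before they rotate out or are altered. The following is an added example, not code from the original post: a minimal evidence journal in Python that records each preserved artifact with a UTC timestamp and a SHA-256 hash, so you can later show that a copied log has not changed since collection. The `EvidenceJournal` class, the `demo()` helper and the single auth-log line it writes are constructed for this illustration; they are not real evidence.

```python
"""Append-only, hash-verified journal of what was collected during an incident (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large log archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def utc_now() -> str:
    """Journal timestamps are always UTC so entries from different hosts line up."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class EvidenceJournal:
    """One JSON line per note or preserved artifact; the file is only ever appended to."""

    def __init__(self, journal_path: str, analyst: str):
        self.journal_path = journal_path
        self.analyst = analyst

    def _append(self, entry: dict) -> dict:
        entry = {"ts": utc_now(), "analyst": self.analyst, **entry}
        with open(self.journal_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def note(self, text: str) -> dict:
        """Free-text timeline entry: what was observed or decided, and when."""
        return self._append({"type": "note", "text": text})

    def preserve(self, path: str, description: str) -> dict:
        """Record the hash and size of an artifact copied off an affected system."""
        return self._append({
            "type": "artifact",
            "path": os.path.abspath(path),
            "description": description,
            "sha256": sha256_file(path),
            "bytes": os.path.getsize(path),
        })

    def entries(self) -> list:
        with open(self.journal_path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def verify(self) -> list:
        """Re-hash every recorded artifact; return the paths that are missing or changed."""
        tampered = []
        for entry in self.entries():
            if entry["type"] != "artifact":
                continue
            if not os.path.exists(entry["path"]) or sha256_file(entry["path"]) != entry["sha256"]:
                tampered.append(entry["path"])
        return tampered


def demo() -> dict:
    """Run the journal against a constructed sample log in a temp directory."""
    workdir = tempfile.mkdtemp(prefix="ir-demo-")
    log_path = os.path.join(workdir, "auth.log")
    with open(log_path, "w", encoding="utf-8") as fh:  # constructed sample line, not a real log
        fh.write("Jan 14 02:03:11 web01 sshd[4242]: Accepted password for deploy from 203.0.113.9 port 51234\n")
    journal = EvidenceJournal(os.path.join(workdir, "journal.jsonl"), analyst="on-call")
    journal.note("Alert received; started evidence collection on web01")
    artifact = journal.preserve(log_path, "auth log copied from web01 before rotation")
    tampered_before = journal.verify()                 # expected: []
    with open(log_path, "a", encoding="utf-8") as fh:  # simulate a later modification
        fh.write("extra line appended after collection\n")
    tampered_after = journal.verify()                  # expected: [log_path]
    return {
        "entries": len(journal.entries()),
        "sha256": artifact["sha256"],
        "log_path": log_path,
        "tampered_before": tampered_before,
        "tampered_after": tampered_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the journal file itself off the affected host and back it up with the evidence copies; the hash only proves integrity if the journal you compare against is one the attacker could not rewrite.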
Building Your IR Team
You don't need a dedicated security team. Most SMBs build an IR team from existing roles:
| Role | Usually Filled By | Responsibility |
|---|---|---|
| IR Team Lead | IT Manager / Director | Overall coordination |
| Technical Lead | Senior IT / Sysadmin | Investigation & containment |
| Executive Sponsor | CEO / COO | Business decisions, approvals |
| Legal | External counsel | Regulatory & legal guidance |
| Communications | Marketing / CEO | External messaging |
Also line up external resources before you need them:
- External IR firm (on retainer if budget allows)
- Cyber insurance provider (know your policy number and claims process)
- Law enforcement contacts (local FBI field office)
Incident Playbooks
Different incidents need different responses. Build specific playbooks for:
Ransomware
- Isolate immediately; it spreads fast
- DO NOT pay without consulting legal and insurance first
- Check for decryptors (nomoreransom.org)
- Assume data was exfiltrated (common in modern ransomware)
Data Breach
- Identify what data was accessed
- Preserve evidence of access
- Assess notification requirements (GDPR: 72 hours)
- Engage legal before any external communication
Business Email Compromise
- Disable the compromised account
- Check for email forwarding rules (attackers love these)
- Alert finance team about potential fraud
- Contact bank immediately if money was transferred
Malware
- Isolate the infected system
- Identify the malware type
- Check for lateral movement
- Clean or rebuild (rebuild is often safer)
Compliance Considerations
Your IR plan may need to address specific requirements:
- GDPR: 72-hour breach notification to supervisory authority
- NIS2: 24-hour early warning + 72-hour notification
- PCI DSS: Incident response procedures required for compliance
- HIPAA: 60-day breach notification for PHI
- Cyber Insurance: Most policies require prompt notification
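The notification windows listed above all run from the moment you discover the incident, and several can apply at once, so the first question on the bridge call is usually "which clocks are running and which one expires first?". The following added example, not code from the original post, turns the windows stated here into a sorted schedule for a given discovery time. The `Obligation` table, the `facts` flags (`personal_data`, `nis2_entity`, `phi`, `insured`) and the 24-hour insurer window are constructed for this illustration; the post only says insurers require "prompt" notification, so the insurer line is an assumption to replace with your own policy terms.

```python
"""Which breach-notification clocks are running, and when each expires (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Obligation:
    regime: str
    what: str
    window: timedelta   # measured from the moment the incident was discovered
    trigger: str        # incident fact that makes this obligation apply


# Windows as stated in the post. The insurer window is an ASSUMPTION: the post only says
# "prompt", and policies differ, so replace it with the window in your own policy.
OBLIGATIONS = (
    Obligation("GDPR", "notify supervisory authority", timedelta(hours=72), "personal_data"),
    Obligation("NIS2", "early warning", timedelta(hours=24), "nis2_entity"),
    Obligation("NIS2", "incident notification", timedelta(hours=72), "nis2_entity"),
    Obligation("HIPAA", "breach notification for PHI", timedelta(days=60), "phi"),
    Obligation("Cyber insurance", "notify insurer (ASSUMED window; check policy)",
               timedelta(hours=24), "insured"),
)


def notification_schedule(discovered_at: datetime, facts: set,
                          now: Optional[datetime] = None) -> list:
    """Return the applicable obligations sorted by due time, with hours left and an overdue flag."""
    if discovered_at.tzinfo is None:
        raise ValueError("discovered_at must be timezone-aware; keep the IR timeline in UTC")
    now = now or datetime.now(timezone.utc)
    rows = []
    for ob in OBLIGATIONS:
        if ob.trigger not in facts:
            continue
        due = (discovered_at + ob.window).astimezone(timezone.utc)
        left = due - now
        rows.append({
            "regime": ob.regime,
            "what": ob.what,
            "due_utc": due.isoformat(timespec="minutes"),
            "hours_left": round(left.total_seconds() / 3600, 1),
            "overdue": left < timedelta(0),
        })
    rows.sort(key=lambda r: r["due_utc"])  # stable sort keeps table order on ties
    return rows


def schedule_from_iso(discovered_iso: str, facts: Iterable[str], now_iso: str) -> list:
    """Convenience wrapper taking ISO-8601 strings with offsets, e.g. '2024-01-14T02:00:00+00:00'."""
    return notification_schedule(datetime.fromisoformat(discovered_iso), set(facts),
                                 datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # Constructed scenario: personal data involved at a NIS2 entity, 20 hours after discovery.
    for row in schedule_from_iso("2024-01-14T02:00:00+00:00",
                                 ["personal_data", "nis2_entity"],
                                 "2024-01-14T22:00:00+00:00"):
        status = "OVERDUE" if row["overdue"] else f'{row["hours_left"]}h left'
        print(f'{row["due_utc"]}  {row["regime"]:<15} {row["what"]:<35} {status}')
```

Run it once during a tabletop exercise with the discovery time fixed and the team will see that the NIS2 early warning, not the better-known GDPR deadline, is the first clock to expire.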
Testing Your Plan
An untested plan is just a document. Test regularly:
- Tabletop exercises: Walk through scenarios with the team. "It's Tuesday morning, and accounting reports all their files are encrypted. What do we do?"
- Technical drills: Practice isolating systems, restoring from backups, activating communication channels
- Annual review: Update contacts, validate procedures, incorporate lessons learned
Need a Ready-Made IR Plan?
I've packaged my complete incident response plan template with fill-in-the-blank sections, 6 incident playbooks, and all the checklists you need.
Start Simple
If you have nothing today, start with:
- Contact list: Who do you call? (IR team, executives, legal, insurance, external help)
- Severity levels: What's critical vs. minor?
- Basic procedures: Isolate, document, escalate
- Communication templates: What do you tell employees? Customers?
Even a one-page plan is infinitely better than no plan. You can build on it over time.
The worst time to create an incident response plan is during an incident.