Most small businesses don’t have an incident response plan. If a breach happens, they improvise. Improvised responses to security incidents are almost always slower, more expensive, and more damaging than planned ones. Here’s how to build a basic IR plan that works.

The Six Phases of Incident Response

NIST’s incident response lifecycle provides the standard framework: Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Activity. Your IR plan should address each phase.

Preparation: Do This Before an Incident

Document your critical assets and who owns them. Establish an incident response team with defined roles (incident commander, communications lead, technical lead). Secure an external IR retainer — a cybersecurity firm on standby to assist with major incidents. Document contact information for your cyber insurer, legal counsel, and law enforcement contacts. Test your backups. Run a tabletop exercise annually.

Detection and Containment: The First Hours Matter Most

Speed in the first hours of an incident limits damage. When a potential incident is detected, document everything you observe with timestamps. Isolate affected systems from the network immediately — disconnect from the internet but don’t power off (you want to preserve forensic evidence in memory). Notify your IR team and engage your IR retainer if the incident is significant.
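The containment order described above (log with timestamps, capture what is in memory, then cut the network without powering off) as a small Linux shell helper. This is an added example, not from the original post; it assumes a Linux host with iproute2 (`ip`, `ss`) and writes evidence under `EVIDENCE_DIR`, which defaults to `/var/tmp/ir-evidence`.

```shell
#!/bin/sh
# First-hours containment helper (added example, not from the original post).
# Order matters: record volatile evidence first, then cut network access,
# and never power the host off, since memory-resident evidence would be lost.
# Assumed environment: Linux with iproute2; missing tools are skipped and logged.

EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/ir-evidence}"
LOG_FILE="$EVIDENCE_DIR/incident-log.txt"

# Append one timestamped line (UTC, ISO 8601) to the incident log.
log_event() {
    mkdir -p "$EVIDENCE_DIR"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# Run a command if it is installed and save its output under the evidence dir.
capture() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$EVIDENCE_DIR/$name.txt" 2>&1 || log_event "$1 exited with status $?"
        log_event "captured $name via: $*"
    else
        log_event "skipped $name: $1 not installed"
    fi
}

# Snapshot of what is running and who is connected, before containment changes it.
collect_volatile() {
    capture processes ps -eo pid,ppid,user,lstart,cmd
    capture sockets ss -tunap
    capture sessions who
    capture routes ip route
}

# Take every non-loopback interface down. With DRY_RUN=1, only log what would run.
isolate_host() {
    for iface in $(ls /sys/class/net 2>/dev/null); do
        [ "$iface" = lo ] && continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            log_event "dry-run: would run ip link set $iface down"
        else
            ip link set "$iface" down && log_event "isolated interface $iface"
        fi
    done
}
```

Run `collect_volatile` and then `isolate_host` as root; set `DRY_RUN=1` first to confirm which interfaces would be taken down, and hand the evidence directory to your IR retainer unchanged.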

Communication During an Incident

Define who communicates what to whom during an incident. Internal communication: who gets notified and when. External communication: customers, vendors, regulators (data breach notification requirements vary by state and industry). Legal should review all external communications before they go out. Establish an out-of-band communication channel (personal cell phones, Signal) in case your primary communication systems are compromised.
