Preparation is Key: How to build a Cyber Incident Response Plan
Picture this: you run an accounting firm with a team of 8, handling sensitive financial data for 100+ clients. To set the scene, you understandably don’t have any dedicated IT staff, you’re a little lax on cybersecurity practices and you don’t have an incident response plan in place. You’re busy… no judgment.
One day, Elliot on your team clicks a very convincing phishing link that appears to come from a client. Malware silently spreads across your network over the next 48 hours, and on Monday morning every computer displays a ransom demand for $50,000 in cryptocurrency. Until it is paid, your clients’ data and financial records remain encrypted and inaccessible, at risk of being leaked to the dark web at any moment.
As a result, chaos ensues.
Business operations are completely halted for 2 weeks, which is a nightmare because it’s peak season for filing certain tax documents. Your revenue loss over the next month or so comes to over £30,000, and the hit to your reputation leads to 30% of your clients moving to a different accounting firm that they can trust to look after them. You do your best to rectify the situation by hiring external IT consultants who, a little like locksmiths, charge a little (a lot) more than usual because of the urgency of the job.
Poor Elliot gets the blame, despite having received no cybersecurity training, and you kick yourself for not having dependable backups that could have hugely reduced the impact of the ransomware attack. Cybersecurity insurance is also making a little more sense now too.
I hope nothing like this ever happens to your business but the truth is, we’re all at risk.
For small and medium-sized businesses (SMBs), having a well-structured incident response plan isn't just good practice—it's essential for survival. Let's break down how to create and maintain an effective incident response plan that won't break the bank or overwhelm your team.
What is an Incident Response Plan?
An incident response plan (IRP) is your playbook for detecting, responding to, and recovering from cybersecurity incidents. They may not be as dramatic as ransomware; the incident could instead be a power outage, a data leak or another type of cybercrime.
Regardless, think of it as a simple step-by-step plan to refer to should the you-know-what hit the fan.
Essential Components of an Incident Response Plan: A Broad Overview
Element One: The Preparation Phase
One of my favourite things about incident response plans (beyond the sexy name) is how they encourage us to get things in order a little.
Understand the landscape: To do this we need to keep track of what we’re protecting and prioritise accordingly. We can achieve this by creating a simple inventory of our assets. Beyond the physical equipment, we need to include our payment systems and software, cloud access (if we use it) and important data such as mailing lists. This doesn’t have to be particularly comprehensive (see a quick overview here), but it is invaluable: not only does it help you prioritise your strategy, it also lets you analyse different cyber incident scenarios and plan accordingly. For example, the theft of your work laptop will require a different response from your mailing list being held hostage.
Establish your team: If you have a team, it’s useful to assign roles in advance, which allows for a smoother and quicker response. For example, one of you might focus on communicating a breach to customers and partners, whilst another liaises with the IT experts. Define roles and responsibilities clearly and communicate them to your team.
Implement basic security tools and monitoring systems: Now’s a great time to lean into the ‘prevention is better than cure’ ethos. Do so by ensuring your essential cybersecurity practices are up to date and maintained, and consider further defences such as firewalls and antivirus systems.
Develop communication protocols: If something happens, one of the most important tasks is making sure that those who need to know are aware and on guard, in order to ‘stop the spread’, so to speak. Too soon? You’ll want a backup of your client and customer database so you can warn them if you think their data is at risk, as well as phone numbers on hand for IT experts and possibly a PR firm if the incident is particularly impactful. It can be really helpful in the moment to have a range of communication templates ready to go.
Element Two: Detection and Analysis
Next up, your plan should outline how you are going to identify and understand incidents as quickly as possible.
Monitoring systems for unusual activity: There are plenty of brilliant tools out there that can help you with this. One is Security Information and Event Management (SIEM): a solution that centralises much of your security monitoring in one system by collecting and analysing data from multiple sources, including devices, applications and servers. It’s important not to depend too much on such tools, though; stay conscientious about tracking unusual activity in your business systems and responding to reports from your team, clients and partners.
Establishing severity levels for different types of incidents: If you like a colour code, you may wish to set up a system that classifies the severity of an incident. Water damage to a backed-up phone is less serious than a ransomware attack threatening to sabotage your business. Each category can help shape the response and guide people to react appropriately when something happens.
Documenting initial incident details: It may seem low priority, but it’s important that the plan reminds you to keep a record of the event and the actions you have taken. This may assist you in the future should legal repercussions apply, and it can also improve future responses by serving as a tool to shape training.
Element Three: Containment Strategies
Quick containment is crucial to preventing further damage and will likely require IT expertise. Regardless, your plan should acknowledge the following:
Short-term containment actions: Most incidents will require some expert help, but there are basic steps you can take to contain the threat initially. Most often this means isolating the affected devices by disconnecting them from the network, disabling affected user accounts or tightening your firewall rules.
Long-term containment steps: On the advice of professional help, these might include implementing stronger access controls, updating security configurations, and deploying additional monitoring tools.
Element Four: Eradication and Recovery
The final key component we will look at today is the eradication and recovery phase. This part of your plan should detail how to:
Remove the threat from your systems: Again, this will very likely require the professionals, but it involves removing malware, rootkits and other malicious software from affected systems using appropriate security tools and antivirus software.
Patch vulnerabilities that were exploited: Patch and update all identified security vulnerabilities that were exploited during the incident, including software updates, security fixes and configuration changes, to prevent similar attacks. It’s also a great time to review and change your access logins, make sure multi-factor authentication is active and that your passwords are strong.
Restore systems from clean backups: Ensure the backups are properly validated and tested before full restoration, and roll out a phased recovery approach, starting with critical systems first.
Verify system functionality: This involves testing all of your critical business applications and confirming network connectivity and access controls. It’s also a great time to run security scans to confirm your systems are clean, and to increase the frequency of such scans going forward.
Practical Tips for SMBs
Keep these considerations in mind:
Start Simple: Begin with basic procedures and expand as needed. Don’t overcomplicate things with a plan that’s too complex to follow.
Regular Updates: Review and update your plan quarterly or when significant changes occur. This includes ensuring contact information is up to date and that new employees are aware of, and ideally trained on, the plan.
Documentation is Key: Maintain clear, accessible documentation of all procedures and contact information. Ideally, keep a hard copy in case the incident results in the live document being inaccessible.
Test Your Plan: Conduct regular tabletop exercises to ensure everyone knows their role. You will not believe me but these can actually be quite fun and a great team building activity.
Remember that an incident response plan should be dynamic, evolving with your business and adapting to new threats. It can seem like a daunting task, but the key is to start somewhere and continuously improve. Even a basic plan is better than no plan at all.
Most importantly, ensure your team knows where to find the plan and understands their roles before an incident occurs. Regular training and updates will help keep your incident response plan effective and relevant.
Comment below if you have an IRP in place already, or what your first step towards creating one will be.
Avoid ever needing the IRP by signing up to The Key: a free course in cybersecurity for small to medium businesses
Our shiny new program is designed for those who own and run small businesses and want to strengthen their defences but are unsure where to start.
In under 3 hours over the space of one week, the program will guide you to put solutions in place that build resilience, professionalise your brand and protect your business and its clients.
No matter your tech level, these are the essential, bare minimum kind of defences you need to pay attention to for a successful year ahead.
Also subscribe to our newsletter in the footer below to stay current on the most digestible cybersecurity and digital wellness tips.
Be ready for anything with your own Incident Response Plan. An essential tool for your business.