You Need an Incident Response Plan Before You Need an Incident Response Plan
When a breach hits, the worst time to figure out your plan is during the breach itself. Here's how to get your IR basics sorted.
Nobody thinks they’re going to get breached. Then it happens at 2am on a Friday, half the team is unreachable, and suddenly you’re googling “what to do after ransomware attack” from your phone because your laptop is encrypted.
This isn’t a hypothetical. IBM’s 2025 Cost of a Data Breach report puts the average breach lifecycle at 241 days - that’s time to identify and contain. And companies without a formal IR plan? They pay 58% more per incident than those with tested response protocols.
Let’s not be those companies.
The “we’ll figure it out” problem
Only about a third of SMB owners have a formal incident response plan developed with a cybersecurity professional. The rest are winging it, and it shows.
Here’s what usually goes wrong when an org gets hit without a plan:
Panic-driven decisions. Someone pays the ransom within hours without consulting legal, insurance, or law enforcement. The Sophos State of Ransomware 2025 report found that 49% of attacked orgs paid up - and paying doesn’t guarantee recovery. You might get some data back. You might not. You’ve also just funded the next attack.
Evidence destruction. Well-meaning IT staff reboot servers, wipe machines, or start restoring from backups immediately, all of which can destroy volatile forensic evidence: system memory, log buffers, active connections. Without that evidence, figuring out how the attacker got in (and whether they’re still in) becomes a lot harder.
Communication chaos. No one knows who’s supposed to talk to customers, the board, regulators, or the press. Information leaks internally before facts are established. Someone emails something that waives legal privilege. 60% of organizations don’t have a clear comms plan for cyber incidents.
Delayed notification. Only 20% of orgs notify affected stakeholders within 72 hours - which happens to be the legal requirement under GDPR. Delayed notifications don’t just look bad; they increase regulatory fines by an average of $250K per incident.
The NIST framework (simplified)
NIST SP 800-61 has been the gold standard for IR since 2012. NIST updated it to Rev. 3 in April 2025 to align with the CSF 2.0, but the original four-phase model is still the clearest way to think about it:
- Preparation - Build the plan, train the team, establish contacts
- Detection & Analysis - Figure out what happened and how bad it is
- Containment, Eradication & Recovery - Stop the bleeding, clean up, restore
- Post-Incident Activity - Lessons learned, plan updates, regulatory reporting
Most orgs skip phase 1 entirely and try to improvise phases 2-3 during a crisis. That’s like building a fire escape while the building is on fire.
Your IR plan doesn’t need to be a novel
For an SMB, a one-page plan is better than a 50-page document nobody reads. Here are the essentials:
Before anything happens:
- Write down who does what - who leads the response, who handles comms, who contacts legal
- Pre-identify your contacts: IT consultant or MSSP, legal counsel (ideally with cyber experience), your cyber insurance carrier’s hotline, a PR contact
- Draft template notifications for customers, partners, and employees - you’ll customize later but having a starting point saves critical time
- Keep an offline copy of the plan. If your network is encrypted, a plan on SharePoint isn’t helping anyone
- Test your backups. Actually restore from them. Regularly. Backups that don’t work aren’t backups
When it’s happening:
- Isolate affected systems from the network - but don’t power them off (you’ll lose volatile memory)
- Document everything as it happens: who, what, when, where
- Call legal early. Before you send any emails or make any statements. Privilege matters
- Contact your cyber insurance carrier per their policy requirements - most have a specific notification window
- Don’t communicate externally until you know the facts and legal has reviewed your messaging
After:
- Run a lessons-learned review within a week or two while it’s fresh
- Update the plan based on what you discovered
- Report to relevant authorities as required by your jurisdiction
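One concrete way to do the “actually restore from them” step from the checklist above, as an added example that is not part of the original post: record a manifest of SHA-256 hashes when the backup is taken, restore the archive into a scratch directory (never over live data), and compare. The script assumes a plain tar.gz archive and constructs its own sample files inline, so the paths and file names are placeholders rather than anyone’s real backup layout. It also runs the drill a second time with one restored file deliberately altered, so you can see the check fail the way it should.

```python
"""Backup restore drill: manifest at backup time, verify after restore.

Added example, not code from the original post. Sample data is
constructed inline so this runs offline; 'finance/ledger.csv' and
'notes.txt' are placeholder names, not a real backup layout.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive the source tree; return the manifest captured at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    """Unpack into a scratch directory; the 'data' filter rejects absolute
    paths and '..' members (Python 3.12+ and security backports)."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(dest)


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the restored tree to the manifest; return problems found, by kind."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    return {"missing": missing, "extra": extra, "corrupt": corrupt}


def restore_is_good(report: dict[str, list[str]]) -> bool:
    """A restore only counts when nothing is missing, extra, or corrupt."""
    return not any(report.values())


def run_restore_test(corrupt_one_file: bool = False) -> dict[str, list[str]]:
    """End-to-end drill: back up constructed sample data, restore, verify.

    corrupt_one_file simulates a bad restore so the check fails loudly.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, archive, restored = root / "source", root / "backup.tar.gz", root / "restored"
        # Constructed sample data standing in for real business files.
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2025-01-01,100\n")
        (source / "notes.txt").write_text("quarterly backup drill\n")

        manifest = create_backup(source, archive)
        restored.mkdir()
        restore_backup(archive, restored)
        if corrupt_one_file:
            (restored / "notes.txt").write_text("tampered or truncated restore\n")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("bad restore:  ", run_restore_test(corrupt_one_file=True))
```

Run it on a schedule against a real archive and scratch directory, keep the manifest somewhere the backup job cannot overwrite, and treat any non-empty “missing” or “corrupt” list as a failed drill to fix before you need the backup for real.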
Tabletop exercises: awkward but worth it
Here’s the thing about IR plans - you don’t know if they work until you test them. Tabletop exercises are basically group walkthroughs of a simulated incident. No systems involved, just your team sitting around a table (or a Zoom call) talking through “what would we do if…”
They feel a bit awkward the first time. But they consistently surface gaps that look obvious in hindsight: the contact list is outdated, nobody knows how to reach the insurance carrier after hours, two people think they’re in charge, nobody considered what happens if the breach hits during a holiday.
CISA offers free Tabletop Exercise Packages you can download and run yourself. No consultants needed to start.
Nearly 80% of IT pros who’ve done these exercises say they were valuable. The goal isn’t perfection - it’s finding the holes before an attacker does.
The numbers argument (for your boss)
If you need to justify the time investment to leadership:
- Average global breach cost: $4.44M (IBM, 2025)
- Average ransomware recovery cost (not counting the ransom itself): $1.53M (Sophos, 2025)
- Average downtime after ransomware: 24 days
- Orgs with AI-powered security tools and tested IR plans cut their breach lifecycle by 80 days and saved nearly $1.9M on average
An IR plan costs you a few hours of prep and a quarterly review. Not having one costs… a lot more.
If you’re starting from scratch and want help putting a plan together - or if you have a plan that’s been collecting dust since 2021 - we can help with that.