How to Create a Small Business Incident Response Plan
Most Small Businesses Have No Plan for When Something Goes Wrong
Ask most small business owners what they would do if ransomware encrypted their files tomorrow and you get uncertainty. The absence of a plan is not negligence — it is a time and priority issue. But the businesses that recover from cyberattacks faster and with less damage are the ones that had a written incident response plan before the attack happened. Making decisions under pressure, with systems down and employees panicking, produces worse outcomes than following a pre-defined procedure.
An incident response plan does not need to be a 50-page corporate document. For a small business, a clear, practical 2 to 4 page document covering the key steps, the right contacts, and the decision points is sufficient — and dramatically better than no plan at all. This guide walks you through building one.
What an Incident Response Plan Covers
A small business incident response plan addresses five core phases:
- Preparation: What controls, tools, and contacts are in place before an incident occurs.
- Detection and identification: How you know an incident has happened and what type it is.
- Containment: Stopping the spread and limiting damage.
- Eradication and recovery: Removing the threat and restoring normal operations.
- Post-incident review: Learning from what happened to prevent recurrence.
Phase 1: Preparation (Before an Incident)
Your plan is only as good as the preparation behind it. Key preparation items to document:
- Key contacts list: Name, phone, and email for your cyber insurer (and their 24/7 incident hotline), IT support or MSP, legal counsel, and the business owner’s personal contact. This list must be accessible without the systems that may be compromised — print it and keep it in a physical location.
- System inventory: What systems and data does your business depend on? Where are they hosted? What are the recovery procedures? This does not need to be exhaustive — focus on your top 5 to 10 most critical systems.
- Backup verification: Where are backups stored? When were they last tested? Who has access to restore from them?
- Insurance documentation: Policy number, carrier name, and incident reporting hotline. Many cyber insurance policies require notification within 24 to 48 hours of a suspected incident — know this number before you need it.
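The backup verification item above ("where are backups stored, when were they last tested") is the one preparation step that can be automated rather than just written down. The script below is an added example, not part of this guide or any product: it records a checksum manifest when a backup is taken and later checks that every archive is still present, still matches its checksum, and is no older than an agreed threshold. The file names, contents and timestamps are constructed for the demo, and the 24-hour freshness threshold is an assumed value to adjust to your own backup schedule.

```python
"""Backup verification check for the plan's Phase 1 items: is the newest backup
fresh enough, and does each archive still match the checksum recorded when it
was taken. All paths and data here are constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_of(path):
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, manifest_path, taken_utc):
    """Record name, size and SHA-256 of every file in backup_dir at backup time.
    Keep a copy of the manifest somewhere the backup host cannot overwrite it."""
    entries = {}
    for name in sorted(os.listdir(backup_dir)):
        p = os.path.join(backup_dir, name)
        if os.path.isfile(p) and os.path.abspath(p) != os.path.abspath(manifest_path):
            entries[name] = {"sha256": sha256_of(p), "size": os.path.getsize(p),
                             "taken_utc": taken_utc.isoformat()}
    with open(manifest_path, "w") as f:
        json.dump(entries, f, indent=2)
    return entries


def verify_backups(backup_dir, manifest_path, now=None, max_age_hours=24):
    """Compare the backup directory against its manifest and report problems:
    missing archives, checksum mismatches, and a newest backup older than the threshold."""
    now = now or datetime.now(timezone.utc)
    with open(manifest_path) as f:
        manifest = json.load(f)
    report = {"checked": 0, "missing": [], "corrupted": [], "newest_age_hours": None, "stale": True}
    newest = None
    for name, meta in manifest.items():
        p = os.path.join(backup_dir, name)
        if not os.path.exists(p):
            report["missing"].append(name)
            continue
        report["checked"] += 1
        if sha256_of(p) != meta["sha256"]:
            report["corrupted"].append(name)
        taken = datetime.fromisoformat(meta["taken_utc"])
        if newest is None or taken > newest:
            newest = taken
    if newest is not None:
        age = (now - newest).total_seconds() / 3600
        report["newest_age_hours"] = round(age, 1)
        report["stale"] = age > max_age_hours
    report["ok"] = not (report["missing"] or report["corrupted"] or report["stale"])
    return report


def demo():
    """Constructed scenario: a backup taken at 02:00 UTC checks clean six hours later;
    one archive is then silently corrupted and no new backup arrives for 30 hours."""
    d = tempfile.mkdtemp()
    try:
        files = {"accounting.zip": b"ledger export 2024 (constructed)",
                 "crm-export.sql": b"INSERT INTO customers VALUES (1, 'demo');"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = os.path.join(d, "manifest.json")
        taken = datetime(2024, 6, 1, 2, 0, tzinfo=timezone.utc)
        write_manifest(d, manifest, taken)
        fresh = verify_backups(d, manifest, now=taken + timedelta(hours=6))
        with open(os.path.join(d, "crm-export.sql"), "ab") as f:
            f.write(b"\x00")  # simulate bit rot / tampering after the manifest was written
        later = verify_backups(d, manifest, now=taken + timedelta(hours=30))
        return fresh, later
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    fresh, later = demo()
    print("fresh check:", fresh)   # ok: True
    print("later check:", later)   # corrupted crm-export.sql, stale after 30 h
```

Run it on a schedule and page the owner or IT contact whenever `ok` is false; a backup that nobody has checked since it was taken is exactly the kind of surprise the preparation phase exists to remove.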
Phase 2: Detection — How Will You Know?
Define what constitutes a reportable security incident for your business and who employees should notify. Common incident indicators include:
- Files suddenly inaccessible or displaying ransom messages
- Unusual system slowness or high CPU/disk activity
- Accounts locked out unexpectedly
- Unusual login alerts from cloud services
- Customers reporting suspicious emails appearing to come from your domain
- Missing data or unexplained changes to files
- Antivirus or EDR alerts that cannot be explained
- A phishing link clicked by an employee
Your plan should define: who employees report incidents to, the reporting method (phone call to the owner, dedicated security email address, Slack channel), and the expectation that incidents are reported immediately — not investigated or hidden by the employee who caused them.
Phase 3: Containment — Stop the Spread
Containment is the most time-sensitive phase. The goal is to prevent the incident from spreading to additional systems while preserving forensic evidence. Standard containment steps by incident type:
Ransomware
- Immediately disconnect affected devices from the network — unplug ethernet, disable Wi-Fi. If possible, do not power the device off — a running system preserves forensic data that is lost on shutdown.
- Identify all potentially affected systems — anything connected to the same network segment or that shared files with the infected device.
- Do not pay ransom without contacting your cyber insurer first — call the insurer’s incident hotline immediately.
- Do not attempt to decrypt files yourself — professional incident responders have the tools and experience for recovery, and DIY recovery attempts can destroy data that they could otherwise have recovered.
Compromised Account
- Revoke all active sessions for the compromised account from your cloud admin console immediately.
- Reset credentials for the compromised account and any accounts where the same password may have been used.
- Enable MFA on the affected account, or verify that it is already active.
- Review account activity logs to determine what was accessed during the compromise period.
Phishing Click or Malware Download
- Isolate the affected device from the network immediately.
- Do not use the device for any business activity until it has been scanned and cleared by IT support.
- Reset credentials for any accounts accessed from the affected device in the past 30 days.
- Monitor other systems for unusual activity that may indicate lateral movement from the infected device.
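Two of the steps above lend themselves to a small script: matching log events against the Phase 2 indicator list (lockouts, unusual cloud logins, unexplained EDR alerts) and scoping the Phase 3 credential-reset step, which asks for every account that signed in on the compromised device in the past 30 days. The code below is an added example, not from this guide: the log lines, host names, users, IP addresses and the "usual countries" set are all constructed, and the key=value log format is an assumed simplification of what a real cloud console or EDR would export.

```python
"""Triage constructed auth/EDR log lines against the plan's incident indicators and
scope the credential resets needed after a device compromise. Sample data is made up."""
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs): ISO-8601 UTC timestamp, then key=value pairs.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z host=LAPTOP-07 user=carol event=login result=success src=198.51.100.4 country=US
2024-06-03T08:02:10Z host=LAPTOP-07 user=alice event=login result=success src=198.51.100.4 country=US
2024-06-03T08:05:41Z host=LAPTOP-07 user=bob event=login result=success src=198.51.100.4 country=US
2024-06-03T09:14:22Z host=CLOUD user=alice event=login result=success src=203.0.113.5 country=RO
2024-06-03T09:20:00Z host=CLOUD user=dave event=lockout
2024-06-03T09:21:00Z host=LAPTOP-07 user=alice event=edr_alert detail=ransom_note_detected
"""
USUAL_COUNTRIES = {"US"}  # assumed: where this hypothetical business normally signs in from
REFERENCE_NOW = datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)  # constructed "current time"


def parse_log(text):
    """Turn each line into a dict; 'ts' becomes an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def find_indicators(events):
    """Map events onto the plan's reportable-incident indicators.
    Returns (kind, detail) pairs so the caller can decide who to notify."""
    hits = []
    for ev in events:
        kind = ev.get("event")
        if kind == "lockout":
            hits.append(("lockout", f"{ev['user']} locked out at {ev['ts'].isoformat()}"))
        elif kind == "edr_alert":
            hits.append(("edr_alert", f"{ev['host']}: {ev.get('detail', 'unspecified')}"))
        elif (kind == "login" and ev.get("result") == "success"
              and ev.get("country") not in USUAL_COUNTRIES):
            hits.append(("unusual_login", f"{ev['user']} from {ev['country']} ({ev['src']})"))
    return hits


def accounts_to_reset(events, compromised_host, now, days=30):
    """Accounts that signed in successfully on the compromised device within the window;
    these are the credentials the Phase 3 step says to reset."""
    cutoff = now - timedelta(days=days)
    return sorted({ev["user"] for ev in events
                   if ev.get("host") == compromised_host
                   and ev.get("event") == "login"
                   and ev.get("result") == "success"
                   and ev["ts"] >= cutoff})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for kind, detail in find_indicators(evs):
        print(f"[{kind}] {detail}")
    # carol's login is 33 days old, so only alice and bob need resets
    print("reset credentials for:", accounts_to_reset(evs, "LAPTOP-07", REFERENCE_NOW))
```

The "unusual login" rule is deliberately crude (any successful sign-in from outside a fixed country list); a real cloud console's own anomaly alerts are the better source, and the point of the script is only to show how the written indicator list turns into something that can be checked rather than remembered under pressure.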
Phase 4: Eradication and Recovery
After containment, the focus shifts to removing the threat and restoring normal operations. This phase should involve professional support — your MSP, IT contractor, or the incident response firm your cyber insurer connects you with. Key steps:
- Forensic analysis to determine the entry point, scope of compromise, and whether data was exfiltrated
- Complete removal of malware or unauthorized access — do not simply restore from backup without addressing how the attacker got in
- Restore from clean backups — verify backup integrity before restoring
- Patch or remediate the vulnerability that enabled the incident
- Reset all passwords organization-wide as a precaution
- Monitor restored systems closely for recurring indicators of compromise in the first 30 days
Phase 5: Post-Incident Review
Within two weeks of resolution, conduct a post-incident review. Document:
- What happened and how it was discovered
- What the initial entry point was
- What worked well in the response
- What did not work or was not in the plan
- What specific changes to controls, training, or procedures will be made as a result
Update your incident response plan with the lessons learned. A plan that evolves after real-world use is far more effective than a static document written once and never revisited.
Legal Obligations During an Incident
Depending on your industry and the data involved, a security incident may trigger legal notification obligations — state breach notification laws, HIPAA breach notification, PCI DSS reporting requirements. Document the incident timeline carefully and consult legal counsel before making any public statements or notifications. Your cyber insurer’s incident response team typically includes legal counsel who can guide notification decisions.
Incident Response Plan Template Outline
- Section 1: Key contacts (insurer, IT, legal, owner)
- Section 2: Incident classification (what constitutes an incident, severity levels)
- Section 3: Reporting procedure (who, how, when)
- Section 4: Containment steps by incident type
- Section 5: Recovery procedures and backup restoration contacts
- Section 6: Communication plan (who is notified internally and externally)
- Section 7: Legal notification checklist
- Section 8: Post-incident review process
Bottom Line
A small business incident response plan does not require a security consultant or a long document. It requires clear answers to: who do we call, what do we do first, and how do we recover — written down before the incident occurs. Two focused hours building this document is one of the highest-value security investments a small business can make. The cost of responding without a plan is measured in days of downtime, unrecoverable data, and decisions made badly under pressure.