The SMB Owner’s Guide to Incident Response Plans

A chicken-with-its-head-cut-off response just won’t do when you’re defending against cyberattacks. An effective incident response plan could save your small business from disaster.


If we learned one thing from 2020, it’s that you can never be prepared for every possibility. Still, as a small business owner, it’s essential to plan ahead. And as unpleasant as it can be, thinking about how you’ll handle unexpected obstacles can make the difference between long-term success and sudden implosion.

One of those possible — and, in truth, probable — issues is a cyberattack, the likelihood of which grows every day. Whether through phishing, malware, ransomware, or advanced persistent threat, there’s a good chance your business will experience a nefarious cyber event at some point in the future. The difference between hiccup and disaster, however, could be your cybersecurity incident response plan.

Overview: What is incident response?

An incident response plan details protocols you’ve put in writing for how you’ll handle unexpected disasters. These can include weather events, such as hurricanes; manufacturing mishaps, such as equipment downtime or a fire; and even workplace violence.

In today’s world, a cyberattack incident response plan is essential. Small businesses are big targets for cybercriminals, yet they often don’t have the resources to react in a timely manner to defend against the attack.

According to Nick McCourt, cybersecurity engineer at Tier One Technology Services, the plan should include responses to any malicious or non-malicious anomaly detected in your network.

“This does not mean a breach has occurred,” he says. “This means something has happened that can pose an issue to the confidentiality, integrity, or availability of the organization.”

3 benefits of an incident response plan

Simply put, an incident response plan can save your business.

The Verizon Data Breach Investigations Report found that 71% of cyberattacks target businesses with fewer than 100 employees, and the average cyberattack costs a business more than $200,000. Such a loss could be devastating to a small company.

“Having an incident response plan is the best way to protect your company,” says Dennis Bell, founder and CEO of Byblos Coffee. “An incident response plan helps me in mitigating the risk of a breach or an attack. It gives me the confidence to face a security threat. There's no need to worry about such issues damaging my business activities because I know I have an incident response plan to use. It is an excellent way to maintain public trust whenever I face a difficult situation.”

Why do you need an incident response plan?

1. Better prepare yourself

Putting your defense plan in writing requires you to think through potential threats and the steps you will take when they are detected. This allows you to hit the ground running rather than aimlessly wondering what to do next. If you haven’t identified the actions to mitigate or prevent a cyberattack, you leave yourself at the attacker’s mercy.

“Many business owners go into panic mode when [disaster] hits their base of operations,” says Michael Curtis, president of The Response Team Inc. “Having a plan in place allows for the business owners to use a tool to help weed through that chaos and take care of the people, the incident (if possible), their property, and other priorities.”

2. Temper your stress response

If your threat-hunting efforts suddenly uncover a ransomware attack, you probably won’t be thinking clearly as you consider paying a hacker tens of thousands of dollars for your data or control of your network.

If you pull out your incident response plan, however, you are far less likely to skip an important step, saving crucial moments that could spare many of your assets.

“When you are in the midst of a security incident, your stress levels are heightened, and time is against you,” notes Eugene Wright, managing director of Stratus Security Consulting. “You need to be able to respond quickly and methodically as any misstep could cause significant damage to your business's reputation and bottom line.

“An incident response plan allows you to think ahead and streamline your actions effectively,” he adds. “The plan will ensure you’ve accounted for the nuances of your business operations; comply with local, state, and federal reporting requirements; and have a solid strategy for keeping your customer informed, saving you lots of unnecessary headaches.”

3. Protect your reputation

While potential financial losses can directly cripple a business, loss of reputation can have a long-lasting negative impact that could cost you current and future customers. If a breach exposes your customers’ credit card information, for example, they may choose to do business elsewhere in the future rather than take a risk on you.

“In my organization, having an incident response plan is critical to my brand's reputation,” Bell says. “As the owner, I have to effectively manage the incident to limit the damage it may cause to my business. A cyberattack and data breaches can do a lot of damage to your business. You can lose your partners, customers, and investors.”

How to create an incident response plan for your business

While creating an incident response plan may seem overwhelming, there are practical, logical steps every business owner can take to start the process.

The hardest part is forcing yourself to sit down and think it through, but once you do, your innate knowledge of your business and the external world will lead you through most of what you need to know. You don’t need to plan for every possible scenario; just start with the most likely events and plan from there.

The National Institute of Standards and Technology (NIST), in its Computer Security Incident Handling Guide (Special Publication 800-61), defines the phases of incident response (not of the attack itself): preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. The six-step version most small-business plans are built around, popularized by SANS, breaks those out as:

  • Prepare
  • Identify
  • Contain
  • Eradicate
  • Recover
  • Review

NIST also publishes extensive research and guidance on where your greatest cyber threats lie and how you can protect against them.

The best way to prepare is to take stock of your technology and systems, identify the most likely threats, and enlist your team of experts to help you create and implement your response plan.

1. Inventory your at-risk assets

First, you need to make a full inventory of the technology and data you need to protect. Where do you keep financial and customer information? What office devices are connected to the internet? Who has access to your network, and which accounts have administrator rights? How many employees are connecting to your network from home?

This is also a good time to review the security tools already in place, such as endpoint security software, virtual private networks (VPN), firewalls, and endpoint detection and response (EDR) tools, and to confirm that your backups exist, are kept offline or otherwise out of reach of an attacker who is already on your network, and have actually been restored from at least once.

Knowing which devices are the weak points in your endpoint security, which databases would be most attractive to an attacker, and which office equipment can simply be disconnected from the internet gives you a starting point. This information helps you identify potential threats and points of attack that require extra security and continuous monitoring.

2. Review consumer protection and data privacy laws

Depending on where you’re located and where you do business, there are consumer protection and privacy regulations that limit the information you can collect, store, and share. Many of them also require you to notify affected individuals, and often a regulator, within a set number of days of discovering a breach.

These regulations vary from state to state and country to country, so familiarize yourself with your obligations in the parts of the country and world where your business operates. Include actions for fulfilling those requirements in your incident response plan.

3. Meet regularly to identify potential risks

In a perfect world, every business would have a security operations center (SOC) staffed with security professionals well-versed in the latest threats. For most SMBs, however, that’s just not feasible.

Still, it’s important to stay up to date on the latest phishing schemes, as well as the viruses and new types of malware making the rounds. At the bare minimum, current threats and actively exploited vulnerabilities are published free of charge by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and by the vendors whose products you run. If you have a security consultant or IT contractor, meet with them regularly to discuss how to identify and defend against the latest threats, and pull in employees who are tech-savvy for those conversations.

4. Create a response matrix

The response matrix will be the guiding light of your incident management process. If drawing out a matrix seems like a lot of work, think of it as your list of priorities. You should be able to list the most likely and most damaging threats through a little online research and your own knowledge of your location, business, markets, and employees.

Kathryn Bingham, CEO of LEADistics, recommends considering the following information for each potential threat you identify:

  • Incident risk: Give the risk a name and short description.
  • Likelihood of occurrence: Rate it on a scale (for example, low-medium-high).
  • Impact of occurrence: Rate the disruption level it could cause on a simple scale.
  • Indicators: How will you know this happened?
  • Notifications: Who needs to be informed, when must this happen, and who will communicate?
  • Actions: What response steps will mitigate the impact and help the business recover?
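As an added example (not from the article or from any of the people quoted in it), here is the matrix above expressed as code. Each row carries the six fields listed, and the "Indicators" field is real detection logic run over a constructed sample log, so "How will you know this happened?" has an answer you can test. The log format, the detection thresholds, the contact list, and the action list are all assumptions made for this illustration, not a real product's format or a recommended contact tree.

```python
"""Added example: an SMB incident response matrix as code (hypothetical log format,
thresholds, contacts and actions; see the lead-in)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed sample log: "<timestamp> <kind> key=value ...", one event per line.
SAMPLE_LOG = """\
2024-05-02T08:02:10 auth user=alice result=success ip=203.0.113.5 country=US
2024-05-02T08:05:41 auth user=bob result=success ip=203.0.113.9 country=US
2024-05-03T08:01:55 auth user=alice result=success ip=203.0.113.5 country=US
2024-05-04T08:03:12 auth user=alice result=success ip=203.0.113.5 country=US
2024-05-04T09:10:30 file host=ws-02 user=bob op=rename path=notes.txt.bak
2024-05-04T11:47:02 auth user=alice result=success ip=198.51.100.77 country=RO
2024-05-04T11:49:03 file host=ws-07 user=alice op=rename path=Q1-invoices.xlsx.locked
2024-05-04T11:49:04 file host=ws-07 user=alice op=rename path=payroll.docx.locked
2024-05-04T11:49:04 file host=ws-07 user=alice op=rename path=customers.csv.locked
2024-05-04T11:49:05 file host=ws-07 user=alice op=rename path=contracts.pdf.locked
2024-05-04T11:49:06 file host=ws-07 user=alice op=rename path=budget.xlsx.locked
2024-05-04T11:49:07 file host=ws-07 user=alice op=rename path=README.txt.locked
"""

def parse_log(text: str) -> list[dict]:
    """Turn each log line into a dict: parsed timestamp, event kind, and the key=value fields."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, *pairs = line.split()
            event = {"ts": datetime.fromisoformat(ts), "kind": kind}
            event.update(pair.partition("=")[::2] for pair in pairs)  # (key, value)
            events.append(event)
    return events

def ransomware_indicator(events: list[dict], threshold: int = 5,
                         window: timedelta = timedelta(seconds=60)) -> bool:
    """Indicator: a burst of renames on one host that all gain the same new extension."""
    renames = defaultdict(list)  # (host, new extension) -> timestamps of renames
    for e in events:
        if e["kind"] == "file" and e.get("op") == "rename" and "." in e["path"]:
            ext = e["path"].rsplit(".", 1)[1].lower()
            renames[(e["host"], ext)].append(e["ts"])
    for stamps in renames.values():
        stamps.sort()
        for i, start in enumerate(stamps):  # count renames inside [start, start + window]
            if sum(1 for t in stamps[i:] if t - start <= window) >= threshold:
                return True
    return False

def account_takeover_indicator(events: list[dict], min_history: int = 3) -> bool:
    """Indicator: a successful login from a country the user has never logged in from,
    once there are enough earlier logins for that to be unusual (phished credentials)."""
    history = defaultdict(list)  # user -> countries of earlier successful logins
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "auth" or e.get("result") != "success":
            continue
        prior = history[e["user"]]
        if len(prior) >= min_history and e["country"] not in prior:
            return True
        prior.append(e["country"])
    return False

@dataclass
class Risk:
    name: str
    description: str
    likelihood: str  # low / medium / high
    impact: str      # low / medium / high
    indicator: Callable[[list[dict]], bool]
    notifications: list[str]
    actions: list[str]

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

MATRIX = [  # hypothetical rows; contacts and actions are placeholders for your own
    Risk("ransomware", "Business files encrypted and held for ransom", "medium", "high",
         ransomware_indicator,
         ["owner: immediately", "IT contractor: immediately", "cyber insurer: within 24 hours"],
         ["isolate the host from the network", "image the disk before wiping anything",
          "restore from offline backups", "check breach-notification duties before going public"]),
    Risk("account takeover", "Phished credentials used on a business account", "medium", "medium",
         account_takeover_indicator,
         ["owner: same day", "affected user: immediately"],
         ["reset the password and revoke sessions", "turn on MFA", "review mailbox forwarding rules"]),
]

def prioritize(matrix: list[Risk]) -> list[str]:
    """Matrix rows ordered by likelihood x impact, highest first: your list of priorities."""
    return [r.name for r in sorted(matrix, key=Risk.score, reverse=True)]

def evaluate(matrix: list[Risk], events: list[dict]) -> list[dict]:
    """Run every indicator over the events; return the triggered rows with who to notify and what to do."""
    hits = sorted((r for r in matrix if r.indicator(events)), key=Risk.score, reverse=True)
    return [{"risk": r.name, "score": r.score(), "notify": r.notifications, "actions": r.actions}
            for r in hits]

if __name__ == "__main__":
    for hit in evaluate(MATRIX, parse_log(SAMPLE_LOG)):
        print(f"[{hit['score']}] {hit['risk']}: notify {', '.join(hit['notify'])}")
```

Running it against the sample log triggers both rows: six files on ws-07 are renamed to the same ".locked" extension within a few seconds, and alice logs in from a country that never appeared in her earlier logins. The point of keeping the indicators as code rather than prose is that you can re-run them against your own logs during a drill and find out whether your "how will we know?" answer still holds.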

5. Assign roles and responsibilities

Once you’ve inventoried the equipment and data you need to protect and you’ve made a list of potential threats, assign your response plan’s tasks to responsible employees or contractors who will take ownership of those responsibilities.

Involving several people in developing and carrying out incident management policies means the response does not hinge on one person, who may be on vacation, sick, or simply unreachable when an attack hits.

6. Consult experts

Cybersecurity is tricky and complex, and while some actions in your response plan can be carried out by staff, others, such as forensic analysis of a compromised machine or safely rebuilding systems, may require specialist skills.

Even the creation of your incident response plan may benefit from the expertise of a third-party consultant. In addition, local resources may be able to offer insight and guidance.

“Free or low-cost resources for small businesses to build knowledge or skills for incident planning include the local [Small Business Development Center] and SCORE offices,” Bingham says. “Check with a nearby college or university to see if students in MBA programs in computer science, finance, and marketing programs need a project.

“Another idea is to see if there is a local chapter of the Institute of Internal Auditors,” she adds. “Ask if a member is willing to meet for coffee (or virtual coffee, given COVID) to help the leader identify potential risks. Some auditors specialize in IT and IS and can share risk frameworks with small business leaders.”

7. Practice drills and training

Timely action is critical in mitigating a cyberattack, so don’t wait until you’ve detected a threat to hand out copies of your incident response plan.

Review the plan early and often with employees and partners, particularly those you’ve recruited to be part of your incident response team. Consider setting up practice drills to walk through the steps so those involved feel more confident and prepared.

“[The incident response plan] is a tool,” says Curtis. “If a tool is not used often enough or practiced with, it gets rusty and becomes useless. Owners need to understand that their buy-in will drive the attitude of the team. Practice drills a couple times a year!”

Prepare your cybersecurity incident response

Hackers are stealthy, and a cyberattack can occur when you least expect it. That’s no excuse for not being prepared. An incident response plan will save money, time, and anxiety, and it could help you stay in business.

“The benefits of having an incident response plan are similar to those of fire drills — while the drills themselves can seem like an unneeded disruption, the science behind safety protocols like this has proven effective,” says Nathan Little, senior vice president of digital forensics and incident response with Tetra Defense.

“In emergencies, our faculties are no longer capable of logical decisions, but they can rely on muscle memory or ingrained training,” he adds. “An incident response plan serves as this ingrained training that can not only help an IT team regain composure during an incident but provide effective guidelines to quelling or recovering from one.”


The Motley Fool has a Disclosure Policy. The Author and/or The Motley Fool may have an interest in companies mentioned.