How to write a cyber security incident response plan for SMEs

September 4th, 2019


What is an incident response plan?

An incident response plan is a list of steps for your IT team or outsourced partner to use in case of a cyber security issue, including data breaches and loss, hacking or even system failure.

It sets out what they should do to spot threats early where they can, what they can and cannot do once there is a problem, and how to get the network back up and running and restore data. Keep the plan up to date, and keep a copy accessible offline to everyone who needs it, because the systems holding the online copy may be the ones that are down.

Why do you need one?

Server outages, power failure and cyber-attacks are not always avoidable, no matter how prepared you are or how good your security systems are. In the event of something going wrong, the key is to respond as quickly as possible.

Having a clear plan documented, shared and reviewed by all the key staff means that rather than worrying about what to do first or who to contact, the IT department can get straight on with making the appropriate fixes.

What should you include?

Your incident response plan should be tailored to your specific business needs. If you're not certain how to go about it, ask an IT support company for help, whether or not you already work with one.

Below are some of the things you’ll need to consider:

1. Prioritise assets

Your assets are whatever is most important in your business, whether that’s customer information or essential software. Rank these in order of importance, so you know what needs to be protected at all costs.

Next comes non-critical but important data, followed by things that aren't essential or whose loss won't cause major damage to the business. You may decide to order your assets by the potential cost to the business if they were lost or damaged, or by whether an attack on them could be a breach of GDPR or other data protection laws.

2. Risk potential

As we've seen in previous blogs about being part of a supply chain, small businesses are particularly exposed to cyber-attacks, either because they can't afford to invest in good security or don't appreciate its significance.

Depending on what you do and the kinds of data you store, you may have risks unique to your industry. If your staff rely on BYOD (bring your own device), their personal phones and computers can be compromised, or used to click on malicious links, and that exposure reaches your data.

Your risk potential also includes things like your email server (phishing, or downloading unverified software), specialist software (accountancy, legal), and your hardware and infrastructure.


3. Identify single points of failure

This is any part of your system that, if it is compromised or fails, will cause the entire system to fail too. If that should happen, the damage to your business, revenue and future success could be significant.

When you do this step, take into consideration all parts of the business, not just the obvious hardware, software and infrastructure. For instance, are power sockets clearly labelled so that nobody switches off the wrong one? If there's a power failure, have you got a back-up supply?

Are there any third parties that could cause a problem, such as a shared electricity supply, public cloud storage, external suppliers or contractors? Whatever the single point of failure is, work to eliminate it, usually by adding a redundant alternative, so it can't cause an unexpected problem.
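One way to make this step systematic, as an added example that is not part of the original article: write down what each critical service depends on, mark which dependencies have an alternative, and then check what breaks when each component fails on its own. The dependency map below is a constructed, hypothetical SME layout (the component names are assumptions for illustration); the point it shows is that redundancy upstream (mains plus generator) doesn't help if everything still plugs into one UPS or one core switch.

```python
# Constructed example of an SME's dependency map (hypothetical; not taken from the article).
# Each node lists requirement groups: every group must be satisfied (AND), and any
# alternative inside a group satisfies it (OR).
DEPENDENCIES = {
    "order-system": [["db-primary"], ["core-switch"], ["ups"]],
    "email":        [["m365"], ["core-switch"], ["ups"]],
    "db-primary":   [["san"], ["ups"]],
    "san":          [["ups"]],
    "core-switch":  [["isp-a", "isp-b"], ["ups"]],   # two ISPs, but one switch
    "ups":          [["mains", "generator"]],        # two feeds, but one UPS
    # Leaves: third-party SaaS, ISPs and power feeds that we don't model further.
    "m365": [], "isp-a": [], "isp-b": [], "mains": [], "generator": [],
}

# The services the business cannot operate without (assumed for the example).
CRITICAL_SERVICES = ["order-system", "email"]


def is_available(node, failed, deps=DEPENDENCIES, _visiting=None):
    """True if `node` still works when the components in `failed` are down."""
    if _visiting is None:
        _visiting = set()
    if node in failed:
        return False
    if node in _visiting:          # dependency cycle: treat as unresolvable
        return False
    _visiting.add(node)
    try:
        for group in deps.get(node, []):
            # Each AND group needs at least one working alternative.
            if not any(is_available(alt, failed, deps, _visiting) for alt in group):
                return False
        return True
    finally:
        _visiting.discard(node)


def single_points_of_failure(deps=DEPENDENCIES, critical=CRITICAL_SERVICES):
    """Map each component whose lone failure takes down a critical service
    to the list of critical services it takes down."""
    spof = {}
    for node in deps:
        if node in critical:       # a service failing itself is not the question here
            continue
        lost = [svc for svc in critical if not is_available(svc, {node}, deps)]
        if lost:
            spof[node] = lost
    return spof


if __name__ == "__main__":
    for component, services in single_points_of_failure().items():
        print(f"{component}: single failure takes down {', '.join(services)}")
```

Running it lists db-primary, san, m365, core-switch and ups as single points of failure, while mains, generator and either ISP are not; each entry is a candidate for the redundancy or the third-party contingency the plan should cover.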

4. Data storage

If you lose access to your data or it's compromised by phishing or malware, you need to be able to restore it to the most recent clean version taken before the attack, which means the backups themselves must be somewhere the attacker cannot reach.

Ideally, you should store your data off-premises, whether that's as physical tapes at a specialist facility or in some kind of cloud storage. Many IT support providers offer this as part of a package; ask what they do to protect the backups (encryption, who can access or delete them, regular test restores) rather than assuming it is automatically more secure than a public service.

Have a step in the plan that lists the contact details of the facility and who is responsible for getting in touch with them. It helps to refer to your disaster recovery plan here too, so you know your recovery time objective (RTO, the maximum time you can afford to take to resume normal IT service) and recovery point objective (RPO, the maximum amount of data, measured as a span of time, you can afford to lose). Test a restore regularly, so you know the backups are usable and how long a restore actually takes.
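The restore decision above can be written down as a check rather than worked out under pressure. The following is an added example, not code from the article: given a backup catalogue, the time the attacker is first known to have been active, and the RPO and RTO from the disaster recovery plan, it picks the newest backup that both passed verification and predates the compromise, then reports whether that choice meets policy. The catalogue, timestamps and restore durations are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime
    location: str          # e.g. "cloud" or "offsite-tape"
    verified: bool         # passed an integrity check or a test restore
    restore_hours: float   # measured time to restore from this location


# Constructed sample catalogue (hypothetical data, not from the article).
CATALOGUE = [
    Snapshot("daily-2019-09-01", datetime(2019, 9, 1, 2, 0), "offsite-tape", True, 10.0),
    Snapshot("daily-2019-09-02", datetime(2019, 9, 2, 2, 0), "cloud", True, 3.0),
    Snapshot("daily-2019-09-03", datetime(2019, 9, 3, 2, 0), "cloud", False, 3.0),   # checksum failed
    Snapshot("hourly-2019-09-03T14", datetime(2019, 9, 3, 14, 0), "cloud", True, 2.5),
    Snapshot("hourly-2019-09-03T16", datetime(2019, 9, 3, 16, 0), "cloud", True, 2.5),  # taken after encryption began
]


def choose_restore_point(catalogue, compromise_time):
    """Newest verified snapshot taken strictly before the attacker's first known activity.
    Anything taken after that may already contain encrypted or tampered data."""
    candidates = [s for s in catalogue if s.verified and s.taken_at < compromise_time]
    return max(candidates, key=lambda s: s.taken_at, default=None)


def assess_against_policy(snapshot, compromise_time, rpo, rto):
    """Compare the chosen restore point with the RPO and RTO from the DR plan."""
    data_loss = compromise_time - snapshot.taken_at          # work done since the backup
    estimated_restore = timedelta(hours=snapshot.restore_hours)
    return {
        "snapshot": snapshot.name,
        "location": snapshot.location,
        "data_loss": data_loss,
        "rpo_met": data_loss <= rpo,
        "estimated_restore": estimated_restore,
        "rto_met": estimated_restore <= rto,
    }


def newest_verified_age(catalogue, now):
    """Routine (e.g. daily) check: age of the newest verified backup, or None if there is none.
    Compare the result with the RPO to catch a silently failing backup job."""
    verified = [s for s in catalogue if s.verified]
    newest = max(verified, key=lambda s: s.taken_at, default=None)
    return None if newest is None else now - newest.taken_at


if __name__ == "__main__":
    compromise = datetime(2019, 9, 3, 15, 30)   # first malicious activity seen in logs
    point = choose_restore_point(CATALOGUE, compromise)
    print(assess_against_policy(point, compromise, rpo=timedelta(hours=4), rto=timedelta(hours=8)))
    print("newest verified backup age:", newest_verified_age(CATALOGUE, datetime(2019, 9, 3, 22, 0)))
```

With a compromise at 15:30 on 3 September the script skips the 16:00 hourly copy (post-compromise) and the 02:00 daily copy (failed its checksum), picks the 14:00 hourly copy, and reports 1h30 of data loss against a 4h RPO and a 2.5h restore against an 8h RTO. Tightening the RPO to 1h turns the same choice into a policy breach, which is the kind of gap the plan should surface before an incident rather than during one.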

5. Business continuity

If you've spent time developing a disaster recovery plan, you should also have a business continuity plan in place, so the business can keep operating while IT is being recovered. The most important aspect is ensuring as little disruption as possible.

While this is essential for your staff so they can get on with their work, it’s vital for customers. Secure their data, communicate with them if necessary so they know what’s going on, but preferably they shouldn’t even need to be aware of a problem.

Make sure your staff can communicate with each other, and that most of them can carry on with their usual daily work. Remember, recovery from a cyber security incident should go on in the background with as few people dealing with the issues as possible. Part of establishing your RTO and RPO is working out how much money you can afford to lose during downtime.

6. Staff backup

Following on from this, include a step for what to do if a named person is out of the office or unavailable during a problem. Having a deputy for each role should reduce the disruption to business as usual.

The next point looks at who the named people should be.

7. Establish your incident response team

The incident response team are the staff members identified as those who will implement your incident response, data backup and business continuity plans.

Make sure everybody in the company knows who they are, who to go to in their absence and how to contact them if they’re based in a different department or office.

The core team will include a manager, who has overall responsibility for the plan and for liaising with the rest of the organisation. There should also be security analysts, who look closely at the incident: they work out what was breached and deal with recovery.

The analysts may be supported by threat researchers, who look for any information they can gather about an incident, both within the company and externally.

The response team identify, manage and remove the cyber threat, implement the disaster recovery plan, carry out the data restore and ensure business as usual. There will also be key people elsewhere in the business who need to be part of the team, although they won't have a hands-on role during an incident.

This includes the senior management team, the marketing or press department, and HR if a staff member has played a part in the problem. It may also include someone from the legal department or an outside law firm, depending on the nature of the breach, for example where personal data is involved and a regulator may need to be notified.


If you have any questions about data backup and disaster recovery or have any IT security issues, you can give us a call or download our FREE business continuity plan template.