The Five Critical Components Your Cybersecurity Incident Response Plan Must Have

What Is a Cyber Incident Response Plan?

According to the National Institute of Standards and Technology (NIST) , a government agency that supports and promotes the use of technology to solve human problems, a cyber incident response plan consists of “the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious attacks against an organization’s systems.”  More simply put, creating a cyber incident response plan means formalizing the exact steps you’ll take as soon as you discover that a cyber incident has taken place.

Having a robust cyber incident response plan in place can save your business time and money, and it can help preserve your business’s reputation if you’re victimized by cybercriminals. Advance planning can boost your organization’s cyber resilience, and increase your peace of mind in the face of today’s most formidable threats.

How can you create the cyber incident response plan that’s right for your business’s size and your IT infrastructure’s degree of complexity? Your plan doesn’t have to be elaborate; it just has to be solidly built so you’ll know what to do in a time of crisis.


Cyberattacks can happen to anyone. Be prepared by creating a solid Cybersecurity Incident Response Plan.

No matter whether your business is large or small, no matter what industry you’re in, or where your offices are located, cybercrime poses grave risks to your financial well-being today, and your chances of survival and healthy growth in the years to come. Global losses caused by cyberattacks are predicted to exceed $6 trillion by 2021, putting more money in criminals’ pockets than the trade of all major illegal drugs combined.

Leaders of small and medium-sized businesses may be tempted to believe that they face fewer risks from cybercrime than large enterprises because their profiles—and revenues—are lower, but the latest research shows that they are in fact more likely to be targeted for attack. According to the 2019 Verizon Data Breach Investigations Report, nearly half of all breach victims were categorized as small businesses. The Better Business Bureau reports that as many as 20 percent of smaller organizations will fall victim to cyberattacks in any given year, with average losses totaling nearly $80,000 per incident.

To help you get prepared, we have created a FREE Cybersecurity Incident Response Plan template that you can implement in to your business, which you can find at the end of this post.

Given these nerve-wracking statistics, which remind us that cyberattacks aren’t just possible but are almost inevitable, it’s important to make a plan. Drawing up a comprehensive risk assessment, laying out the specific steps you’ll take in the moment of crisis, and delineating key responsibilities can help you feel more prepared, but it’ll also enable a speedier response. And the faster you can contain the incident and manage its consequences, the lower your overall costs are likely to be.


The Five Essential Ingredients

#1: Formalize and Document the Policies and Procedures

In case of disaster, you can’t just wing it. Every aspect of your cyber incident response plan should be concrete, written, and well-tested. Though you’ll want to include detailed steps and procedures to follow, you’ll also want to spell them out simply.

Keep in mind that stakeholders across the entire organization may have roles to play in identifying, containing, and responding to the incident, even those whose typical job responsibilities don’t have anything to do with IT, and that incident response team members are likely to be under a great deal of stress. Documentation should be clear, brief, and very specific, so that steps are easy to follow, even when the pressure is on.


#2: Build a Rock-Solid Team

You’ll want to establish a computer security incident response team (CISRT) within your organization.

Team members will be responsible for technical incident response procedures (identifying that an incident has occurred, analyzing logs to figure out exactly what happened, repairing systems, and removing the means by which the attack was accomplished) as well as internal and external communications (exchanging information with employees, law enforcement, affected customers, and senior management, for instance), so you’ll want to include IT security staff and draw on resources in other departments as well.

Some team members should be skilled in marketing/public relations, human resource management, and providing legal counsel. A managed service provider can supplement your in-house expertise if your technical security team isn’t large enough to meet your incident response needs.


#3: Establish Communications Guidelines

One team member should be charged with the responsibility for authorizing when and how details about the incident are to be disclosed. It’s also a good idea to have legal counsel review any notification letters or other disclosures before they’re made public. Have a plan in place for how you’ll accomplish this, as well as a set of guidelines for what you’ll say.

Be sure you have recorded the contact information for anyone you might need to communicate in a place that’s separate from any systems that might be affected by a breach. This could include contacts at regulatory bodies whose requirements you must meet, as well as all members—both internal and external—of your incident response team.


#4: Outline Concrete Technical Steps

From incident discovery and classification to containment and recovery, you’ll need a playbook detailing specific steps within incident response protocols that you expect your security team members to follow.

You’ll want to collect all relevant log data so that it can be audited, and review all alerts generated by the security tools in your network environment. You’ll also need to elaborate the testing and validation procedures you’ll rely on after forensic analysis is complete to certify that all systems have been restored to secure operational status.


#5: Practice Makes Perfect

Technologies are constantly changing, as are attackers’ strategies and techniques. At a bare minimum, your team should revisit your cyber incident response plan once a year. Update it to reflect your current IT environment, the current threat landscape, and your current risk profile. Any incidents that do take place should be examined at length. Afterwards, make technology updates or policy changes to safeguard against similar attacks in the future.

It’s also a good idea to conduct scenario-based testing exercises to make sure that your incident response plan can be relied on in times of need. These can be simple or elaborate, and offer team members the opportunity to evaluate—and improve—their preparedness without facing an actual incident or attack.

Developing a cyber incident response plan doesn’t have to be complicated. Having one can make a dramatic difference in your level of preparedness, your overall vulnerability, and your peace of mind. A managed IT service provider with cybersecurity-specific experience will have a great deal of practical knowledge in cyber incident response procedures, and can guide you in building the very best plan to meet your business’s needs, from the ground up.


Download Your Free Incident Response Plan