top of page
  • Writer's pictureSara Millis

How to create your incident response plan as a small business

When it comes to protecting your business, regardless of its size, having a well-crafted incident response plan can be the difference between a minor or a major crisis.


In this IT Soho guide, we'll explore the crucial aspects of creating and implementing an effective incident response plan tailored to your small business.


Woman presenting team with information over a meeting room desk.

What is an incident response plan?

An incident response plan is your business's playbook for addressing and mitigating security incidents effectively.


These incidents can range from data breaches and malware attacks to insider threats and system vulnerabilities.


Having a well-defined plan in place ensures that when a security incident occurs, your team knows how to respond promptly and efficiently.



The significance of an incident response plan

A detailed plan of response helps you to make sure you have accounted for the following:


  1. Downtime - It equips your team with a clear set of actions to follow during a security incident, minimising confusion and downtime.

  2. Damage control - A well-executed plan can mitigate the impact of a security incident, potentially saving your business from extensive financial and reputational damage.

  3. Legal and regulatory compliance - Many industries and jurisdictions require companies to have incident response plans to comply with data protection laws. In the UK, we have ICO procedures for reporting breaches and ISO/IEC 27001 for data handling guidelines.

  4. Trust rebuilding - Demonstrating a commitment to safeguarding customer data through a robust incident response plan can enhance trust and credibility. It can also regain confidence quickly if your response is swift and successful.


Let's have a look at what your policy needs to cover.



What your policy needs to cover: the 7 phases of an incident response plan

As you create your small business's incident response plan, it's essential to understand the seven distinct phases that guide the process. These phases provide a structured approach to handling security incidents effectively.


Phase 1: Planning and policy development

In the first phase of your policy creation, you'll establish the foundational elements of your incident response plan. You need to include defining the scope, objectives, and key policies that govern how your team will respond to incidents.


During your work on this phase, ensure you have all stakeholders' points of view (including your IT support providers). They will understand your systems, software, workflows and team tasks intimately, which means they can also spot potential vulnerabilities. Combining this information makes the initial assessment (phase two) far less chaotic.


Phase 2: Initial assessment

When an incident occurs, the initial assessment phase involves a quick evaluation to determine the nature and severity of the incident. You will want to decide if it's a genuine security incident and proceed accordingly.


As a small business, your IT support provider (hey, that's us!) will be your first responder. Ensure that your policy includes your agreement and understanding of how they will deal with assessments while notifying you and your team, the ICO and third parties (suppliers and customers) if required.


Phase 3: Detection and analysis

The detection and analysis phase involves a more in-depth investigation to understand the incident's scope, impact, and the methods employed by the attacker. This phase is crucial for making informed decisions.


Again, your IT service provider will be on hand with this. Still, it is essential to note which in-house team members have responsibilities to work alongside service providers and in what capacity.


Phase 4: Response

The response phase is where your IT team takes immediate action to mitigate the incident. You should isolate affected systems, block suspicious network traffic, or implement security patches.


Outline in your incident response plan what happens in this system downtime, and ensure your staff know what they can and cannot do within this time frame.


Phase 5: Containment

In the containment phase, you'll focus on preventing the incident from spreading further. You will want to ensure this includes measures to stop the attacker's access and actions.


Phase 6: Eradication and recovery

Once the incident is contained, the eradication and recovery phase comes into play. Here, you'll work on removing the root cause and restoring your affected systems to their normal state.


How you have approached backups will be imperative here, as you will want to restore to the last save before the threat occurred. In this case, it's also wise to include in your policy what your team needs to do to check system backups versus last use state. In other words, how will your staff check if the backup has all the information they last worked with? And what are their next steps?


Phase 7: Lessons learned

The lessons-learned phase is essential for continuous improvement. You'll analyse the incident's response and outcomes, identifying areas for enhancement in your incident response plan and strategy.


Ensure that in your policy, you provide details on who is responsible for assisting this phase so that all departments are not just better secured but also better equipped for any future incidents.



Customising the plan for your small businesses

Yes, you can get a template online to help you get started, but it's how you customise your plan for your specific business that counts when an incident occurs.


Think about how and where in your business incidents of breaches and data theft might occur. Start by combing through your systems, software, devices and network access rules. Then, look into all of your customer touchpoints and online connections. Consider every angle and then consider it with your IT team.


It's also worth considering how you mitigate the transfer or spread of attack to third parties, such as suppliers and customers. Your IT team should have a tight handle on this to ensure trust.



How to implement your plan effectively

Ultimately, if you have been following along, your IT support providers and team leads will have already been involved in the process, so much so that they have a basic understanding. Now, it's time to invest in stakeholder training as your primary implementation stage.


Being clear at this stage allows your IT team to help set up or strengthen any systems that track and notify you about possible incidents. It also allows team leads to promote your new policy with staff on the ground and carry out necessary training.


The second phase is to test your response plan. Again, your IT team should be able to help you do this while identifying challenges and solving them.


Finally, you will need to set protocols to review your response plan. Doing this will help you establish your plan's fit for purpose when you;

  • implement new software, hardware and system differences

  • change the way you do business

  • implement changes to compliance policies

  • and have significant changes in your threat landscape


We recommend annual reviews, but there might be times when you need ad hoc reviews in line with what's happening in your business or industry.



So, what's next in creating your incident response plan?

In writing this post, we've outlined some best practice tips; now, it's over to you to tackle policy creation with your team.


If your business is in central London, contact Eric today to learn how our services can help you with policy creation and delivery.

bottom of page