How to Create a Cybersecurity Incident Response Plan

No matter how much businesses invest in employee training, tools, and technology, cybersecurity incidents continue to occur. Many of these are caused by malware and human error. It’s important for every business to understand malware, incident response, and digital forensics.

With that comes the need for a cybersecurity incident response plan.

The goal, of course, is to hope for the best but prepare for the worst. If you don’t have a proactive response plan in place, a cyberattack could destroy your business.

These plans aren’t just for big businesses. In fact, it’s more important than ever for small businesses to make sure they have a solidified incident response plan in place.

The Basics of Incident Response

Incident response is a structured process to deal with security breaches and cyber threats. When you have a defined response plan, you can identify threats before they cause too much damage. You can also reduce the costs and use what you learn to build a better way to prevent similar attacks in the future.

When an actual event occurs, it can be a stressful, overwhelming time.

If there’s a plan in place, then it can help everyone know what steps to take next to mitigate damage.

Along with limiting the damage and expense associated with a breach, your incident response also needs to shorten recovery time.

When you have a plan in place, you can cut through the other noise that may happen if there is an incident and act decisively and with clarity.

Risk Assessment

The first thing you should do, before creating the rest of your incident response plan, is a risk assessment.

A risk assessment will help you identify the threats unique to your business, and the likelihood of each happening.

If you’ve done a risk assessment in the past, make sure it’s not out of date for your current systems and needs.

You can use the Cyber Incident Scoring System from the Department of Homeland Security to help you do an assessment and audit.

Once you prioritize risks, you’ll be able to allocate your planning and resources to the most likely situations instead of focusing only on worst-case scenarios, which may be much less likely to affect your business.

Pinpoint People and Stakeholders

After you’ve done a risk assessment, think about the important people in your plan. These stakeholders are likely going to be within your business, and also outside of it.

Appoint someone who will head up your incident response, and will take on the primary responsibilities. Then, they should have other people appointed to help them each step of the way.

The person in charge of the incident response should be able to reach a decision-maker at all times if they can’t make decisions directly.

The people in charge of dealing with an incident are called the Security Incident Response Team (SIRT).

Detection and Analysis

The detection phase of your response means that you’re always monitoring, alerting, and reporting on any security-related events that occur.

This includes identifying both known and unknown threats, as well as events that might be threats but that you can’t yet classify definitively.

The detection and analysis portion of your strategy will rely on the use of tools that automatically scan systems, hosts, and servers.

Forensics-based capabilities can assess the health of an endpoint by examining what’s running on it at any given time.
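As an added example (not part of the original article), here is one way a SIRT tool could do the kind of endpoint check described above: compare a live snapshot of running processes against a known-good baseline and flag anything that deviates. The baseline, the snapshot format ("pid name path" per line), and all process names and paths are constructed sample data, not output from any real host.

```python
"""Compare an endpoint's running-process snapshot against a known-good baseline.

Constructed example: the process lists below are made-up sample data.
In practice the baseline would be a trusted snapshot of the same endpoint,
taken when it was known to be clean.
"""
from dataclasses import dataclass

# Constructed baseline: (process name, executable path) pairs seen on a clean host.
BASELINE = {
    ("sshd", "/usr/sbin/sshd"),
    ("cron", "/usr/sbin/cron"),
    ("nginx", "/usr/sbin/nginx"),
}

# Constructed live snapshot, one process per line: "pid name path".
SNAPSHOT = """\
101 sshd /usr/sbin/sshd
205 cron /usr/sbin/cron
310 nginx /usr/sbin/nginx
412 nginx /tmp/nginx
"""

@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    path: str
    reason: str

def parse_snapshot(text):
    """Turn the snapshot text into a list of (pid, name, path) tuples."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, name, path = line.split(maxsplit=2)
        procs.append((int(pid), name, path))
    return procs

def analyze(snapshot_text, baseline):
    """Return a Finding for every process that deviates from the baseline."""
    known_names = {name for name, _ in baseline}
    findings = []
    for pid, name, path in parse_snapshot(snapshot_text):
        if (name, path) in baseline:
            continue  # exact match with a known-good process: nothing to report
        if name in known_names:
            reason = "known process name running from an unexpected path"
        else:
            reason = "process not present in baseline"
        findings.append(Finding(pid, name, path, reason))
    return findings

if __name__ == "__main__":
    for f in analyze(SNAPSHOT, BASELINE):
        print(f"pid {f.pid}: {f.name} ({f.path}) - {f.reason}")
```

Each Finding is the kind of record the SIRT would add to the incident log before deciding whether to isolate the host.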

Response, Recovery, and Follow-Up

The next areas your plan needs to include are the actual response, recovery, and follow-up.

Incident response might mean that you shut down certain systems or disconnect the systems that are infected from the rest of your network.

You’ll then start to determine the extent of the damage, and whether any sensitive data may have been stolen.

You’ll keep a log of everything that happens during this time, and you may need legal counsel to determine whether or not you could be noncompliant in any area as a result of the incident.

Finally, after you’ve eliminated the security risks, you can review and report on everything that happened. That will give you a greater understanding of the threats your business faces, and you may find that you need to update not only your cybersecurity plan but also your response plan with the new knowledge.

You’ll also make sure all key stakeholders remain informed of what’s going on throughout the process, and you’ll bring in all employees to help prevent a future situation based on the experience.