Cyber Security Incident Response Plan: Best Practices when responding to a cyber attack

Without an Incident Response Plan, you business may end up in a Crisis

A cyber attack can be a daunting experience, especially for small business owners. It’s like a sudden storm, threatening to wash away your hard-earned progress. But just as storms can be weathered with the right preparation, so too can cybersecurity incidents.  I am going to walk you through an outline of some of the best practices and lessons learned we have used in responding to real security incidents.  Our processes are based on cybersecurity best practices and the NIST Cyber Security Framework.  Even though this article is high-level, we will be diving deep into each of the 4 key phrases of our cyber incident response plan.

Incident response plans are one of the first items we look at when performing cyber security risk assessments.

The Importance of a Cybersecurity Incident Response Plan

Imagine you’re the captain of a ship. A cybersecurity incident is akin to a breach in the hull. Without a proper response plan, your ship could sink. But with a well-crafted plan, you can patch the breach, pump out the water, and get back on course.

Creating a cybersecurity incident response plan is not just about being reactive. It’s about being proactive, anticipating potential threats, and having a roadmap to navigate through them before a data breach happens. It’s about ensuring the safety of your data, your systems, and ultimately, your business.

The NIST Guidance on Cyber security Incident Handling

Nist cybersecurity framework - set of standards, guidelines, and practices designed to help organizations manage it security risks with a cybersecurity incident response plan.
Cyber Security Incident Response Plan: Best Practices when responding to a cyber attack 4

The National Institute of Standards and Technology (NIST) provides a robust framework for handling cybersecurity incidents. It includes four key phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity.

Think of these phases as the four corners of a fortress, each playing a crucial role in defending against cyber threats.

Preparation: Building Your Cybersecurity Fortress

The first step in the incident response process when responding to a cyberattack is to prepare for it. This involves defining policies, rules, and practices to guide your security processes. It’s about developing incident response plans for every kind of incident that might target your company. It’s about having a precise communication plan: knowing who to reach internally and externally, and how to reach them.

Detection and Analysis: The Watchtowers of Your Fortress

The second phase involves detecting and identifying the incident. This is where your watchtowers come into play. You need to have systems in place that can spot potential threats and alert you to their presence. This includes identifying the incident precisely, defining the scope of the incident and its investigation, setting up monitoring, assigning incident handlers to the incident, and starting to document the case.

Containment, Eradication, and Recovery: The Walls of Your Fortress

The third phase is about containing the damage and preventing further harm. It’s about erecting walls to keep the threat at bay. This involves removing all artifacts of the incident and ensuring it cannot happen again. It’s about bringing your systems back into production after verifying patching and hardening.

Post-Incident Activity: Strengthening Your Fortress

The final phase is about learning from the incident. Every incident should be seen as an opportunity to improve your incident-handling process. It’s about discussing the incident, answering questions regarding what happened, and updating your incident response plan with any missed information during the incident.

Real-world Examples

Maersk fell victim to a widespread and devastating cyberattack perpetrated by the notpetya ransomware
Cyber Security Incident Response Plan: Best Practices when responding to a cyber attack 5

In June 2017, Maersk fell victim to a widespread and devastating cyberattack perpetrated by the NotPetya ransomware. The attack was so severe that it disrupted the company’s operations for two weeks and cost them up to $300 million, as reported by the Los Angeles Times .

The malware spread from the servers of an unassuming Ukrainian software firm to some of the largest businesses worldwide, including Maersk. The attack was so extensive that Maersk had to reinstall 4,000 servers and 45,000 PCs to recover from the incident, according to ZDNet.

Despite the scale of the attack, Maersk was able to quickly contain the attack, minimize the damage, and recover their operations within a week. This was largely due to their robust incident response plan, which included a clear communication strategy, a well-trained incident response team, and effective backup and recovery processes.

This example underscores the value of preparation and having a solid response plan in place. It also highlights the potential financial and operational impact of a cybersecurity incident, emphasizing the importance of taking proactive measures to protect your business.

For more information on the Maersk incident and how they handled it, you can refer to these articles:

I know this is not exactly a small business but the scope of what was accomplished by being prepared is amazing.  Even though the company was prepared the cost was still astronomical.  Can you imagine what the cost would have been if Maersk had not taken steps and been prepared?

Small Business Incident Response Strategy

It’s often difficult to find real-world examples of small businesses in the United States that faced cyberattacks and were able to respond effectively.

  1. Colorado Timberline: In 2018, Colorado Timberline, a small printing company, was hit by a ransomware attack. The company had a robust incident response plan in place, which allowed them to quickly isolate the affected systems and prevent the spread of the ransomware. Despite the attack, the company was able to resume operations within a few days. However, the attack highlighted the need for continuous updates to the incident response plan and the importance of regular employee training. You can read more about this incident here.

  2. RecoveryPlanner: RecoveryPlanner, a small business that provides risk management solutions, was targeted by a phishing attack. Thanks to their incident response plan, they were able to quickly identify the attack, isolate the affected systems, and prevent any data breaches. The company was also able to use the incident as a learning opportunity to further improve its cybersecurity measures. More details about this incident can be found here.

While these examples highlight the importance of having an incident response plan, it’s also crucial to note that small businesses are often targeted because they are perceived as having weaker security measures. According to a report by Barracuda Networks, small businesses are three times more likely to be targeted by cybercriminals than larger companies. The report also found that CEOs and CFOs are almost twice as likely to have their accounts taken over compared to average employees (source).

These examples and statistics underscore the importance of having a robust incident response plan in place, regardless of the size of your business. It’s not just about having the plan, but also about regularly updating it and training your employees to respond effectively to incidents.

What about companies that were not prepared?

Here are some statistics and examples related to cyber security attacks on small businesses in the United States, particularly those that did not have an incident response plan:

  1. Cyberattacks against small businesses have been on the rise in recent years. Cybercriminals assume that weaker security measures will make small businesses easier to crack than larger enterprises. Small businesses are generally not financially prepared for an attack, and most lack cyber insurance. For many smaller companies, a successful cyberattack may even put them out of business source.
  2. 46% of all cyber breaches impact businesses with fewer than 1,000 employees. 61% of SMBs were the target of a Cyberattack in 2021. At 18%, malware is the most common type of cyberattack aimed at small businesses source.

  3. In 2020 alone, there were over 700,000 attacks against small businesses, totaling $2.8 billion in damages. 95% of cybersecurity incidents at SMBs cost between $826 and $653,587 source.

  4. 47% of businesses with fewer than 50 employees have no cybersecurity budget. 51% of small businesses have no cybersecurity measures in place at all. 36% of small businesses are “not at all concerned” about cyberattacks. 59% of small business owners with no cybersecurity measures in place believe their business is too small to be attacked source.

  5. Only 17% of small businesses encrypt data. 20% of small businesses have implemented multi-factor authentication. One-third of small businesses with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions source.

While these statistics provide a general overview of the situation, specific real-world examples of small businesses in the United States that suffered cyberattacks due to a lack of an incident response plan are not readily available in the public domain due to privacy and legal reasons.

Common Mistakes in Responding to Cyber Security Incidents

Redhead woman using laptop at home stressed, shocked with shame and surprise for causing a cyber incident.
Cyber Security Incident Response Plan: Best Practices when responding to a cyber attack 6

Some common pitfalls that businesses often stumble upon when responding to cybersecurity incidents can exacerbate the situation, leading to more significant damage and longer recovery times. By being aware of these common errors, you can better prepare your business to handle cybersecurity incidents effectively.

1. Neglecting to Have a Detailed Incident Response Plan

One of the most common mistakes is not having a detailed incident response plan in place. It’s like setting sail without a compass—you’re bound to get lost when a storm hits. An incident response plan is your roadmap, guiding you on what steps to take when a cybersecurity incident occurs. Without it, your response can be chaotic and ineffective, leading to more significant damage and longer recovery times.

2. Overlooking the Importance of Regular Testing and Updates

Having an incident response plan is one thing, but ensuring it’s up-to-date and effective is another. Regular testing and updates are crucial to ensure your plan remains relevant and effective. Cyber threats are constantly evolving, and your incident response plan needs to evolve with them. Failing to regularly test and update your plan can leave you unprepared for new types of attacks.

3. Underestimating the Importance of Training

Even the best incident response plan is useless if your team doesn’t know how to implement it. Regular training is crucial to ensure everyone knows their roles and responsibilities during a cybersecurity incident. This includes not just your IT team, but all employees, as they are often the first line of defense against cyber threats.

4. Failing to Involve All Relevant Stakeholders

Cybersecurity is not just an IT issue—it’s a business issue. Therefore, your incident response plan should involve all relevant stakeholders, including management, legal, HR, and public relations. Each of these stakeholders plays a crucial role in managing the fallout from a cybersecurity incident, from communicating with customers to dealing with legal implications.

5. Not Learning from Past Incidents

Every cybersecurity incident is a learning opportunity. By analyzing what went wrong, you can identify gaps in your defenses and improve your incident response plan. Failing to learn from past incidents can leave you vulnerable to future attacks.

Remember, the key to effective incident response is preparation. By avoiding these common mistakes, you can ensure your business is better prepared to handle cybersecurity incidents and minimize their impact.


Navigating the stormy seas of cybersecurity can be challenging, but you don’t have to do it alone. We’re here to help you set up, evaluate, maintain, and test your incident response plan. With our expertise and guidance, you can be confident that your business is prepared to weather any cybersecurity storm.

Whether you’re starting from scratch or looking to improve an existing plan, our team is ready to assist. We can help you understand the unique threats your business faces and develop a tailored plan to address them. We can also provide ongoing support to ensure your plan remains effective as the cybersecurity landscape evolves.

Don’t wait for a breach to happen before taking action. Proactively safeguarding your business is the best way to ensure its longevity and success. Reach out to us today to start fortifying your cybersecurity defenses.

To get started, simply give us a call at [Your Phone Number] or send us an email at [Your Email Address]. We look forward to helping you secure your business against cyber threats.

Responding to a cyber security incident is not a one-time event. It’s a continuous process of learning and improving. It’s about building a stronger fortress, one that can withstand the storms of cyber threats.

Your Cybersecurity Incident Response Checklist

To help you navigate through a cybersecurity incident, here’s a handy checklist:

Phase 1: Preparation

  • Define and document incident response policies and procedures.
  • Establish clear roles and responsibilities for the incident response team.
  • Conduct regular training and simulations for the incident response team.
  • Set up a communication plan for internal and external communication during an incident.
  • Implement security measures and controls to prevent incidents.
  • Regularly back up and encrypt sensitive data.
  • Keep all systems and software updated and patched.

Phase 2: Detection and Analysis

  • Monitor systems for signs of an incident.
  • Document all detected potential incidents.
  • Analyze and validate if a detected event is a security incident.
  • Determine the scope of the incident – systems, data, and users affected.
  • Prioritize handling of the incident based on its impact and severity.

Phase 3: Containment, Eradication, and Recovery

  • Isolate affected systems to prevent further damage.
  • Gather and document all information about the incident.
  • Identify the cause of the incident and plan for its removal.
  • Remove the cause of the incident from all affected systems.
  • Restore affected systems and data from clean backups.
  • Verify that all systems are clean and free from threats.
  • Gradually restore operations while monitoring for signs of recurrence.

Phase 4: Post-Incident Activity

  • Conduct a post-incident review to identify strengths and weaknesses in incident handling.
  • Document lessons learned from the incident and the response process.
  • Update incident response policies and procedures based on lessons learned.
  • Communicate with all relevant parties about the incident and its resolution.
  • Conduct follow-up monitoring to ensure no recurrence of the incident.

This checklist provides a step-by-step guide to handling a cybersecurity incident. However, it’s important to remember that every incident is unique and may require different approaches. Always be ready to adapt and learn from each incident.

Additional Resources

If you want to delve deeper into the world of cybersecurity incident response, here are some resources:

  1. NIST’s Guide to Incident Response
  2. Cybersecurity Incident Response Course
  3. Book: Incident Response & Computer Forensics

Remember, the key to effective cybersecurity incident response is preparation, swift action, and continuous learning.


  1. Cybersecurity Incident: An event that threatens the integrity, confidentiality, or availability of computer systems, networks, or the information they contain.
  2. Incident Response Plan: A set of instructions to help IT staff detect, respond to, and recover from network security incidents.
  3. NIST Cybersecurity Framework: A guide developed by the National Institute of Standards and Technology (NIST) that provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber incidents.
  4. Preparation Phase: The initial stage in the incident response process where policies and procedures are developed, and resources are gathered to respond to potential cybersecurity incidents.
  5. Detection and Analysis Phase: The stage in the incident response process where potential security incidents are identified, and information is gathered to determine the appropriate next steps.
  6. Containment, Eradication, and Recovery Phase: The stage in the incident response process where the immediate impact of the incident is limited, the threat is removed, and systems are restored to normal operation.
  7. Post-Incident Activity Phase: The final stage in the incident response process where information is collected from the incident to prevent future incidents and improve the incident response process.
  8. Ransomware: A type of malicious software designed to block access to a computer system until a sum of money is paid.
  9. Phishing Attack: A method of trying to gather personal information using deceptive e-mails and websites.
  10. Backup: A copy of computer data taken and stored elsewhere so that it may be used to restore the original after a data loss event.
  11. Encryption: The process of converting information or data into a code, especially to prevent unauthorized access.
  12. Patch: A software update comprised code inserted (or patched) into the code of an executable program.
  13. Multi-factor Authentication: A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.
  14. Cyber Insurance: A product that is designed to help businesses hedge against potentially severe financial loss from cyber-related risks.
  15. Cyber Threat: The possibility of a malicious attempt to damage or disrupt a computer network or system.
  16. Data Breach: A security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.

What do you think?

Leave a Reply

Related articles

Contact us

Partner with Us for Comprehensive IT

We’re happy to answer any questions you may have and help you determine which of our services best fit your needs.

Your benefits:
What happens next?

We Schedule a call at your convenience 


We do a discovery and consulting meting 


We prepare a proposal 

Schedule a Free Consultation