It's 9pm on a Tuesday. Your IT manager calls — ransomware has encrypted your file server. Customer data may be compromised. You have no idea who to call, what to do first, or what your legal obligations are.
This scenario plays out in small businesses every day. And in almost every case, the damage is significantly worse because there was no plan in place before the incident happened.
An incident response plan (IRP) is your organisation's playbook for exactly this situation. This guide explains what it is, what it needs to cover, and how to build one without a dedicated security team.
What Is an Incident Response Plan?
An incident response plan is a documented set of procedures that defines how your organisation detects, responds to, and recovers from cybersecurity incidents. It covers everything from who gets notified first, to how evidence is preserved, to when you're legally required to notify regulators or customers.
A good IRP doesn't just tell you what to do — it tells you who does it, in what order, and how to communicate throughout the process.
Why Small Businesses Need One
The assumption that incident response is only for large enterprises is dangerously wrong. Small businesses are frequently targeted precisely because attackers know they're less likely to have detection and response capabilities.
Without a plan, the typical SME response to a cyberattack involves:
- Wasted hours figuring out who's responsible for what
- Evidence destroyed by well-meaning staff trying to "fix" things
- Delayed notification to customers and regulators — increasing legal liability
- No clear path to recovery, extending downtime
- Reputational damage from poor communication
With a plan, the same incident becomes a managed process with defined roles, clear communication, and a faster path to recovery.
The Six Phases of Incident Response
The NIST SP 800-61r2 framework — the industry standard for incident response — defines six phases:
1. Preparation
Everything you do before an incident happens. This includes building your IRP, training your team, establishing communication channels, and ensuring you have the tools and access needed to respond effectively.
2. Detection and Analysis
Identifying that an incident has occurred and understanding its scope. This involves monitoring systems, analysing alerts, and classifying the severity of the incident.
3. Containment
Stopping the spread of the attack. Short-term containment (isolating affected systems) and long-term containment (patching, rebuilding) are both part of this phase.
4. Eradication
Removing the threat from your environment — deleting malware, closing vulnerabilities, removing compromised accounts.
5. Recovery
Restoring systems to normal operation and verifying that the threat has been fully removed before bringing systems back online.
6. Post-Incident Review
Learning from what happened. What worked? What didn't? What needs to change to prevent recurrence or improve response next time?
What Your IRP Must Include
A practical incident response plan for a small business should cover:
- Incident classification matrix — defining severity levels (P1 through P4) and the response required for each
- Roles and responsibilities — who is the incident commander, who handles communications, who handles technical response
- Contact tree — internal escalation contacts, external contacts (legal, PR, cyber insurer, law enforcement)
- Attack-specific playbooks — step-by-step procedures for the most common attack types: ransomware, data breach, phishing, business email compromise, DDoS
- Communication templates — pre-drafted internal and external communications so you're not writing from scratch under pressure
- Legal notification checklist — GDPR, HIPAA, state breach notification laws — what triggers notification and what the deadlines are
- Evidence preservation guide — how to collect and preserve forensic evidence without contaminating it
- Post-incident review template — structured format for capturing lessons learned
The Most Common Attack Types to Plan For
Ransomware
Ransomware is the most disruptive attack type for SMEs. Your playbook needs to cover immediate isolation procedures, backup verification, ransom payment decision framework, and recovery sequencing.
Data Breach
Whether through hacking, insider threat, or accidental exposure, a data breach triggers legal notification obligations. Your plan needs to define what constitutes a reportable breach and what the notification timelines are.
Phishing and Business Email Compromise
BEC attacks — where attackers impersonate executives or vendors to redirect payments — are among the most financially damaging attacks on SMEs. Your plan needs to cover how to verify suspicious requests and how to respond when a fraudulent transfer has already occurred.
Testing Your Plan
A plan that's never been tested is a plan that will fail when you need it most. At minimum, run a tabletop exercise once a year — a structured discussion where your team walks through a simulated incident scenario and identifies gaps in your plan.
Tabletop exercises don't require technical expertise. They're essentially a facilitated conversation: "A ransomware attack has encrypted our file server. What do we do first? Who do we call? What do we tell customers?"
Getting Started
Building an incident response plan from scratch is a significant undertaking. Tektova's Incident Response Program toolkit includes a complete IRP master document, six attack-specific playbooks, communication templates, a legal notification checklist, and a tabletop exercise guide — everything you need to stand up a credible IR capability in days, not months.
Summary
Cyberattacks are not a matter of if — they're a matter of when. The difference between a manageable incident and a business-threatening crisis is almost always preparation. An incident response plan is the single most impactful thing a small business can do to reduce the damage when an attack occurs.
You don't need a dedicated security team to have a good plan. You need clear procedures, defined roles, and the discipline to test and maintain them.