Most small businesses know a cyber attack could happen to them. Far fewer have a written plan for what to do when it does.

The result is predictable. When something goes wrong, whether it is a ransomware notification, a compromised email account, or unusual activity on the network, there is confusion. Who makes the call? Who contacts the IT provider? Who tells customers? Decisions get made under pressure, and the wrong ones make the damage worse.

A cyber incident response plan does not require a dedicated security team or a 50-page document. It needs to answer a handful of critical questions in advance so your business can respond quickly, limit damage and recover faster. Here is how to build one.

What Counts as a Cyber Incident

Before building a plan, define what triggers it. A cyber incident is any event that threatens the confidentiality, integrity or availability of your systems or data.

Obvious examples include ransomware encryption, unauthorised access to email accounts, data breaches and phishing attacks that result in credential theft. Less obvious ones include a staff member losing an unencrypted laptop, finding unexpected admin accounts on your network, or discovering that someone has been forwarding company emails to a personal address.

Your plan does not need to cover every scenario in detail. It needs to make clear that when something looks wrong, there is a defined process to follow rather than a scramble.

The Five Steps Your Plan Should Cover

A practical incident response plan follows five stages: prepare, identify, contain, recover and learn.

1. Prepare. Assign roles before anything happens. Do you have a primary contact for your IT provider? Is it clear who has authority to shut down systems if needed? Who handles communication with customers or regulators? Write these names, phone numbers and responsibilities down. If one person is unavailable, name a backup.

2. Identify. Define how incidents get reported internally. A simple rule works: if someone sees anything suspicious, they report it to a named person immediately, no judgement. That person contacts your IT provider or internal IT lead to assess whether it is a genuine incident. Speed matters here. The average attacker dwell time inside a compromised environment is 90 to 120 days, and every day an intrusion goes unnoticed is a day the attacker can spend extending their access.

3. Contain. Once an incident is confirmed, the priority is stopping it from spreading. This might mean isolating an affected machine from the network, disabling a compromised account, or temporarily shutting down a system. Your IT provider should be leading this, but your plan should make clear who authorises these decisions internally.

4. Recover. Restore affected systems from clean backups, checking that the backup predates the compromise and was not reachable from the affected systems. Reset credentials. Verify that the threat has been fully removed before bringing systems back online. Document what happened and when.

5. Learn. After recovery, review what went wrong, what went well and what needs to change. Update the plan based on what you learned. This step is the one most businesses skip, and it is the one that prevents the same thing happening again.

Reporting Requirements Are Tightening

Under the Cyber Security and Resilience Bill progressing through Parliament, organisations in scope will need to report cyber incidents within 24 hours, with a full report within 72 hours. Even if your business is not directly in scope, larger clients may require evidence that you have a documented incident response process as part of supply chain assurance.

Having a plan already in place puts you ahead of the curve.

Keep It Short, Test It Regularly

The best incident response plans are short enough that people actually read them. One to two pages is enough to cover roles, contact details, the five steps and any specific instructions for your IT setup.

Print a copy and keep it somewhere accessible. If your systems are encrypted by ransomware, a plan saved only on the network is useless.

Test the plan at least once a year. Run a tabletop exercise: describe a scenario and talk through who does what. You will quickly find gaps, whether that is an out-of-date phone number, an unclear decision point or a step that nobody actually knows how to execute.

You Do Not Have to Build This Alone

If you want help creating an incident response plan that fits your business, or you want to make sure your current setup can detect and contain threats quickly, speak to The Unite Group about a managed security review. We work with SMEs across the North East to build practical, proportionate security processes backed by 24/7 monitoring and rapid response tools.