Building an Incident Response Plan for Your Small Business
What to do when something goes wrong. A practical guide to building a response plan that actually works when you need it.
What to do when something goes wrong. A practical guide to building a response plan that actually works when you need it.
An incident response plan tells your team exactly what to do when something goes wrong. Without one, the average data breach costs small businesses $120,000 and takes 280 days to contain.
NIST SP 800-61 defines four phases: preparation, detection and analysis, containment and eradication, and recovery.
You need a documented plan, a response team with defined roles, and the tools required to execute. At minimum: a contact list, offline backups, a clean laptop for forensics, and legal counsel.
| Role | Responsibility | Backup |
|---|---|---|
| Incident Commander | Coordinates response, makes decisions | IT lead or owner |
| Technical Lead | Contains the threat, preserves evidence | IT staff or MSP contact |
| Communications Lead | Internal and external messaging | Office manager |
| Legal Contact | Legal and regulatory obligations | Outside counsel |
Common indicators: antivirus alerts, unusual network traffic, locked user accounts, ransom notes. When something looks wrong, assume it is and escalate.
Isolate affected systems. Disable compromised accounts. Block malicious IPs. Remove malware, patch vulnerabilities, rotate credentials.
Restore from clean backups. Verify data integrity. Monitor for recurrence. Communicate with customers and regulators as required.
Run a tabletop exercise every six months. Walk through a scenario with your team and identify gaps. Common gaps include unclear decision authority and backup systems that do not restore.
Start with a single page that defines roles, a 9-step response flow, and a contact list. Test it twice a year. A simple plan that gets tested is infinitely better than a complex plan that gathers dust.