How to make an incident response plan

What is an incident response plan?

An incident response plan is a document that aims to minimise the effects of a cyber attack, protecting a business's systems in the process. This document should clearly highlight a list of predetermined, easy-to-follow instructions that will aid employees in knowing both what to do, and how to recognise that there has been a data breach. 

Why do you need an incident response plan?

Worryingly, statistics reveal that more than 77% of businesses do not have a cyber security incident response plan in place, even though 54% of companies claimed to experience one or more attacks between 2019 and 2020. With security threats growing as we see IoT (Internet of Things) expanding, it’s never been more important for businesses - both small and large - to devise an incident response plan.

What are the benefits of an incident response plan?

So, what are the benefits? Firstly, you’ll be able to ensure that your business's data is efficiently protected, allowing your team to be proactive in constantly looking out for potential cyber security risks. Should your sensitive data end up in the hands of a hacker, it could be leaked or held to ransom, with seriously damaging consequences. 

Not only this, making an incident response plan will ensure that your business revenue is protected, and with the average cost of a breach being £3.03 million, you’ll avoid the devastation that this could cause. 

Creating an incident response plan is also essential for upholding your business’s reputation, allowing you to maintain healthy relationships with clients and customers alike. A data breach is likely to affect them too, so they will want to have full confidence that you’re handling the situation efficiently. 

How to make an incident response plan

Your incident response plan will include a number of phases, which will inform employees on how to act in the event of a cyber attack: 

Preparation

Phase one of your incident response plan will be preparation, ensuring that your employees are equipped with the resources and knowledge to act in the event of an attack. You’ll need to provide regular training sessions for new and long-term members of staff alike, particularly if there have been any recent business updates or restructures. From securing funding for security-focused hardware and software, to planning how incidents will be prioritised based on how severely each will impact the business, staff should be fully aware of how to act and who to contact. To test this knowledge and evaluate the effectiveness of your current incident response plan, run drills every so often. 

Detection

The detection phase involves gaining an understanding of the key signs to look out for, should a data breach occur. Employees must be able to distinguish unusual behaviour from regular business operations. 

So, how is a breach recognised? Ideally it is discovered internally, once employees know exactly what to look out for: suspicious new files, strange login attempts and alerts from malware detection software are some of the main signs. Establish when the event took place, what the source could be and which areas have been affected, and analyse the extent of the situation. 
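As an added illustration of the detection signs described above (this is example code written for this article, not part of the original post or of any product it mentions), the following Python script scans constructed login log lines for three of the "unusual behaviour" patterns a team might watch for: repeated failed logins from one address, a successful login from an address the user has never used, and a login outside business hours. For each finding it records when it happened, the source and who was affected, and a summary groups findings by source to show the extent. The log line format, the KNOWN_SOURCES baseline, the failure threshold and the business-hours window are all assumptions for the example.

```python
"""Login-anomaly detector over constructed auth log lines (added example).

Assumptions (not from the article): a plain-text log with one login event
per line, a per-user baseline of 'known' source addresses, and fixed
business hours.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one line per login event, key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:02:11 login user=alice src=10.0.0.12 result=success
2024-03-04T09:05:43 login user=bob src=10.0.0.15 result=success
2024-03-04T23:41:02 login user=alice src=198.51.100.7 result=failure
2024-03-04T23:41:05 login user=alice src=198.51.100.7 result=failure
2024-03-04T23:41:09 login user=alice src=198.51.100.7 result=failure
2024-03-04T23:41:14 login user=alice src=198.51.100.7 result=failure
2024-03-04T23:41:20 login user=alice src=198.51.100.7 result=success
2024-03-05T08:58:30 login user=bob src=10.0.0.15 result=success
"""

# Assumed baseline: the addresses each user normally logs in from.
KNOWN_SOURCES = {"alice": {"10.0.0.12"}, "bob": {"10.0.0.15"}}
FAILURE_THRESHOLD = 3          # failures from one (user, source) pair that raise a flag
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59 counts as regular operation


def parse_line(line):
    """Turn 'TIMESTAMP login k=v k=v ...' into a dict with a datetime."""
    timestamp, _action, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = datetime.fromisoformat(timestamp)
    return record


def detect(log_text, known_sources=KNOWN_SOURCES):
    """Return findings; each answers when, from what source, and who was affected."""
    findings = []
    failures = defaultdict(int)  # (user, src) -> failure count so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, src, when = ev["user"], ev["src"], ev["time"]
        signs = []
        if ev["result"] == "failure":
            failures[(user, src)] += 1
            if failures[(user, src)] == FAILURE_THRESHOLD:
                signs.append("repeated login failures")
        else:
            if src not in known_sources.get(user, set()):
                signs.append("login from unseen source")
            if when.hour not in BUSINESS_HOURS:
                signs.append("login outside business hours")
        for sign in signs:
            findings.append({"when": when.isoformat(), "source": src,
                             "affected": user, "sign": sign})
    return findings


def summarise(findings):
    """Group findings by source to show the extent: first seen, users hit, signs."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(
            f["source"], {"first_seen": f["when"], "users": [], "signs": []})
        if f["affected"] not in entry["users"]:
            entry["users"].append(f["affected"])
        entry["signs"].append(f["sign"])
    return summary


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarise(found))
```

On the sample log the script raises one finding when the third failure from 198.51.100.7 lands, then two more when the same address succeeds at 23:41 (unseen source, and outside business hours); the summary shows a single source, first seen at 23:41:09, affecting one account. The point of the summary is that it answers the triage questions the paragraph lists before anyone has to read the raw log.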

Containment

After a data breach has been detected, it’s vital that employees act with urgency, aiming to contain the attack as quickly as possible. Although it’s inevitable that an attack will bring feelings of panic, it’s vital to stay calm in these situations to make a proper evaluation. Once you’ve gathered all the information needed about the attack, which can then be passed on to forensic investigators, you’ll need to isolate the infected machine from the network, remembering to back up any sensitive data. This, in turn, will prevent the attack from spreading to other devices, minimising the potential risk to your business. Once you’ve managed to contain the attack, you should revise your incident response plan accordingly to reduce future risk. 

Eradication

The next phase is to eradicate the attack, evaluating what exactly led to the breach to ensure it doesn’t happen again; the cause could have been carelessness, insufficient security measures or inadequate policies. Depending on the cause, you may need to update your systems, provide further staff training, and keep an eye out for even the slightest trace of malware that remains. 

Recovery

So, what should you do after a cyber attack? The recovery stage of your incident response plan is essential for getting your business back on track, so ensure that this is clearly defined. This will involve the careful process of returning affected systems to regular operation, making sure that they’ve been through a strict testing procedure with additional security measures put in place. 

Review and adapt

After a cyber attack has taken place, you’ll need to review current procedures with the Incident Response Team, considering how successfully they were able to solve the problem. It’s vital to fill any gaps, ensuring that all aspects of your workplace security are enhanced to prevent an attack from happening again. After learning from the scenario, communicate any new processes or policies to the wider team, making sure they’re clear on how to steer clear of a data breach.

If you’re looking to optimise your workplace’s security, our team of professionals are here to help. From industrial gates to CCTV systems, we have everything you need to protect your premises. Get in touch with us today to see how we can help your business.