Cybercrime is on the rise. There’s no denying that. In the first six months of 2019, there was a 54% increase in data breaches that resulted in 4.1 billion records being exposed. That might sound like a lot, but things got worse in 2020, largely fueled by COVID-19 and the massive shift to work from home that came with it.

You can prepare for a data breach as best you can, but sometimes it’s more of a matter of when it’s going to happen, not if. That’s why one of the better things you can do is have an incident response plan ready for when something happens.

What is an incident response plan?

An incident response plan is a detailed plan that helps your IT team detect, respond to, and manage any cyber threats that your company is exposed to. These plans are basically a set of policies and procedures that your business implements to make sure that everyone does exactly what they need to be doing during each step of a security incident.

Along with being a really good idea from a business protection standpoint, incident response plans are increasingly being mandated under data protection regulations like the California Consumer Protection Act, and even ISO 27001 certification requires a plan.

These requirements are becoming the norm because these attacks don’t just impact your business, they affect your clients and customers as well. Not only does an attack open up your customers to exploitation by hackers, it also destroys their ability to trust your company. Incident response plans don’t just help keep your business safe, they protect the very people who use your services.

How to create an incident response plan

Creating an incident response plan involves having a deep understanding of your systems, where possible incidents might occur, and how you plan on mitigating the impact of anything that happens.

It is, as you’d expect, a detailed and time-consuming process, but the value of a solid incident response plan is so great that it’s worth the effort. In the end, not having a plan in place means more work than putting one together in the first place would have been.

There are four stages to an incident response plan: Preparation; Detection & Analysis; Containment, Eradication, & Recovery; and Post-Event activity.

Let’s break those down by section and take a look at what each stage means for you.

Preparation

The first step involves getting ready for anything that could affect your business. These are the common attacks like distributed denial of service attacks (DDoS) that knock your business or service offline, malware that can be used to breach your system and steal data, phishing attempts that deceive your employees into giving up the information hackers need to break in, or credential stuffing attacks that attempt to gain access to your system with a brute force approach.

This stage doesn’t just end with you identifying the various risks, though. You need to create specific plans for each of the threats that help everyone involved know their roles and responsibilities when something happens. To really help ensure that your team clearly knows what to do, running through your plans in simulated settings (like role-playing or drills) can help a lot. The more you do activities like this, the more you expose any holes in your plan or areas that you’re not prepared for, so don’t skimp on the effort in this phase.

It’s also strongly recommended that you work closely with a security operations center (SOC) during this phase, as they know the current best practices for dealing with the various threats. They’re also going to have insight into which areas of your business are going to be most susceptible to particular types of attacks.

Detection and analysis

The goal in the second stage is to identify the size and scope of the incident in question. Was it one infected computer or a massive breach that resulted in the data of millions of customers being exposed?

The first thing you need to do here is locate where the breach occurred (patient zero, if you will). This helps you see what kind of threat you’re dealing with, the severity of the breach, and the type of attack. This information not only lets you decide on the correct course of action (based on the plans you drafted in step one), it also tells you what to look for in the rest of your system. This way you can track the damage through your network and learn, for example, whether it was an isolated infection or whether everything has been compromised.

Containment, Eradication, and Recovery

Sometimes, this stage is broken down into individual sections, but it’s not really necessary. Each of these sections is a part of the complete act of dealing with a cybersecurity incident.

The goal for containment is to lock down the infected computer or section of the network that is infected as soon as possible. The faster you react here, the less likely it is that the hacker is going to be able to do any serious damage to your system.

Even better, this step can also help highlight the importance of security features like access control, which limit how much of your network employees have access to. Solid access control can limit just how much of your system is breached and what data can be extracted by the hackers when they’re in there. Role-based access control can really help limit the impact of cybercrime because no one in your system has access to the whole network. They can only use the parts that are critical to doing their jobs. For example, the receptionist isn’t likely going to need access to your company’s payment gateway.

Once you’ve contained the threat, it’s time to eradicate it. As the name implies, this step is dedicated to removing the threat from your system completely. This could involve patching systems to fix holes, removing viruses and malware from infected computers, or disabling the parts of your network that are compromised.

In the recovery stage, you get your business back online and resume serving your customers. This is where having a solid disaster recovery plan can help your business bounce back quickly, with minimal interruption. Disaster recovery involves having a robust set of backups in place that (ideally) contain a clean version of your business data that was captured as close to the attack as possible. You want to be able to minimize the amount of loss, so be sure that not only are you making regular backups but that you’re also testing to make sure that backups are viable and your system can be restored quickly.

Post-event activity

In this final stage, you’re looking at everything that happened, assessing whether it was handled well, and looking at what you need to do to prevent it from happening again. Ideally, there will be some pretty clear lessons about how to prevent a similar incident in the future, any holes that may exist in your current plan, and how you can better manage the situation if it does happen again.

Creating thorough documentation of the incident should help you clearly see what was effective, what didn’t help, what backfired, and what surprises may have occurred. And, this documentation acts as a playbook for next time.

Incident Response Plan Best Practices

Each business is going to have specific needs when it comes to incident response plans, but there are some best practices that can help carry you through the process. We’ve already touched on some of these, but as far as security is concerned, you can’t repeat yourself enough.

Create playbooks

Create highly detailed guides for each stage of every possible incident your business might encounter. You want something that helps you follow the exact steps you need to take to mitigate the incident because, if we’re being honest, things happen pretty fast during an attack and it’s easy to lose your cool. Playbooks reduce the chances of you forgetting what you’re supposed to be doing or, worse, missing a critical step that protects your business.

Training and drills

Much like we recommend running simulations to test how effective staff are at spotting phishing emails, you should run through your various playbooks to ensure that you’re doing everything you need to be doing to protect your business. These simulations help expose any holes or gaps in your plan and give you an opportunity to patch them before something goes wrong.

Involve the whole company

A cyberattack isn’t just something the SOC deals with; it should involve the whole company. The more everyone knows exactly what they need to do to either prevent a cyberattack or mitigate one, the better.

Final considerations when creating an incident response plan

When you think about the fact that our workforce is more distributed than ever, the need to have an incident response plan has increased. A distributed workforce brings with it a unique set of challenges that range from laptops being stolen from coffee shops to using VPNs to make sure employees are using secure connections to access your network.

All of these scenarios need to be considered when putting together response plans, so be sure to take them into account when you’re creating your playbooks.

As you can tell, incident response plans can be a lot of work. But you can’t let that stop you from putting them together. If you need help creating or implementing incident response plans, or if you don’t have a SOC to help you manage incidents, let’s talk.

We have more than 20 years of experience helping companies manage their security and mitigating incidents as they happen. Contact us today to learn more.

The post The Anatomy of a Cybersecurity Incident Response Plan appeared first on Manhattan Tech Support.