Incident Response Plan. It sounds like something for a government agency or big business. Yes, they have them, but small and medium businesses (SMBs) should have incident response plans, too.

This post explains what an incident response plan is, why you need one, and how to create it.

What is an incident response plan?

An incident response plan is a set of written protocols that guide an organization in recovering from a serious, unexpected problem. Ransomware and data breaches are top of mind these days, and cyberattacks should be the center of most incident response plans. However, these are not the only incidents an organization needs to plan for. Other problems, such as natural disasters, disease outbreaks, fires and physical intrusions, should be included as well, depending on the organization.

An SMB incident response plan does not need to be lengthy or complicated, but it needs to be clear, logical, and fit for purpose. It also needs to be available even during an incident, i.e., not frozen on a compromised computer or destroyed in a flood!

Why does an SMB need an incident response plan?

There are at least five good reasons for an SMB to have an incident response plan:

  1. SMBs are attacked all the time. In an interconnected, Internet-driven world everyone is vulnerable. Being on the smaller side offers no protection or anonymity.
  2. Preparation is key to prevention. The act of creating and maintaining a plan helps prevent problems in the first place. For example, are all computers running the latest software? Are fire extinguishers in accessible locations?
  3. Panic is the alternative to planning. Cyberattacks and other incidents can be tough, even when you’ve prepared. But if you haven’t prepared you’re likely to panic and do the wrong thing, leading to further damage, higher costs and delays in recovery. And you’ll burn out your staff, too.
  4. You may be legally required to have one. For example, the General Data Protection Regulation (GDPR) requires organizations, including SMBs, to report data breaches within 72 hours. You need a plan to make that happen.
  5. You may be contractually obligated. Larger companies and government agencies are increasingly requiring suppliers of all sizes to have incident response plans in order to do business with them. Having a robust plan helps an SMB stand out in bids and contract negotiations.

How does an SMB create an incident response plan?

An incident response plan needs to be tailored to the specific circumstances of each SMB, but there’s no need to reinvent the wheel. SMBs can leverage tools they already pay for, such as Microsoft Compliance Manager, which includes risk assessments for various industries and geographies, and guidance on developing a plan. The downside is that it can be complex for non-technical staff to comprehend.

Another approach is to engage a consultant or an incident response vendor. Costs vary but are usually reasonable. And for many SMBs, the bulk of the incident response plan may be to collect basic information about the incident and contact the incident response vendor for help.

Fundamental Cyber includes basic incident response plan templates in its Funda software. Visit fundamentalcyber.com for more information.

Now what?

Once the plan is in place, it should be reviewed and updated regularly. For many SMBs an annual review is sufficient. If big, new threats emerge during the year, such as ransomware or physical violence, parts of the plan may require more frequent revision.

A plan is only good if employees know about it and practice using it. That means providing awareness, employee training and holding the occasional ‘fire drill’ to make sure the organization is ready.

Software tools can help. Funda from Fundamental Cyber includes an incident reporting feature, training modules, and tools to scan files for GDPR compliance and conduct a system health check.

Did you find this post useful? Is there more you’d like to know? Drop us a line at info@fundamentalcyber.com
