

By: Mark Sheldon Villanueva on October 20th, 2021


What is an Incident Response Plan?


Cyber attacks are increasing, and so are their severity and the length of time required to resolve them. An effective incident response plan can help mitigate these problems. Find out what an incident response plan is and why you need one.

What would you do if you were hit with a cyber attack? If you're not sure of your answer, then you might want to seriously consider creating a plan of action. That's because your business could be at risk regardless of its size.

The Federal Bureau of Investigation reported that cybercrime rose by 300% in 2020 alone, and almost half of those attacks were aimed at small businesses.

The number of cyberattacks hitting US organizations isn't the only thing that's been on the rise recently. Sadly, the severity of the attacks and the length of time needed to address them have also been growing.


In a study conducted by IBM, 65% of business leaders said attack severity is increasing, with 57% reporting it's taking longer to resolve cyber incidents. So what's happening there?

While it's true that cyberattacks have grown more sophisticated over the years, that is only part of the story. A key driver behind these alarming numbers is that many businesses fail to respond to cyber threats effectively. In the same study, IBM found that a large majority (77%) of US businesses don't have a consistent cybersecurity response plan.

At ITS, we've helped hundreds of businesses improve their cybersecurity efforts. In our experience, having a plan to effectively respond to cyber incidents is vital in today's threat landscape.

In this article, we'll teach you the basics of an incident response plan to help you set one up for your business. To do that, we'll have to dive into the following:

  • What is an incident response plan?
  • Why do you need an incident response plan?
  • 4 steps of an incident response plan

What Is an Incident Response Plan?


An incident response plan is a written plan to help IT professionals identify, eliminate and recover from cybersecurity threats. It's designed to help your organization respond quickly and uniformly against any form of cyber attack.

If properly managed and updated, an incident response plan can help you minimize the damage caused by attacks like data loss, abuse of resources, and the loss of customer trust.

Why Do You Need an Incident Response Plan?

Cybercriminals want to confuse your team during an attack. It's beneficial for them. Your inability to respond appropriately can buy them the time they need to get what they want, whether it's your data or your hard-earned money. A well-thought-out plan can help reduce that confusion and give your team the right mindset to deal with any cyber incidents effectively.


Here are some of the most common advantages you can gain with an incident response plan:

Speeds Up Your Team's Response Time to Threats

When it comes to cyberattacks, time is of the essence: the faster you react, the less damage a malicious actor can inflict on your business.

Having a consistent incident response plan allows your team to respond immediately when an incident occurs. Relevant members of your team will also have a clear roadmap to help them identify and react to an external attack, potentially buying you the time you need to resolve the situation.

Protects Your Data

Your data is expensive. In IBM's 2021 Cost of a Data Breach Report, data breaches were found to cost businesses $4.24 million per incident on average. That is a 10% increase over last year's total.

Data and system protection are at the core of incident response plans. When a breach occurs, your plan should immediately kick in and enable your team to respond quickly. That way, they can secure backups and deploy patches to vulnerabilities in a timely manner to help protect your data.

Reinforces Your Organization's Reputation

How a company responds to incidents is very revealing. An effective and timely response shows that your organization is committed to security and privacy. On the other hand, failing to stop an attack promptly may cast doubt on your entire operation. Customers and shareholders may even choose to do business elsewhere. Having a reliable incident response plan is critical in preventing that outcome.

Limits the Damage of a Breach

In many cases, attackers can attempt to disrupt your operations by encrypting your data and holding it for ransom for an indefinite period of time. The result is unplanned downtime that can seriously hurt your bottom line. According to Gartner, downtime at the low end can cost as much as $140,000 per hour, $300,000 per hour on average, and as much as $540,000 per hour at the higher end.

Having an incident response plan can limit the damage and costs of a breach by enabling your team to respond to one quickly and effectively. The faster you are able to resolve the issue, the less damage your organization is bound to incur.

4 Steps of an Incident Response Plan

An effective incident response plan can be broken down into four steps, and it's essential to create structured procedures for each one.

The four steps include:

1. Preparation


Preparation is perhaps the most vital and work-intensive step. This phase is where you document, outline and explain your response team's roles and responsibilities. That includes establishing the underlying security policies that will guide the development of your incident response plan.

This is also when you can perform risk assessments to determine whether your team can handle an attack on its own or would need the help of a third party. Use this stage to determine the location, sensitivity, and relative value of all your data and assets. That will help you identify the critical security incidents you should focus on.

Lastly, this step is also where you assign roles for members of your response team, including a chain of command which involves your IT and corporate leadership. Ensure that they have access to relevant systems and tools so that they can respond to incidents effectively.

2. Identification


The identification stage covers the monitoring, detection, alerting, and reporting of security events. Its primary objective is to identify known and unknown threats and any suspicious activity that appears malicious. In this phase, collecting log data is critical to establishing how the incident occurred, its root cause, and which systems and data were affected.

You need to develop a proactive detection strategy, such as a Security Information and Event Management (SIEM) process. That will enable your team to conduct the deeper analysis and forensics needed to gather critical information about a security incident.
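As an added illustration of the identification step (this is example code, not part of the ITS article or any ITS tooling), here is a minimal SIEM-style correlation in Python. It runs over constructed authentication log lines in a hypothetical format, flags a successful login that follows a burst of failures from the same source, and produces the incident record responders need: when the activity began, the entry point, and which hosts that source touched afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (hypothetical format, not from any real system).
SAMPLE_LOGS = """\
2021-10-20T09:00:01 host=fileserver01 event=login_failed user=admin src=203.0.113.7
2021-10-20T09:00:03 host=fileserver01 event=login_failed user=admin src=203.0.113.7
2021-10-20T09:00:05 host=fileserver01 event=login_failed user=admin src=203.0.113.7
2021-10-20T09:00:09 host=fileserver01 event=login_ok user=admin src=203.0.113.7
2021-10-20T09:02:30 host=workstation12 event=login_ok user=alice src=10.0.0.5
2021-10-20T09:05:00 host=hr-db01 event=login_ok user=admin src=203.0.113.7
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)

def parse(log_text):
    """Parse matching lines into event dicts; anything else is skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def detect_bruteforce(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag a login_ok preceded by >= threshold failures (same src and user,
    within `window`) and record when it began, the entry point, and every
    host that source touched afterwards (candidates for isolation)."""
    events = parse(log_text)
    failures = defaultdict(list)  # (src, user) -> failure timestamps
    incidents = []
    for e in events:
        key = (e["src"], e["user"])
        if e["event"] == "login_failed":
            failures[key].append(e["ts"])
        elif e["event"] == "login_ok":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                affected = sorted({x["host"] for x in events
                                   if x["src"] == e["src"] and x["ts"] >= e["ts"]})
                incidents.append({"first_seen": recent[0].isoformat(),
                                  "entry_point": e["host"], "src": e["src"],
                                  "user": e["user"], "failed_attempts": len(recent),
                                  "affected_hosts": affected})
            failures[key].clear()  # a success ends the run of attempts either way
    return incidents
```

On the sample data this yields one incident entering through fileserver01 and later touching hr-db01, which is exactly the "systems affected" list the response stage needs for containment.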

3. Response


Once a breach has been detected, containment should be your next priority so that the compromise does not spread. Isolating compromised systems, networks, data stores, and devices minimizes the damage after an incident.

After removing the adversary's access, your response team should determine the extent of the damage and the risks it poses to your business. That should be followed by analysis of forensic artifacts, eradication of infected files, and closing the weakness that allowed the breach.

In this stage, your team should also ensure that data regarding the incident is logged and documented properly to help with investigations.


4. Recovery and Review

This stage is where your team can begin to analyze all relevant information regarding the incident.


Post-incident activities include:

  • Reviewing and reporting on what happened.
  • Updating your cybersecurity program with new information about what worked and what to improve.
  • Updating your IR plan with lessons learned.

Your team should also perform a thorough cybersecurity assessment to verify your environment is truly clear of threats.

Ready to Set Up Your Own Incident Response Plan?

An incident response plan is a necessity in today's threat landscape. Make sure you develop one that provides actionable steps to guide your team in dealing with incidents more effectively.

Want to find out where your cybersecurity measures stand? At ITS, we can help assess your environment so you can have a better idea of what you need to bolster your security efforts. Fill out our form for a free security assessment!
