Cyber Incident Response Planning & Guide

    With cyber attacks on the rise, creating a solid security plan for your business is more important than ever. An incident response plan can help you identify a breach or security issue and then stop, contain, and control it quickly. Whether or not your business has already had a security breach, at some point it will, and you’ll need to know how to handle it when the time comes. This guide will help you put an incident response plan in place so you’ll be ready if and when disaster strikes.

    This guide will cover:

    • Why you need an incident response plan
    • Types of incident response plans
    • Steps to creating an incident response plan
    • Tools that can help during an incident

    Why you need an incident response plan

    According to a June 2020 Cybint article, a hacker attack takes place every 39 seconds. Not all of these are aimed at businesses, but many of them are since businesses provide the hacker with larger rewards. In fact, the same article explains that 43% of cyber attacks actually target small businesses, which many don’t think of as high-priority targets for cyber criminals. Because small companies generally invest less on cyber security, it’s easier to get to the information within their servers. Depending on the industry, that could be just as valuable as getting into a larger company’s database.

    Not only are cyber attacks a nuisance, but they can be costly, too. A CNBC report explains that breaches of all sizes cost businesses of all sizes an average of $200,000. For small businesses, the cost of one such attack is enough to put them out of business completely. 

    If your business isn’t prepared to defend itself against cyber attacks, you could be one attack away from bankruptcy. Having an incident response plan can help you recognize and control cyber attacks quickly and with as little data loss as possible.

    Examples of incidents you may face in your business include:

    • Phishing
    • Malware
    • Stolen credentials
    • Devices being lost or stolen
    • Insider attacks
    • Ransomware

    Types of incident response plans

    There are two main types of incident response plans that you can choose from. One isn’t necessarily better than the other as they tend to approach threats similarly. You’ll have to decide for yourself which one best suits your business and your team.


    The National Institute of Standards and Technology (NIST) is a government agency that specializes in all things related to technology, including cyber security. Because of their expertise, they have become one of the two go-to sources for information on incident responses. The NIST plan includes four steps:

    1. Preparation
    2. Detection & analysis
    3. Containment, eradication, & recovery
    4. Post-incident activity


    SysAdmin, Audit, Network, and Security (SANS) is a private organization solely focused on security rather than general technology. Their plan consists of six steps:

    1. Preparation
    2. Identification
    3. Containment
    4. Eradication
    5. Recovery
    6. Lessons learned

    While seemingly longer than the NIST template, the steps are actually very similar. The main difference is that NIST combines some steps, while SANS keeps them all separate.

    Steps to creating an incident response plan

    1. Preparation

    Preparation is the actual planning phase, where you’ll create your plan and get all of your ducks in a row. This way, when a breach happens, phase two can be quick and seamless. To start preparation, create a list of all of your assets, including servers, networks, and even laptops, and then rank them in order of importance. You’ll also need to monitor traffic patterns on each device using some manner of endpoint security, so you’ll know what their baseline is and it will be easier to spot abnormalities later.

    Weather, sickness, and the occasional pandemic can keep your employees out of the office. It may also be difficult for your employees to get to the network during breaches or natural disasters. Whatever the cause, there needs to be a way for your staff to access the network remotely, so if there is a breach, they can shut it down quickly and limit as much data loss as possible. VPNs and secure web gateways can help you accomplish this and keep your data secure.

    You can’t practice an incident response plan during a crisis, so it’s important to train extensively beforehand. Only your IT team probably needs to understand the full extent of the plan, but everyone else in your organization should at least have some idea of how important it is. Full employee cooperation during a breach can help shorten it, and your employees knowing what to look out for in their day to day operations can help prevent one in the first place.

    2. Detection, analysis, and identification

    Once you get to this step, something in your system has alerted you that there’s a problem. You need to find the source of the issue and determine whether or not it’s a real threat. 

    Then, you need to start researching and find out everything you can about it. Was it a full breach? Just one server? Where did they get in? If all of your security tools are centralized with a Security Information and Event Management (SIEM) software, this process will be much easier. Once you’ve learned all you can, you’re ready to shut it down.

    3. Containment, eradication, and recovery

    This is the biggest difference between the two plan types. NIST views this as a single step, while SANS separates them. With containment, you’re trying to stop the removal of any more data than has already been taken. You take the entry point you found in the last step and seal it off from the attacker. If that’s a server, you won’t want to shut the system down completely because you could lose valuable data. Instead, disconnect from the internet and make sure any remote access is disabled.

    Then, you need to remove the threat. Depending on how many servers and systems were infiltrated, eradication can take a long time. This could mean removing malicious code from your system or repairing any damage the attack caused. You need to make sure all of the servers are cleared before you begin recovery. 

    Recovery can be as simple as getting business back to running like normal if no systems went down. If they did, you’ll need to get them running again. Keeping meticulous data backups can reduce your recovery time after an attack. Regardless, this process should be done slowly, so you don’t accidentally welcome the attacker back in after you just got them out.

    4. Post-incident activity and lessons learned

    Each incident can and should be treated like a learning experience. You won’t do everything perfectly the first time, but you can learn from your mistakes and respond better and faster the next time. While it may be tempting to simply move on from the incident and get back to business as usual, taking some time to review everything you learned will be invaluable in the long run. 

    When you find areas that were lacking, add them to your incident response documentation. You can’t plan for every scenario upfront, so taking the time afterwards can strengthen your defenses for the future.

    Tools that can help during an incident

    While most of your incident response plan is going to depend on manpower, there are software and tools you can take advantage of to make the process easier. In fact, automated monitoring tools, like Endpoint Detection and Response (EDR), speed up your response time because you don’t have to wait for a human to notice an issue.

    Generally, incident response tools are included with other security services. Vendors like Cisco, Carbon Black, IBM, and Symantec all offer incident response as part of their security offerings. 

    The main thing is to stay calm and work through your incident response plan like you’ve practiced. As long as you’ve done thorough planning, your business will be back to normal before you know it.

    Jenn Fulmer
    Jenn Fulmer
    Jenn Fulmer is a writer for TechnologyAdvice, IT Business Edge, Channel Insider, and eSecurity Planet currently based in Lexington, KY. Using detailed, research-based content, she aims to help businesses find the technology they need to maximize their success and protect their data.

    Get the Free Newsletter!

    Subscribe to Daily Tech Insider for top news, trends, and analysis.

    Latest Articles