
Mastering the Cybersecurity Incident Response Plan: A Blueprint for Every Business

Get the playbook on cyberattack response best practices…and how to keep chaos from turning into costly damage.

Key Takeaways:

  • How many businesses are preparing for cybersecurity incidents?
  • Why do you need a cybersecurity incident response plan?
  • What should you include in your cyber incident response checklist?

Did you know that 49% of businesses are preparing for cybersecurity incidents by developing and testing a response framework, according to IBM’s 2025 Data Breach Report?

Before getting started on today’s agenda (how to create a cybersecurity incident response plan), it’s worth understanding why preparation is key.

For most businesses now, it’s really not a question of if an attack will occur; it’s more a matter of when.

And once you accept that, the next logical step is to ensure you have a reliable incident response playbook for cyber threats, so you can react appropriately and limit the damage, be it financial, reputational, or otherwise.

Make no mistake: If the worst hits, the clock starts ticking immediately. Speed is everything…and the quicker you respond, the smaller the fallout.

Having a plan enables you to react much faster than if you were trying to work out what to do on the fly. 

(Plus, it ensures your team knows all security incident escalation procedures and who to contact.)

There’s also a good chance you’ll need to report to your cyber insurers and relevant regulators. For instance, if you’re subject to the FTC Safeguards Rule, you must notify the Federal Trade Commission (FTC) of a breach involving the information of at least 500 consumers no later than 30 days after you discover it.

A cybersecurity incident response plan also helps you make all your disclosures on time, because the deadlines and the people responsible for them are written down before the clock starts.

Incident Response Plan Phases

Here’s your cyber incident response checklist:

#1. Defining The Scope

Start by defining what you consider a cyber incident to be, so people know when to start implementing the plan.

A cybersecurity incident doesn’t necessarily have to be an attack from outside. It could be something that happens inside your business.

Examples of incidents to include in the scope:

  • Loss of confidentiality of information.
  • Compromise of the integrity of information.
  • Unauthorized access to systems and data.
  • Misuse of systems or information.
  • Theft and damage to systems.
  • Malware infections, including viruses and ransomware.
  • Phishing and other targeted email attacks.

Once you’ve defined the scope, you need to decide what information you’ll collect in the event of a cyber incident.

#2. Collecting Information

For most businesses, the typical information to collect includes:

  • Date of the incident.
  • Name of the person reporting the incident.
  • Location of the incident.
  • Type of incident.
  • Description of the incident.

You also have to decide how you’re going to collect this and include it in your plan. (Online forms like Microsoft Forms or spreadsheets can work well.)

Something to remember, however, is that the incident may prevent you from using your computers. A good example is a ransomware attack. Therefore, you should provide a paper-based alternative that people can use. 

You also need to document what to do with the information once it’s recorded. In other words, who should it be sent to and how?

Remember that email might not always be available, so consider alternative methods of communication, such as photographing or scanning the paper form and sending it over a messaging app like WhatsApp. Agree on that out-of-band channel in advance, and do not pick one that runs on the systems most likely to be affected.

Finally, the people receiving the information are responsible for passing it to the relevant stakeholders so the incident can be addressed. That’s the next step. Nominate more than one person for this role, so the plan still works when your primary contact is absent.

#3. Communication

The most important step of the whole plan is communicating the details of the incident.

Create a list of all the parties you need to communicate with, along with the incident response team’s roles and responsibilities.

Examples of parties you might need to contact include your:

  • I.T. provider
  • Internal I.T. department (if you have one)
  • Police
  • Insurers
  • Clients and investors
  • Marketing and communications department
  • Legal team

Essentially, for each party your communication plan should state:

  • Who to contact.
  • The scenarios in which to contact them.
  • How to contact them.
  • What information to provide them.

Here’s an example of a contact matrix:

Company/Contact: Attentus Technologies

Scenario to contact them: Any incident involving the I.T. systems. Attentus Technologies will manage the technical elements of the incident to isolate the threat and recover systems.

How to contact them: Call them at (253) 455-7458 as soon as you discover the issue.

Information to provide them with:
  • Date of the incident
  • Name of the person reporting the incident
  • Location of the incident
  • Type of incident
  • Description of the incident

The benefit of prompt communication is two-fold.

First, it ensures your team or I.T. provider starts working on the incident early.

On the client-facing side, communication lets people know you’re in control of the incident. 

It’s far more important that clients hear from you that you know what is happening and are working to restore services than that they hear it second or third hand, for instance from social media, or worse, from the attackers themselves contacting your clients because they hold some of their data.
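To make steps 1 to 3 concrete, here is an added example (not from the original article, and not code Attentus provides) of a small Python intake-and-escalation script. It checks an incident report against the required fields from step 2, routes it to the contact-matrix rows whose scenario matches the incident type, and computes the FTC Safeguards Rule 30-day reporting deadline mentioned earlier. The I.T. provider row mirrors the matrix above; every other contact, its scenarios and channels, the incident type labels, and the sample report are assumptions constructed for illustration, not real contacts or a real incident.

```python
"""Incident intake, escalation routing and disclosure-deadline tracking.

Added example, not from the article and not Attentus code. Contacts other than
the I.T. provider, their scenarios and channels, and the sample report below are
constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Step 1: the incident types that bring the plan into scope (the article's scope list).
INCIDENT_TYPES = frozenset({
    "confidentiality_loss", "integrity_compromise", "unauthorized_access",
    "misuse", "theft_or_damage", "malware", "phishing",
})

# Step 2: the fields every intake record must carry (the article's collection list).
REQUIRED_FIELDS = ("date", "reported_by", "location", "incident_type", "description")

ANY = "*"  # marker for "contact this party in any scenario"


@dataclass(frozen=True)
class Contact:
    name: str
    scenarios: frozenset    # incident types that trigger this contact, or {ANY}
    how: str                # a channel that does not depend on the affected systems
    info_to_provide: tuple  # which intake fields to pass along


# Step 3: the contact matrix. The I.T. provider row mirrors the article; the other
# rows, their scenarios and their contact channels are assumptions for this example.
CONTACT_MATRIX = (
    Contact("IT provider (Attentus Technologies)", frozenset({ANY}),
            "Call (253) 455-7458 as soon as the issue is discovered", REQUIRED_FIELDS),
    Contact("Insurers", frozenset({ANY}),
            "Phone the claims hotline printed on the policy schedule", REQUIRED_FIELDS),
    Contact("Police", frozenset({"theft_or_damage", "unauthorized_access"}),
            "Phone the non-emergency number", ("date", "location", "description")),
    Contact("Legal team", frozenset({"confidentiality_loss", "unauthorized_access", "malware"}),
            "Phone first; follow up by email only once email is known to be safe",
            REQUIRED_FIELDS),
    Contact("Marketing and communications", frozenset({"confidentiality_loss"}),
            "Phone; they draft the client-facing statement",
            ("date", "incident_type", "description")),
)


def validate_report(report: dict) -> list:
    """Return the problems with an intake record; an empty list means it is complete."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not report.get(f)]
    kind = report.get("incident_type")
    if kind and kind not in INCIDENT_TYPES:
        problems.append(f"incident type not in scope: {kind}")
    return problems


def route(report: dict) -> list:
    """Pick the contacts whose scenario matches the incident, with the fields each needs.

    Raises ValueError for an incomplete record, so a half-filled form is bounced
    back to the reporter instead of being escalated with gaps.
    """
    problems = validate_report(report)
    if problems:
        raise ValueError("; ".join(problems))
    routed = []
    for contact in CONTACT_MATRIX:
        if ANY in contact.scenarios or report["incident_type"] in contact.scenarios:
            payload = {f: report[f] for f in contact.info_to_provide}
            routed.append((contact.name, contact.how, payload))
    return routed


def ftc_safeguards_deadline(discovered: date, consumers_affected: int,
                            subject_to_rule: bool) -> Optional[date]:
    """FTC Safeguards Rule: a breach involving at least 500 consumers must be reported
    to the FTC no later than 30 days after discovery. Returns the deadline, or None
    when the rule or its threshold does not apply."""
    if subject_to_rule and consumers_affected >= 500:
        return discovered + timedelta(days=30)
    return None


# Constructed sample intake record (not a real incident).
SAMPLE_DISCOVERED = date(2025, 3, 3)
SAMPLE_REPORT = {
    "date": SAMPLE_DISCOVERED.isoformat(),
    "reported_by": "J. Doe, Finance",
    "location": "Head office file server",
    "incident_type": "malware",
    "description": "Shared-drive files renamed with a .locked extension; ransom note on desktops.",
}

if __name__ == "__main__":
    for name, how, payload in route(SAMPLE_REPORT):
        print(f"{name}: {how}\n  provide: {payload}")
    print("FTC deadline:", ftc_safeguards_deadline(SAMPLE_DISCOVERED, 1200, subject_to_rule=True))
```

Keeping the matrix as data rather than prose means the paper copy of the plan can be generated from the same source the script uses, so the two never drift apart. The script itself has to live somewhere the incident cannot take out, which is exactly the point the article makes about paper forms and out-of-band channels.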

#4. Incident Management

Once you’ve reported the incident to the appropriate parties, you’ll need ongoing management, and you need to record how you’ll manage it.

The typical tasks involve documenting all findings. You’re going to get lots of responses from the various parties you contact, and you need to record all that information. 

Those same parties will likely want more information from you, so you need people available to respond to them. 

You also need to make sure that you’re regularly communicating with your internal teams, including your staff and senior management, any investors or other interested parties in your business, and your clients as well. 

If you don’t communicate, they’ll make assumptions about what’s happening, and you don’t want that to happen. As mentioned earlier, it’s really important to show that you’re in charge of this whole process.

Once the incident has been addressed, make sure everything has been documented in case you need it later.

You’ll also need to hold regular update meetings among the people involved in these activities. So you should have a record of how you’re going to do that. For instance, do you do it by phone or meet in person, and how frequently?

#5. Test Your Plan

Once you have the cybersecurity incident response plan, you must test it at least once a year, preferably twice.

A test doesn’t necessarily mean contacting the parties. You can run a tabletop (desktop) exercise: invent a plausible incident and walk through what you would do, who you would contact, what information you’d provide them, and how you would keep the business updated. Record any step that stalls or any contact detail that turns out to be wrong, and fix the plan afterwards.

It’s also important that everyone in your business has access to this plan, because you don’t know who will be available when an incident occurs. So, create both electronic and paper copies and ensure everyone knows where they are.

Get Expert Help Developing Your Cybersecurity Incident Response Framework

Need help developing your cyber incident recovery strategy? Attentus can help. 

One of our core values is delivering exceptional results, and we can help you craft a plan tailored to your business’s risk profile to minimize the impact of a breach. 

Get in touch to learn more.