Incident response plan for SMBs
Create a simple incident response plan: roles, contacts, decisions, communication, evidence, and recovery.
Problem
During an incident, everyone improvises and critical decisions take too long.
Expected outcome
A short plan that says who does what in the first 60 minutes.
Define roles
An incident requires technical, legal, commercial, and executive decisions.
- Incident owner.
- Communications owner.
- Legal and insurance contact.
Preserve evidence
Logs, disk images, and screenshots help you understand and prove what happened.
- Do not reinstall too quickly.
- Preserve logs.
- Document actions.
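One way to carry out the "Preserve logs" and "Document actions" steps above, as an added example that is not part of the original page: copy log files into an evidence folder, record a SHA-256 hash for each copy, and keep an action journal in which every entry carries the hash of the previous one. The function names, the file names (manifest.json, actions.jsonl) and the sample log line are assumptions made for this illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def log_action(journal, operator, action):
    """Append a timestamped entry chained to the hash of the previous line."""
    journal = Path(journal)
    lines = journal.read_text().splitlines() if journal.exists() else []
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else "0" * 64
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "operator": operator, "action": action, "prev": prev}
    with journal.open("a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def preserve_logs(sources, evidence_dir, operator):
    """Copy logs (never move them), hash each copy, journal each step."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in map(Path, sources):
        dst = evidence_dir / src.name      # assumes unique file names
        shutil.copy2(src, dst)             # copy2 keeps original timestamps
        manifest[src.name] = sha256_file(dst)
        log_action(evidence_dir / "actions.jsonl", operator,
                   f"preserved {src} sha256={manifest[src.name]}")
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir):
    """Return the names of files that changed since they were preserved."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    bad = [n for n, d in manifest.items() if sha256_file(evidence_dir / n) != d]
    prev = "0" * 64
    for line in (evidence_dir / "actions.jsonl").read_text().splitlines():
        if json.loads(line)["prev"] != prev:   # broken chain: journal edited
            bad.append("actions.jsonl")
            break
        prev = hashlib.sha256(line.encode()).hexdigest()
    return bad

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample log
        log = Path(tmp, "auth.log")
        log.write_text("Jan 01 00:00:01 host sshd[1]: constructed sample line\n")
        preserve_logs([log], Path(tmp, "evidence"), "incident-owner")
        print(verify_evidence(Path(tmp, "evidence")))
```

The chain exposes an edit to any journal entry that has a later entry after it; the most recent entry is only covered once the next action is logged.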
Communicate without making things worse
Premature or imprecise communication can create reputational risk.
- Pre-approved messages.
- Dedicated internal channel.
- Decision on regulatory notification.
Frequently asked questions
How long should the plan be?
For an SMB, a tested 5 to 10 page plan is better than a long unused document.
When should an external expert be called?
As soon as there is encryption, possible exfiltration, critical downtime, or a notification duty.
Should the plan be tested?
Yes, at least one tabletop simulation per year.
Prepare the first 60 minutes
Cybernow creates and tests your incident response plan.