AlignTrust

Incident Response

The structured process an organisation follows to detect, contain, investigate, and recover from a security incident.

What Is Incident Response?

Incident response (IR) is the organised approach an organisation takes when a security incident occurs — whether that's a ransomware attack, data breach, phishing compromise, or insider threat. A well-defined IR process reduces damage, shortens recovery time, and improves defences for the future.

The goal isn't to prevent every incident (that's impossible) — it's to respond effectively when one happens.

The Six Phases of Incident Response

  1. Preparation: Establish policies, assign roles, maintain tool access, and train your team before an incident occurs
  2. Identification: Detect and confirm that a security incident is actually happening, not a false alarm
  3. Containment: Isolate affected systems to prevent the incident from spreading — short-term (stop the bleeding) and long-term (rebuild safely)
  4. Eradication: Remove the threat from your environment — malware, compromised credentials, attacker persistence
  5. Recovery: Restore systems and return to normal operations, verifying everything is clean before reconnecting
  6. Lessons Learned: Document what happened, what worked, what didn't, and update your plan accordingly

What Belongs in an IR Plan

  • Clear roles and escalation paths (who does what, who calls whom)
  • Contact list for legal counsel, IR retainer, insurance, key vendors
  • Runbooks for the most likely scenarios (ransomware, BEC, data breach)
  • Communication templates for staff, customers, and regulators
  • Criteria for activating external IR support
  • Evidence preservation guidelines

Why SMBs Need an IR Plan

Most SMBs assume they'll "figure it out" when something happens. In practice, incident response under pressure — with no pre-agreed process, no communication templates, and unclear ownership — results in longer downtime, higher costs, and more damage. Having a plan halves the cost of a breach on average.

Start simple: even a two-page document with roles, contacts, and basic steps is dramatically better than nothing.