The Plain English Version

Incident response is your plan for what to do when something goes wrong - a cyber attack, data breach, or security incident. It is the difference between panic and a coordinated, effective response.

Think of it like a fire drill. You hope you never need it, but when you do, everyone needs to know exactly what to do, who to call, and how to contain the damage.

The Six Phases

1. Preparation - Plans, training, tools ready before anything happens

2. Identification - Detecting that an incident has occurred

3. Containment - Stopping the incident from spreading

4. Eradication - Removing the threat from your systems

5. Recovery - Restoring systems to normal operation

6. Lessons Learned - Reviewing what happened, why it happened, and how to prevent a recurrence

Why Most SMEs Are Unprepared

When a ransomware attack hits at 3am on a Saturday, you do not want to be figuring out who to call. Yet most small businesses have no documented incident response plan, no retainer with an IR provider, and no tested procedures.

The result? Decisions made in panic, evidence destroyed accidentally, and recovery taking far longer than necessary.

Building Your IR Capability

  • Document the plan - Who does what, contact numbers, decision trees
  • Define roles - Incident commander, communications lead, technical lead
  • Establish relationships - IR provider, legal counsel, cyber insurance
  • Test regularly - Tabletop exercises to practice scenarios
  • Know your obligations - For example, the GDPR requirement to notify the regulator of a personal data breach within 72 hours

The First Hour Matters

Actions in the first hour of an incident can determine whether you recover in days or months. Preserve evidence, contain the threat, and activate your plan. Do not start wiping systems or paying ransoms without expert guidance.