Why Your Business Must Have a Cybersecurity Incident Response Plan

Laura Kennedy
Laura Kennedy, Managing Partner, Circle Management Group

If your organization has not yet experienced a cybersecurity event, it’s only a question of time. Size, industry, niche – none of these offer any protection from attackers today. To help reduce your risk and provide some level of protection, it’s critical to have a cybersecurity incident response plan in place.

What Is a Cybersecurity Incident Response Plan?

At its heart, a cybersecurity incident response plan is nothing more than a set of instructions designed to achieve specific things, including:

  • Help you prepare for / prevent cybersecurity incidents
  • Help you detect attacks
  • Help you respond to incidents
  • Help you recover from cybersecurity attacks

Those four areas constitute the stages of a security incident response plan.

The Stages of a Cybersecurity Response Plan

Your cybersecurity incident response plan should include:

Preparing for a Security Incident

The first stage deals with preparations for security incidents. Who is on the response team? What is their contact information? What is their role? When do team members need to be contacted?

Your response team is a critical line of defense against cyberattacks.

This stage also deals with prevention. Preventative steps should be outlined in your current information security policy but should also include conducting regular risk assessments, taking active steps to prevent malware, and more.


The next stage is detecting attacks and threats. Once an incident has occurred, your organization must determine how to respond.

Note that because threats are so vast and varied, it’s impossible to create a specific response to each type. Instead, determine your vulnerabilities and the most likely attack types you will experience.

While you may be able to detect precursors that indicate an imminent attack in some cases, that is not always true. In some instances, you will need to detect indicators that show an attack is occurring or has already occurred. In some cases, you may need to set rules that automatically notify authorities such as the local police, the FBI, or the FTC.


The next stage is your response to the threat or attack. This should be based on the type of attack, but also on whether the attack was caught before it occurred, while active, or after the attack has finished.

There are three parts to this stage – containment, eradication, and recovery:

Containment is only possible if you catch the attack before it happens or while it is occurring. Your containment strategy should include the potential damage to and theft of resources, the need to preserve evidence of the attack, maintaining service availability, the resources (including time) required to deal with the attack, and how long it will take for the solution to be implemented.

Eradication steps will vary based on the type of attack and other factors. The goal here is to stop the attack by closing vulnerabilities, removing malware, and other steps.

After eradication, Recovery can begin, which will include updating your security plan, recovering damaged/lost data, informing stakeholders, and more.

Be Prepared — What to Do Now

Without a cybersecurity incident response plan, your organization may be caught unprepared. It’s not a question of if you’ll experience an attack, but when.

Being prepared can save time and resources while preserving your reputation. Talk to me about a Technology Analysis for your practice or firm, and contact WCA Technologies about a Cyber Security Response Plan now. Preparing for an attack is much less costly than responding to one!