How To Guide: Setting Up An Incident Response Plan for SMBs

For SMBs, the thought of being a target for threat actors (i.e., hackers) may seem remote, but in reality SMBs are prime targets. You may be asking yourself why that is. Threat actors know that SMBs do not necessarily have the resources to implement security tools and processes and to actively monitor them on a continuous basis. This makes SMBs a prime target. While the amount of data they consume and/or store as part of their business model may be small, it is still attractive to threat actors that want to steal identities, intellectual property, and more.

An Incident Response Plan (IRP) is a crucial step for small to medium-sized businesses (SMBs) to effectively respond to cybersecurity incidents such as data breaches, malware infections, or phishing attacks. This guide will walk you through the steps to set up a comprehensive and effective Incident Response Plan for your business.

Whether you're just starting to think about incident response or are looking to refine your existing plan, this blog provides practical, actionable advice to safeguard your business. Implementing an Incident Response Plan doesn't have to be complex or costly. With the right approach, even SMBs with limited resources can establish an effective plan that minimizes the impact of cyber incidents.

Step 1: Establish an Incident Response Team (IRT)

What to Do:

  • Identify Key Members: Assemble a team of individuals from various departments, including IT, legal, HR, and communications, to handle different aspects of the incident. Don’t have those functions? Then think about who you would call in case of an operational emergency. Perhaps you have a Jack/Jill of all trades who knows your system setup because they helped to establish your network. Or maybe you used a particular marketing company in the past to craft customer-facing messages and could use their help in creating crisis communication templates. Not all response team members need to be full-time employees; they just need to be able to help when you need it.

  • Assign Roles and Responsibilities: Clearly define each team member’s role in the incident response process. Roles may include Incident Coordinator, IT Lead, Communication Officer, and Legal Advisor. Being an SMB, some people may wear multiple hats, and that is OK. Just document the function needed and who is filling that role.

  • Provide Training: Ensure all team members are trained in cybersecurity best practices and understand their responsibilities during an incident.

Step 2: Identify and Classify Potential Incidents

What to Do:

  • List Potential Incidents: Identify the types of incidents that could affect your business, such as data breaches, ransomware attacks, phishing, or insider threats. The list does not have to be too comprehensive; try to make it as realistic as possible. Not sure where to start? Use a search engine to look up your business/industry/customer type and the types of cybersecurity threats they face.

  • Classify Incidents by Severity: Categorize incidents based on their potential impact on the business, ranging from low (minimal impact) to high (severe impact on operations or reputation). Try to err on the side of caution: being conservative in the impact rating can help emphasize the importance of a timely response.

  • Define Response Procedures for Each Incident: For each type of incident, outline the specific steps that should be taken, including containment, eradication, and recovery.

Step 3: Develop Incident Detection and Reporting Mechanisms

What to Do:

  • Implement Monitoring Tools: Use security software and monitoring tools to detect suspicious activity or potential breaches in real-time. If you don’t have the resources to hire a Security Operations Center (SOC) team there are other options available such as using a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) to outsource the function.

  • Establish Reporting Procedures: Create a clear process for employees to report suspected incidents, including whom to contact and how to provide details.

  • Set Up an Incident Hotline: Consider establishing a dedicated phone number or email address for reporting security incidents. Perhaps you set up a mailbox such as SOC@yourcompanyname.com, or use a Slack or Teams channel for people to report to.

Step 4: Outline Incident Response Procedures

What to Do:

  • Contain the Incident: Define steps to isolate affected systems to prevent the spread of the incident. This may include disconnecting from the network or shutting down affected systems. Ensure that you and your system administrators know whether performing a given action would contaminate evidence or prevent the ability to investigate an incident. For example, shutting down a system during an incident can lose valuable data, hinder investigation efforts, and disrupt operations further, depending on the nature of the incident: it stops the system from recording ongoing activity, which can make it difficult to analyze what happened during the breach or malfunction.

  • Eradicate the Threat: Develop procedures for removing malware, closing vulnerabilities, and eliminating the threat from your environment. In instances where you do not have the expertise in house to perform the eradication, talk to your insurance provider. Typically, cyber insurance companies provide resources to their customers in the event of a security incident, including access to experts and tools to help manage the process. Don’t have cyber insurance? Some quick cyber insurance tips: (1) talk to a broker to get multiple quotes to ensure the best pricing, (2) make sure you understand the policies (ask for legal help if needed), (3) ensure you are assessing the risks honestly as you are filling out the questionnaires, and (4) consider customization of your policies and what they are offering for coverage to keep costs down.

  • Recover and Restore: Outline the steps to restore affected systems and data from backups, ensuring they are fully operational before reconnecting to the network.

Step 5: Develop Communication Protocols

What to Do:

  • Internal Communication: Establish clear guidelines for communicating with employees during an incident. Ensure that the Incident Response Team is kept informed at all stages. This means deciding which incident severity levels may be discussed outside the core IRT.

  • External Communication: Create templates for communicating with customers, partners, authorities (such as the police/FBI), and regulatory bodies if needed. Designate a spokesperson for media inquiries (and ensure that person has media training).

  • Document All Communications: Keep detailed records of all communications related to the incident, including the timing and content of messages.

Step 6: Conduct Regular Testing and Drills

What to Do:

  • Simulate Incident Scenarios: Conduct regular drills simulating different types of incidents to test the effectiveness of your response plan. This can be accomplished by creating scenarios internally or hiring a third-party to come in and conduct a tabletop exercise for you. Talk to your insurance company and see if they offer any services as part of your policy coverage.

  • Review and Update the Plan: After each drill, review what worked and what didn’t, and update the plan accordingly. Perhaps the core IRT needs to be expanded to include more subject matter experts (SMEs).

  • Incorporate Lessons Learned: Document lessons learned from real incidents or drills and integrate them into the response plan to improve future responses.

Step 7: Document and Review the Incident

What to Do:

  • Record Incident Details: As part of the core IRT, there should be someone designated to take notes; keeping track of timelines will be crucial when reviewing detection and notification timing (especially if a breach requires notification to regulatory bodies). Document every aspect of the incident, including how it was detected, the response actions taken, and the outcome.

  • Conduct a Post-Incident Review: After resolving the incident, as noted above, conduct a review with the Incident Response Team to evaluate the effectiveness of the response.

  • Update the Incident Response Plan: Incorporate findings from the review into the IRP to improve future responses.

Step 8: Ensure Legal and Regulatory Compliance

What to Do:

  • Understand Legal Obligations: Familiarize yourself with legal and regulatory requirements for reporting cybersecurity incidents in your industry and region. Additionally, ensure you understand your reporting requirements to your customers. Most contracts have reporting requirements and being compliant with customer contractual obligations builds and maintains trust.

  • Notify Regulatory Bodies: If required, notify relevant authorities and regulatory bodies within the mandated timeframe. This is usually handled by Legal Counsel, whether internal or external to an organization. Establishing a process for notification to regulators will be instrumental in ensuring the right information is communicated at the appropriate time.

  • Prepare Legal Documentation: Ensure all legal documentation related to the incident, including breach notifications and communications and the incident report, is accurate and complete.
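The timeline record from Step 7 and the notification-window check from Step 8, as an added example in Python; this is not code from the original post. The severity rubric in `classify`, the 72-hour and 7-day notification windows, and the sample incident are all constructed assumptions for illustration: the real windows come from your regulators and customer contracts, and the rubric should mirror the severity scale you defined in Step 2.

```python
"""Incident timeline and notification-deadline tracker (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# ASSUMED, illustrative external-notification windows per severity.
# Replace with the deadlines your regulators and contracts actually mandate.
NOTIFICATION_WINDOW = {
    Severity.HIGH: timedelta(hours=72),
    Severity.MEDIUM: timedelta(days=7),
    Severity.LOW: None,  # assumed: no external notification required
}


def classify(operations_disrupted: bool, regulated_data_exposed: bool,
             reputational_risk: bool, uncertain: bool = False) -> Severity:
    """Assumed severity rubric following the low-to-high scale of Step 2.

    Operational disruption or exposure of regulated data is HIGH, a
    reputational risk alone is MEDIUM, anything else LOW. When the facts
    are still unclear, err on the side of caution by moving one level up.
    """
    if operations_disrupted or regulated_data_exposed:
        sev = Severity.HIGH
    elif reputational_risk:
        sev = Severity.MEDIUM
    else:
        sev = Severity.LOW
    if uncertain and sev is not Severity.HIGH:
        sev = Severity(sev.value + 1)
    return sev


@dataclass
class TimelineEntry:
    at: datetime   # stored as timezone-aware UTC
    actor: str
    action: str


@dataclass
class Incident:
    incident_id: str
    kind: str
    severity: Severity
    detected_at: datetime
    timeline: List[TimelineEntry] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.detected_at.tzinfo is None:
            raise ValueError("detected_at must be timezone-aware")
        self.detected_at = self.detected_at.astimezone(timezone.utc)
        self.log(self.detected_at, "detector", "incident detected")

    def log(self, at: datetime, actor: str, action: str) -> None:
        """Append a timestamped action; the note-taker of Step 7 calls this."""
        if at.tzinfo is None:
            raise ValueError("timeline timestamps must be timezone-aware")
        self.timeline.append(TimelineEntry(at.astimezone(timezone.utc), actor, action))
        self.timeline.sort(key=lambda e: e.at)

    def notification_deadline(self) -> Optional[datetime]:
        window = NOTIFICATION_WINDOW[self.severity]
        return None if window is None else self.detected_at + window

    def first(self, action: str) -> Optional[TimelineEntry]:
        return next((e for e in self.timeline if e.action == action), None)

    def elapsed(self, action: str) -> Optional[timedelta]:
        """Time from detection to the first entry with the given action."""
        entry = self.first(action)
        return None if entry is None else entry.at - self.detected_at

    def notification_status(self, now: Optional[datetime] = None) -> str:
        """'not required', 'pending', 'overdue', 'on time' or 'late'."""
        deadline = self.notification_deadline()
        if deadline is None:
            return "not required"
        sent = self.first("regulator notified")
        if sent is not None:
            return "on time" if sent.at <= deadline else "late"
        now = now or datetime.now(timezone.utc)
        return "overdue" if now > deadline else "pending"

    def report(self) -> str:
        lines = [f"Incident {self.incident_id} ({self.kind}, {self.severity.name})"]
        lines += [f"  {e.at.isoformat()}  {e.actor:<12} {e.action}" for e in self.timeline]
        return "\n".join(lines)


def sample_incident(notified: bool = True) -> Incident:
    """Constructed sample data for illustration, not a real incident."""
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    inc = Incident("IR-2024-001", "phishing with credential theft",
                   classify(False, True, False), t0)
    inc.log(t0 + timedelta(minutes=20), "it-lead", "affected account disabled")
    inc.log(t0 + timedelta(hours=2), "coordinator", "IRT convened")
    if notified:
        inc.log(t0 + timedelta(hours=30), "legal", "regulator notified")
    return inc


if __name__ == "__main__":
    inc = sample_incident()
    print(inc.report())
    print("notification:", inc.notification_status())
```

Keeping every timestamp timezone-aware in UTC is the design choice that matters most here: detection-to-notification gaps are what a regulator or customer will ask about, and mixed local times are the usual reason those gaps are disputed later.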

Step 9: Educate and Train Employees

What to Do:

  • Conduct Regular Training: Provide ongoing cybersecurity training to employees, focusing on recognizing and reporting incidents.

  • Share Incident Insights: Use insights from past incidents to educate employees on best practices and potential threats.

  • Encourage a Security-First Culture: Foster a culture where cybersecurity is a priority, and employees feel empowered to act as the first line of defense.

Why It Matters: Well-informed employees are less likely to fall victim to cyber threats and more likely to respond appropriately if an incident occurs.

Step 10: Review and Update the Incident Response Plan Regularly

What to Do:

  • Set a Review Schedule: Regularly review and update your Incident Response Plan, ideally at least once a year or after any significant changes to your business or IT infrastructure.

  • Incorporate Feedback: Use feedback from drills, actual incidents, and employee input to make continuous improvements to the plan.

  • Stay Informed: Keep up with the latest cybersecurity trends and threats, and adjust your plan accordingly.

For SMBs, staying ahead of potential threats by proactively setting up an Incident Response Plan tailored to your business needs is a great step forward.

This guide has been designed to be accessible for all knowledge levels, ensuring that every SMB can take the necessary steps to protect their data, maintain operational continuity, and preserve their reputation in the event of a cybersecurity incident.
