How to draft an Incident Response Plan


Being cyber-confident doesn’t stop at robust controls and protection; it also involves having an incident response plan at your fingertips. By putting clear guidance in place, you can limit the damage if you suffer a cyber-attack, saving your business a great deal of expense and disruption.

Despite their importance, research suggests only 19% of businesses have a formal strategy in place. Increase your odds of defeating cyber criminals by making your incident response plan a priority – it’s easier than you might think. Read on for some tips and, if you’d like more advice, contact the Business Cyber team for a free 30-minute consultation.

Identify key people

Cyber-attacks can have a far-reaching impact, with the potential to affect everyone from your security team to IT, senior stakeholders, legal experts, insurers and marketers. Decide who needs to be involved in the event of an incident and ensure everyone is clear on their roles and responsibilities. Make sure you have at least two methods of contacting each person too – bear in mind you may need to reach them out of hours, and that their work email could be compromised, so at least one method should not depend on your own systems.

Pinpoint priority assets

Take time to identify your most business-critical assets. This enables the incident response team to sharpen their focus in the event of a cyber security threat. Having clarity on your highest priority assets will also help shape your cybersecurity strategy.

Do regular dry runs

Organise regular walk-throughs, so key stakeholders have the opportunity to rehearse what to do in the event of a cyber-attack. This will familiarise everyone with the process and expose potential weaknesses too. Being well-prepared also makes it easier for everyone to think clearly and react appropriately under pressure when a real incident occurs. Make sure you cover a wide range of scenarios too, including ransomware attacks and data breaches, and involve all necessary key contacts.

Be system savvy

Without clear visibility into what a cyber-criminal is doing, it will be hard to react effectively. Be sure your IT and security teams are able to identify the extent of a cyber-attack, the conditions that enabled it and its potential impact. Sophos advises that IT and security teams should ensure they have the ability to determine adversary entry points and points of persistence, and that they collect log data too (be sure this is backed up, so it survives if the systems that produced it are compromised). Make use of incident response tools such as endpoint detection and response (EDR) – these make it easier to identify which assets have been targeted.

Confirm action points

IT and security staff should be confident that they can follow an appropriate course of remedial action once a cyber-attack is identified. These measures will vary according to the scenario, but could include isolating affected systems, freezing breached accounts and blocking remote access.

Cultivate cyber-crime awareness

Human error remains a major cybersecurity risk, so ensure your employees receive thorough training too. This improves their understanding of cyber threats, enabling them to better protect themselves and your business.

Of course, robust IT security is a first-line method of defence. For more advice on this and drafting your incident response plan, book your free 30-minute consultation with the Business Cyber team here.
