
Does Your Small Business Have an Incident Response Plan? Most Don't.

February 23, 2026 | 5 min read

It is 8am on a Monday. Someone on your team opens an email attachment. Within minutes, files start encrypting across your network. A ransom message appears on the screen. What do you do next? If your answer is 'call our IT guy and figure it out,' you do not have an incident response plan. Most small businesses don't. That is a problem, and it is becoming a more expensive one.

What is an incident response plan?

An incident response plan is a written document that tells your team exactly what to do when a security incident happens. Not in general terms. Specifically. Who makes the call to shut systems down. Who contacts your IT provider. Who notifies clients if their data is involved. Who calls your insurance company. What gets documented and when.

It sounds like something only large companies need. It is not. Small businesses are attacked constantly, often because attackers know there is no plan in place and no one watching. A small firm with no response plan is easier to ransom than a large company with a security team.

What an incident response plan actually needs to cover

  • Who is responsible for declaring an incident and making decisions under pressure
  • How to isolate affected systems quickly to stop the spread
  • Who your IT provider is, their emergency contact number, and your account details
  • Your cyber insurance policy number and the insurer's claims line
  • A list of critical systems and which ones need to come back online first
  • When and how to notify clients whose data may have been affected
  • How to preserve evidence for insurance claims and any legal requirements
  • Who speaks publicly about the incident, and what they are authorized to say

What is a business continuity plan, and how is it different?

An incident response plan focuses on the first hours of an attack. A business continuity plan focuses on the days after. How do you keep serving clients when your systems are down? What is the minimum you need to operate?

For a CPA firm, that question is especially pointed during tax season. If your file server goes down on April 8th and your backup is three weeks old, your continuity plan needs to address that gap before it happens.

A business continuity plan maps out your critical functions, the systems and people those functions depend on, and what you do when those systems are unavailable. It also covers recovery time objectives: how long can you afford to be down before the damage becomes serious?

Your cyber insurance may already require both

This is the part most small business owners do not know. Many cyber liability insurance policies now require a documented incident response plan and a business continuity plan as a condition of coverage. Some require that both are reviewed and updated annually.

If you file a claim after a breach and you cannot show that you had a plan in place, your insurer may deny the claim or reduce the payout. The coverage you have been paying for may not protect you the way you think it does.

Before your next renewal, read your policy carefully. Look for language around security controls, incident response procedures, or business continuity requirements. If you are not sure what you are looking at, ask your broker to walk you through it.

How to build one without overcomplicating it

A small business incident response plan does not need to be a 50-page document. It needs to be clear, specific, and something your team can actually follow when they are panicked at 8am on a Monday.

Start with the basics. Write down the five to ten most likely scenarios: ransomware, phishing, a lost laptop, an employee account being compromised. For each one, write out the first five steps your team should take. Put the document somewhere everyone can access it, including offline if your systems are down.

Then review it every year, or any time something significant changes: a new IT provider, a new office, or a change in the systems you use. A plan that reflects how your business worked two years ago may not reflect how it works today.

Who needs one most urgently

Any business that stores client data, handles financial records, or operates in a regulated industry should have both plans in writing. That includes CPA firms, medical offices, law firms, and financial advisors.

It also includes any business that has cyber liability insurance, since the coverage may depend on having these plans in place.

If a breach or extended outage would threaten your ability to serve clients or stay in business, you need a plan. Most small businesses that answer that question honestly realize they are overdue.

We help small businesses and accounting firms in the Chicago area build incident response plans and business continuity plans that are practical, up to date, and aligned with what their cyber insurance requires. If you are not sure where you stand on either, a free security assessment is a good place to start. We will review what you have and tell you honestly what needs attention.

ITM Consulting
