Bridgehead IT logo

How to Craft an Effective Computer Security Incident Response Plan

Posted: Mar 2021

The pandemic has caused many businesses to switch to remote working. This has sped up our reliance on the cloud and similar solutions. While these are great options, we do need to be aware of the higher security risks.

Data breaches in 2020 cost an average of $3.86 million. That doesn’t include the reputational cost if customers don’t trust you’ll protect their data.

To combat this, your business needs a computer security incident response plan. It will help you to guard against attacks but it also shows you what to do if the worst happens.

Here’s how to craft an effective incident response plan.

What Is an Incident Response Plan?

Your first step to crafting a plan is to understand what it does and why you need one.

In short, your cyber incident response plan explains how to respond to the most likely threats. That can include cybercrime, malware, and even user error.

Malware and viruses continue to pose an ever-present threat. Vicious malware Emotet made a comeback in 2020. It affected 5 percent of businesses around the world.

Meanwhile, you can provide training to combat user error once you know what the risks are. You’ll pinpoint these training needs in your plan.

The plan also outlines the responsibilities of different roles. It guides who has the authority to make decisions. It also includes the way communication should flow and how to notify users.

Ultimately, the plan’s job is to save time during an incident by giving you a roadmap to follow. It also guides your post-incident evaluation. In this process, you can learn from what happened and strengthen your plan.

1) Establish the Plan’s Scope

Is the plan going to be specific to a department? A service? Or do you want the plan to cover the entire business?

Any of those options are fine, but you need to establish the scope first. This will dictate how complex the plan needs to be.

Use this to get funding and approval from management to create the plan. Again, the scope of the plan will dictate who needs to give approval.

A single department needs approval from the department head. Getting approval for a plan for the whole business can take longer.

Small businesses will have fewer needs than multinational corporations. Yet they still need a plan to cover their operations.

2) Decide on the Plan’s ‘Trigger’

Your next step is to decide how you will know when to use the plan. What will alert you that an incident has happened?

You might already have a system in place to log information. You can design a process to analyze this information so you get alerts about issues.

Remember, different threats can present with the same symptoms. It’s important to pinpoint the problem quickly so you can apply the right solution.

What will the system look for? You need to decide what counts as an incident. This could include:

  • The presence of malware
  • Unidentified or unauthorized users accessing files
  • Unsecured devices appearing on the network
  • DDoS attacks on your servers

List the incidents the plan will cover. Add the appropriate responses to each type of incident. It’s also good practice to list the responses in order of priority.

Decide at what point you need to escalate incidents to senior management. Your IT department can deal with one user who clicks a malicious link and floods their machine with adware. 

Yet high-risk incidents mean you need to let them know what’s happening. You need to flag those incidents so you know to escalate them.

3) Determine Your Priorities

When a single incident occurs, your plan walks you through how to respond to it. Yet what will you do if several incidents happen at once? How do you know what to tackle first?

Your plan should also list incidents in order of how critical they are. This means you can deal with incidents based on the damage they can do, rather than the order in which they happen.

Incidents that impact business functions should be higher up the list. One way to organize the list is in terms of how much downtime each incident will cause.

Some incidents will be related, so build a point of analysis into your plan. That way, you can tackle several incidents at once by responding to their shared root.

By now, you’ll know what documentation you need to write. You can also create a training schedule for the team members involved in each step.

Staff can be your Achilles heel when it comes to security. Keeping their training up-to-date is an ideal way to reduce risks.

4) Respond and Recover

So far, you’ve focused on identifying what counts as an incident and who needs to deal with it. The next stage of your plan will tell you what to do next. It also focuses on how to get back to normal operations.


Craft an incident report template. This adds consistency to your reporting procedures so you can spot patterns in the incidents you encounter.

Following a template also means you capture as much information as possible. This means your IT staff can focus on solving the problem, rather than trying to figure out what the problem is.

Damage Control

Create a damage control procedure. How can you stop the damage from getting worse, or affecting other services?

Let’s look at our previous example, that of a lone user ending up with an adware infection. The device can be disconnected from the network and handled appropriately.

Make sure your procedure includes these processes, as well as those scaled across the whole business.

Required Tools

Pinpoint the tools you’ll need to fix the incidents you’ve identified so far. Plan the cost of software into your IT budget.

This also includes training and education so your staff has the right skills to deal with security incidents.

Potential Partners

You’ll need to work with others to contain problems and get the business back up and running.

List who you will work with internally to manage a recovery effort. Next, list those external bodies who may be able to help. These include your cybersecurity partners.

Assemble a team that can liaise with stakeholders. They can let them know what’s happening and how long it may take to resolve the incident.

They can also communicate the length of the recovery process.

Getting Back To Normal

How will you restore the system back to normal operations? This will vary depending on the severity of the incident. Create a series of procedures to suit each incident.

This should also include the order in which you’ll restore services. Their priority dictates the order this should take.

6) Add a Final Review Stage

The last part of your plan should be a review of how you handled the cyber attack response. Ask yourself these questions in your analysis phase.

  • How quickly did you identify the issue?
  • What impact did it cause?
  • Did it expose any weak spots in your system or procedures?
  • Have you found any extra training needs as a result?
  • What could you do better next time?
  • Who needs to be responsible for finding security problems?
  • Did your plan address the resources you need to resolve incidents?

Use your answers to improve your systems, processes, and plan. With any luck, your plan will work well and you’ll respond quickly. You’ll avert excessive damage and be back up and running very soon.

Even so, you’ll still find things you can add to your plan that you didn’t foresee. This is a good thing because it means you can continually strengthen your plan.

77 percent of companies don’t even have a plan. Having one that you refine over time is still a definite advantage.

7) Formalize Your Plan

Now you’ve followed all these steps, it’s a good idea to formalize your plan. 

Make sure it includes contact details for staff identified as crucial to the plan. Include backup details in case anyone is unavailable. Try to include two people per role and two types of contact methods.

Turn your plan into a flowchart so that you can follow the processes and procedures quickly. Include the escalation plan so staff know who to contact and when if an incident happens.

Checklists are helpful so staff can follow the process you’ve laid out in the right order. Include your reporting templates to gather information about the incident.

Have guidance for handling different types of incidents. You don’t want staff running the procedure for a whole-organization problem if it only affects one department.

Where possible, link the incident response plan to the business continuity and disaster recovery plans.

Do You Have an Incident Response Plan?

Now you know how to craft an effective incident response plan. This will give you the confidence to tackle problems when they arise.

Remember, new threats emerge on a regular basis so you won’t be able to plan for every eventuality. Yet your plan should be flexible enough to accommodate incidents you haven’t anticipated.

Forewarned is forearmed!

Do you need help in creating an incident response plan for your business? Contact us today and we can help you get up and running.

Connect with us today for all of your outsourced IT needs