Safety and Security Nov 03, 2021

How to Create an IT Incident Response Plan for Your Business

Learn how to build an incident response plan for your business so you can protect private employee, customer, and company data when a cyberattack hits.

Cybersecurity incident response should be a daily concern for businesses of all sizes. The Identity Theft Research Center reports nearly 281.5 million people have been affected by some sort of data breach in 2021. And this year’s numbers for cybersecurity incidents have already surpassed 2020 totals by 17%.

In May 2021, ransomware attacks hit a major U.S. insurance carrier, shut down one of the country’s largest fuel pipelines, and halted operations at a global beef manufacturer. In June, another IT incident exposed the private personal data of 700 million LinkedIn members. It’s not just large businesses that are susceptible though. 43% of cyberattacks target small businesses—many of which have no IT incident response plan in place.

As IT security incidents increase in volume and severity, every business needs a plan for keeping employees informed and connected if critical IT systems are compromised. Below, we’ll outline the process of creating an IT incident response plan to help you protect private employee, customer, and company data.

Why Businesses Should Prioritize Incident Response

Cybersecurity incidents cost American individuals and businesses billions of dollars each year—approximately $3.5 billion in 2019 alone, according to the FBI. From phishing and malware to stolen passwords or unencrypted employee laptops, there are a number of ways hackers can gain access to private information.

When business systems or data are compromised, it disrupts vital business functions, including service delivery to your customers. Your systems could be taken offline or taken over without your permission. Hackers will have access to unauthorized sensitive information, and, depending on your industry, you could face legal and compliance violations. Between legal fees, cleanup costs, lost sales, and more, IBM reported an average cost-per-incident of $4.24 million.

But perhaps the highest toll of a data breach is the damage caused to consumer trust and brand reputation. With the right incident response, your business can better navigate the challenges of a cybersecurity event and maintain good standing with your customers and public opinion. And the first step to a good response is to create a plan.


Creating an Incident Response Plan for Your Organization

An IT incident response plan is a set of written instructions and procedures which outline how you’ll respond to attempted or actual attacks. The ultimate goal is to prevent, detect, and mitigate cybersecurity incidents. Having an incident response plan in place allows your company to:

  • Identify security incidents as early as possible
  • React quickly to minimize damage
  • Reduce system and business downtime
  • Prevent future attacks

Incident response (and the creation of your plan) should not fall completely on the IT team. Instead, think of it as a company-wide initiative that includes ongoing education, training, information security, and the use of data safety practices.

6 Steps for a Successful Cybersecurity Incident Response

The SysAdmin, Audit, Network, and Security (SANS) Institute’s framework is a widely used and respected approach to incident response. SANS is the world’s largest provider of training, education, certification, and research about cybersecurity, and they also operate an early warning system for global cyber threats. Here are the incident response steps recommended by the SANS framework:

1. Preparation

Preparation can make or break the effectiveness of your incident response process when a data security threat appears, so a lot goes into this phase. The goal is to get all your systems and procedures ready so that you can react quickly when a threat comes to light. Start by reviewing existing data security protocols and refining them or, if necessary, creating new ones.

Other key actions in the preparation phase may include:

Define your threats

Use a risk assessment to understand the different types of cybersecurity threats that could affect your business, assess your company’s vulnerabilities, and assign priorities to assets based on their value.


Hold tabletop exercises to run through potential scenarios, ask questions, and consider what-ifs from a place of calm (vs. after a threat or an attack has occurred). You can draft an After Action Report to help you tune your plan after trial runs.

Outline the steps

A comprehensive incident response plan should include specific instructions for before, during, and after an attack. For instance, it should specify who is responsible for threat intelligence, whom they will contact and when, what steps should be taken, and in which order.

Build your security team

Assign roles and outline who is responsible for each action of the plan. Ideally, an incident response team will be a cross-functional group including members from IT, operations, legal, and communications.

Create a crisis communication plan

A crisis communication plan covers how you’ll handle both internal and external communication about the outage, as well as how you plan to communicate when critical systems are down. An emergency notification system is one option for getting the word out to your people when all else fails.

2. Identification

Identifying threats early on is critical for damage control. Threat identification includes the processes, tools, and procedures used to detect the nature, source, and severity of potential attacks on your IT infrastructure. If you don’t already have a threat identification process in place, writing the response plan is your chance to establish one.

Consider what monitoring tools, intrusion detection systems, and firewalls you will use to identify risks and determine their reach. Abnormal user or system behavior is often the first clue that something is amiss—thus, the identification process should include collecting and monitoring ongoing data such as error messages, event logs, and login attempts. When a threat or a breach is identified, notify the response team so they can launch containment and communication plans immediately.
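The identification step above comes down to collecting login and error events, spotting abnormal behavior, and handing the finding to the response team. The script below is an added example (not code from the original article or from AlertMedia) that runs simple detection logic over a handful of constructed authentication log lines: it counts failed logins per source address inside a sliding window, raises the severity when a successful login follows the burst, and passes each finding to a `notify_response_team` stand-in. The log format, the five-failure threshold, and the five-minute window are assumptions chosen for the example.

```python
"""Added example: brute-force login detection over constructed auth log lines.

Illustrates the identification phase: collect login events, flag abnormal
behavior (a burst of failures from one source, possibly followed by a
success), and hand the finding to the response team.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The format is an
# assumption modelled loosely on OpenSSH's authentication messages.
SAMPLE_LOG = """\
2021-11-03T08:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000
2021-11-03T08:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51002
2021-11-03T08:00:05 sshd[1201]: Failed password for root from 203.0.113.7 port 51004
2021-11-03T08:00:07 sshd[1201]: Failed password for root from 203.0.113.7 port 51006
2021-11-03T08:00:09 sshd[1201]: Failed password for root from 203.0.113.7 port 51008
2021-11-03T08:00:11 sshd[1201]: Failed password for root from 203.0.113.7 port 51010
2021-11-03T08:00:13 sshd[1201]: Accepted password for root from 203.0.113.7 port 51012
2021-11-03T08:15:00 sshd[1301]: Failed password for alice from 198.51.100.4 port 40000
2021-11-03T08:15:20 sshd[1301]: Accepted password for alice from 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

FAILURE_THRESHOLD = 5           # failures from one source within the window (assumed)
WINDOW = timedelta(minutes=5)   # sliding window for counting failures (assumed)


def parse_events(text):
    """Turn raw log text into (timestamp, result, user, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real collector would still retain it
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag sources with at least `threshold` failures inside `window`.

    A later successful login from a flagged source is recorded as the
    high-severity case (the burst may have ended in a compromise)."""
    failures = defaultdict(list)   # source -> timestamps of recent failures
    alerts = {}                    # source -> finding
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold:
                finding = alerts.setdefault(src, {"source": src, "failures": 0,
                                                  "first_seen": recent[0],
                                                  "succeeded_after": None})
                finding["failures"] = len(recent)
        elif result == "Accepted" and src in alerts:
            alerts[src]["succeeded_after"] = user
    return list(alerts.values())


def severity(finding):
    """Map a finding to a triage level the response team can act on."""
    return "critical" if finding["succeeded_after"] else "high"


def notify_response_team(findings, send=print):
    """Hand each finding to the response team.

    `send` stands in for the real channel (email, pager, emergency
    notification tool); the formatted messages are returned for auditing."""
    messages = []
    for f in findings:
        msg = (f"[{severity(f).upper()}] {f['failures']} failed logins from "
               f"{f['source']} since {f['first_seen'].isoformat()}")
        if f["succeeded_after"]:
            msg += f"; subsequent successful login as '{f['succeeded_after']}'"
        send(msg)
        messages.append(msg)
    return messages


if __name__ == "__main__":
    notify_response_team(detect_brute_force(parse_events(SAMPLE_LOG)))
```

Run as-is, the script reports a single critical finding for 203.0.113.7 (six failures in two minutes, then a successful root login) and stays silent about alice's one mistyped password, which is exactly the distinction between noise and a real incident that the response team needs drawn before it is paged. In production the thresholds and window would be tuned against your own baseline of normal activity, and the finding would be fed into the containment step rather than just printed.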

3. Containment

Once your organization detects an incident, containment becomes top priority. Containment methods depend on the type of threat. Regardless, acting fast is key to minimizing and preventing further damage to your systems, data, and business continuity. Containment generally includes the following sub-phases:

Short-term containment

This means, for example, isolating the network segment that is under attack, taking an infected server offline, and redirecting traffic to a backup or standby system.

Long-term containment

This includes protective measures like adding access controls to unaffected systems or blocking IP addresses and providing temporary fixes while preparing for the recovery phase.

4. Eradication

By this point, your IT and incident response team should be able to see and understand the full extent of an attack. They will begin removing malicious content, viruses, malware, or other threats and restoring affected systems while being careful to minimize data loss. This key stage of effective incident response also entails identifying the root cause of the attack and applying basic security best practices to prevent future incidents. Other critical eradication tasks might be to reinstall or reimage hosts, reset passwords, and adjust firewalls or network configurations.

5. Recovery

Next, the recovery phase begins. At this point, the PR or external crisis communications team will focus on proactive communication and service recovery with customers. Meanwhile, the organization should be focused internally on restoring the data to its most recent clean version, then testing and validating affected systems before carefully bringing them back online. You should monitor system behavior closely throughout recovery to ensure that systems are not re-infected.

A key goal of recovery is to do everything possible to prevent another incident in the future. Preventative actions might include additional encryption methods, setting up multi-factor authentication for devices, performing system updates, and investing in security and backup.

6. Lessons learned

They say hindsight is 20/20, and that’s certainly true with threat intelligence and response. For this reason, the SANS incident response framework recommends taking time to reflect after a cybersecurity incident affects your company. No more than two weeks from the end of the incident, the response team should begin this process, which should include:

Write an incident report

An IT incident report with complete documentation will come in very handy for response to future incidents—and it’s necessary if you plan to press criminal charges.

Hold a recap meeting

Conduct a meeting with your response team and other key stakeholders to go over the report and discuss lessons learned.

Identify key areas for improvement

Using all evidence, documentation, and findings from the recap meeting, update your response plan based on what you learned.

Maintain Cybersecurity Best Practices to Prevent IT Incidents

As you can imagine, incident response is an ongoing process—ideally, one that improves with each round through documentation and feedback. Another way to protect your organization is by promoting a culture of data safety within your company. Teach your employees about security best practices and work to maintain them. For example:

  • Keep hardware and software up to date
  • Use a VPN to privatize connections
  • Have an action plan for securing employees’ mobile phones
  • Provide firewall security for your internet connection
  • Make sure all laptops have security software installed
  • Train employees about smart password use
  • Limit employee access to sensitive data and information
  • Encourage employees to back up their devices regularly
  • Require employees to change passwords every three months


The reality is, cyberattacks affect companies every day, regardless of industry, size, or number of years in business. Creating a company-wide incident response plan is no small task—but simply hoping for the best isn’t an option. When the inevitable does occur, you’ll be happy you had a plan in place.

As with any emergency, communication is critical during an IT incident. You need to notify employees about system outages, communicate with the response team, and field questions—all during a fast-moving and high-stakes situation. An emergency notification software solution can help you streamline communication during this time. Having a place to store your contact records and communication templates helps you plan for and organize your communication around these events and saves your organization time and stress.
