Incident Response Planning: What to Do When You Get Hacked
When a security incident happens, chaos and confusion make everything worse. An incident response plan transforms panic into coordinated action that limits damage.
Why Incident Response Planning Matters
The question isn't whether your business will face a security incident—it's when. Organizations with incident response plans save an average of $2.66 million per breach compared to those without one.
Without an incident response plan, businesses waste critical hours determining who's responsible, what steps to take, and how to communicate. With a plan, your team executes coordinated responses that minimize impact and demonstrate competence to customers, regulators, and stakeholders.
The Cost of Poor Incident Response
Time Delays Multiply Damage
In 2025, it takes an average of 241 days to detect a breach and 82 days to contain it. Every additional day of exposure drives the cost higher.
Breaches contained in under 200 days cost $1 million less than those taking longer. The global average breach cost has reached $4.44 million.
Without a plan, leadership debates response while the attack continues. Teams struggle with notification obligations, delayed engagement of external experts, and costly mistakes from operating without procedures.
Regulatory Penalties
Many regulations require incident response capabilities. HIPAA mandates incident response plans, while GDPR requires breach notification within 72 hours.
State privacy laws specify notification timelines, and PCI-DSS demands documented incident response procedures. Failure to respond appropriately compounds regulatory penalties beyond the breach itself.
Reputation Damage
Chaotic, delayed, or incompetent incident response loses customer trust beyond the incident itself. It creates media stories about poor security and demonstrates lack of preparation.
A fumbled response suggests ongoing security deficiencies. Customers remember how you handled the crisis more than the breach itself.
The SMB Gap
57% of small and medium-sized businesses have no incident response plan. This leaves them vulnerable to catastrophic damage from security incidents that larger organizations routinely manage.
Incident Response Framework
The NIST Incident Response Lifecycle provides the standard framework followed by security professionals worldwide.
Preparation
Establish capabilities before incidents occur. Build your team, create playbooks, and establish relationships.
Detection and Analysis
Identify and understand incidents as quickly as possible. Determine scope, severity, and initial response requirements.
Containment, Eradication, and Recovery
Stop the attack, remove attacker presence, and restore operations. Balance speed with thorough investigation.
Post-Incident Activity
Learn from every incident. Update procedures, implement improvements, and share lessons learned.
Phase 1: Preparation
Build Your Incident Response Team
Incident Response Coordinator
The coordinator manages overall incident response and coordinates team activities. Often an IT Manager or Security Lead, this person has decision-making authority and serves as the external communication liaison.
Technical Lead
Your Technical Lead handles investigation, containment actions, and system recovery. This is typically IT staff or your MSP, responsible for forensic evidence preservation.
Legal Counsel
An attorney assesses legal obligations and provides regulatory notification guidance. They review communications, manage litigation risk, and can invoke attorney-client privilege over investigations.
Communications Lead
This role manages internal communications, customer notifications, and media relations. Marketing or PR staff monitor social media and ensure consistent messaging.
Executive Sponsor
The CEO or owner provides final decision authority. They allocate resources, communicate with stakeholders, and make business continuity decisions.
Additional Members
Include HR for insider threats, Finance for fraud incidents, and Compliance staff for regulated industries.
Establish Communication Channels
Out-of-Band Communications
Don't rely on email or systems that may be compromised. Use personal cell phones, dedicated incident response phone lines, and secure messaging apps like Signal.
Use external video conferencing tools that aren't part of your corporate infrastructure.
Contact Lists
Maintain team member phone numbers including personal cells. Document after-hours contact information, escalation procedures, and external contacts.
Keep these lists updated and accessible outside your normal systems.
Identify External Resources
Incident Response Firm
Establish relationships with specialized cybersecurity firms before you need them. Understand costs and engagement processes—these firms are often provided through cyber insurance.
Breach Response Legal Counsel
Work with attorneys who specialize in breach response, not just general business law. They understand notification requirements and can invoke attorney-client privilege over investigations.
Cyber Insurance Carrier
Know how to initiate a claim and have the 24/7 breach hotline number readily available. Understand your approved vendor panel, coverage details, and limits.
Public Relations Firm
Find a crisis communications specialist and establish the relationship in advance. Ensure they have rapid engagement capability when you need them.
Forensic Specialists
Identify digital forensics providers for investigation and data recovery. These may be the same as your incident response firm.
Notification Services
Line up credit monitoring providers, customer notification vendors, and call center services before a breach occurs.
Law Enforcement
Understand reporting procedures for the FBI and the Secret Service. Know your local field office contacts and establish relationships with cybercrime units.
Technical Preparation
Logging and Monitoring
Implement centralized log collection with a SIEM or similar tool. Maintain appropriate log retention of 90+ days with regular review procedures.
Set up alerting on suspicious activities to catch incidents early.
Backup and Recovery
Test backup procedures regularly and maintain offline or immutable backups. Document restoration procedures and conduct regular restoration testing.
Untested backups are worthless during ransomware attacks.
Network Documentation
Maintain current network diagrams, asset inventories, and data flow maps. Identify critical systems that require priority protection and recovery.
Access Inventory
Track all user accounts and permissions, administrative access, and VPN or remote access methods. Document third-party vendor access to your systems.
Detection Tools
Deploy endpoint detection and response (EDR) tools, network intrusion detection, and email security monitoring. Implement cloud security monitoring for cloud-based assets.
Documentation and Templates
Pre-Create Templates
Prepare customer breach notification letters, employee incident communications, and media statements in advance. Have regulatory notification forms, vendor notifications, and website incident notices ready.
During an incident, you won't have time to write these from scratch.
Procedures and Playbooks
Create step-by-step playbooks for ransomware response, phishing incidents, data breaches, and insider threats. Each should provide specific actions for different scenarios.
Contact Lists
Maintain lists for your incident response team, external resources, key stakeholders, customer contact methods, and regulatory agencies.
Training and Exercises
Tabletop Exercises
Conduct annual scenario-based walkthroughs to test decision-making without technical execution. These exercises identify gaps in your plan and build team familiarity.
Walk through realistic scenarios like ransomware encryption of your file server, phishing compromise of executive email, data exfiltration by malicious insiders, or third-party vendor breaches exposing your data.
Technical Drills
Test backup restoration, practice network isolation, and verify evidence collection procedures. Test communication channels to ensure they work when needed.
These hands-on drills validate that your technical procedures actually work.
Phase 2: Detection and Analysis
Incident Identification
Common Detection Sources
Security tool alerts from EDR, firewalls, and SIEM systems are primary detection sources. User reports of suspicious emails or unusual behavior are equally important.
External notifications from customers, vendors, or security researchers often reveal incidents. Abnormal system behavior like slow performance or crashes may indicate compromise.
Audit findings, media reports, and dark web monitoring can also reveal incidents.
Initial Assessment Questions
Determine what type of incident occurred—malware, phishing, breach, or other. Establish when it started and what systems are affected.
Assess whether the incident is still active and what data is involved. Identify who needs immediate notification.
Incident Classification
Critical (P1)
Active ransomware or destructive attacks require immediate response. Large-scale data breaches in progress, compromise of critical business systems, and incidents with significant business impact all fall into this category.
High (P2)
Confirmed malware infections that are contained, unauthorized access to sensitive systems, and data exposure of moderate scope require urgent response within hours.
Medium (P3)
Phishing emails that were clicked but resulted in no compromise, suspicious activity under investigation, and limited scope incidents require response within the business day.
Low (P4)
Security policy violations, unsuccessful attack attempts, and informational security events follow standard workflow response procedures.
Initial Response
First 30 Minutes
Activate your incident response team immediately. Notify the coordinator, brief available team members, and establish your out-of-band communication channel.
Perform initial containment if possible. Isolate affected systems from the network, disable compromised accounts, and block malicious IPs or domains.
Document everything from the start. Record time of discovery, systems affected, actions taken, people notified, and all observations and evidence.
Assess immediate risks. Determine if the attack is ongoing, what data is at risk, what systems are vulnerable, and whether business continuity is threatened.
Notify key stakeholders including executive leadership, your cyber insurance carrier, and legal counsel to invoke privilege.
Investigation
Forensic Analysis
Determine the initial access vector—how attackers got in. Establish a timeline of when the compromise began and the full scope of what systems were accessed.
Assess what data was accessed or exfiltrated. Identify any persistence mechanisms or backdoors that were installed.
Understand the attackers' goals and what they were after.
Evidence Preservation
Create forensic images before remediation begins. Preserve logs by making copies before they rotate out of retention.
Screenshot relevant findings and maintain chain of custody. Don't alert attackers that you're investigating—operate quietly until you're ready to eradicate them.
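The log preservation and chain-of-custody steps above, as an added Python example (not the article's or SimplCyber's own code): it copies log files before they rotate out of retention, hashes each copy with SHA-256, writes a manifest recording who collected what and when, and re-verifies the copies later so tampering is detectable. The directory layout, manifest field names and the sample log line are assumptions.

```python
# Added example, not code from the original article: copy log files into an
# evidence folder before they rotate out of retention, hash each copy with
# SHA-256, write a chain-of-custody manifest, and re-verify the copies later.
# Directory layout, manifest field names and the sample log line are assumptions.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(source_paths, evidence_dir, collector, case_id):
    """Copy each source into evidence_dir and record collector, time and hash.
    Returns the manifest dict, also written to evidence_dir/manifest.json."""
    os.makedirs(evidence_dir, exist_ok=True)
    items = []
    for src in source_paths:
        dest = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dest)        # copy2 preserves the original timestamps
        copy_hash = sha256_of(dest)    # the hash of record is taken on the copy
        items.append({
            "source": os.path.abspath(src),
            "evidence_copy": dest,
            "sha256": copy_hash,
            "size_bytes": os.path.getsize(dest),
            # False means the source was still being written while it was copied
            "source_matched_after_copy": sha256_of(src) == copy_hash,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"case_id": case_id, "items": items}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_evidence(evidence_dir):
    """Re-hash every preserved copy; returns paths that are missing or changed."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [i["evidence_copy"] for i in manifest["items"]
            if not os.path.exists(i["evidence_copy"])
            or sha256_of(i["evidence_copy"]) != i["sha256"]]

def demo():
    """Constructed run: preserve a log, verify, tamper with the copy, verify again."""
    work = tempfile.mkdtemp()
    log = os.path.join(work, "auth.log")
    with open(log, "w") as f:  # constructed sample line; 203.0.113.5 is a documentation address
        f.write("Jan 10 03:14:07 fs01 sshd[412]: Accepted password for admin from 203.0.113.5\n")
    evidence = os.path.join(work, "evidence")
    preserve_logs([log], evidence, collector="analyst-1", case_id="IR-EXAMPLE-001")
    before = verify_evidence(evidence)             # [] : copy intact
    with open(os.path.join(evidence, "auth.log"), "a") as f:
        f.write("tampered\n")
    after = verify_evidence(evidence)              # one mismatch reported
    return len(before), len(after)                 # → (0, 1)
```

The manifest's `source_matched_after_copy` flag is worth recording: a `False` there tells the investigator the live log was still being appended to during acquisition, so the copy is a point-in-time snapshot rather than the file's final state.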
Analysis Tools
Use EDR forensic capabilities, log analysis through your SIEM, and network traffic analysis. Memory forensics and malware analysis may be necessary for complex incidents.
Phase 3: Containment, Eradication, and Recovery
Containment Strategy
Short-Term Containment
Isolate affected systems and disable compromised accounts immediately. Block malicious traffic, stop data exfiltration, and prevent lateral movement to other systems.
Long-Term Containment
Patch vulnerabilities that were exploited and strengthen access controls. Implement additional monitoring and prepare for complete eradication.
Containment Considerations
Balance business continuity needs with security requirements. Don't alert attackers prematurely before you're ready to act.
Preserve evidence for investigation and document all containment actions taken.
Eradication
Remove Attacker Presence
Delete all malware and remove unauthorized accounts. Eliminate backdoors and persistence mechanisms, close access vectors, and patch exploited vulnerabilities.
Validation
Scan for remaining indicators of compromise and verify all attacker access is removed. Check for additional compromised systems and test for any remaining persistence mechanisms.
Timing
Coordinate eradication across all systems simultaneously to prevent attackers from re-establishing access. Plan for business interruption during this phase.
Recovery
System Restoration
Rebuild critical systems from a clean state rather than trying to clean infected systems. Restore from known-good backups taken before the compromise occurred.
Update all systems before returning them to production. Verify integrity before reconnecting to the network.
Phased Return to Operations
Restore critical systems first with enhanced monitoring during recovery. Gradually reconnect systems to the network and verify functionality before returning to normal operations.
Validation
Ensure all systems are clean and patched with security controls functioning properly. Verify monitoring is operational and backups are current.
Complete all documentation before declaring the incident resolved.
Communication During Response
Internal Communication
Update the response team at least daily while an incident is active. Brief executives daily on incident status and response actions.
Notify employees as appropriate and establish clear guidance on what to say and what not to say.
External Communication
Customers
Provide timely notification if their data was affected. Offer a clear explanation of what happened and what actions you've taken to protect them.
Advise customers on steps they should take and provide resources like credit monitoring.
Regulators
Submit notifications within required timeframes with all required information and documentation. Maintain ongoing cooperation and provide remediation plans.
Media
Prepare statements in advance with a designated spokesperson. Maintain consistent messaging and never speculate about aspects you haven't confirmed.
Partners and Vendors
Notify partners if their data was affected. Collaborate on investigation if vendor-related and fulfill contractual notification obligations.
Law Enforcement
Contact the FBI, the Secret Service, or local police as appropriate. Provide requested information, but understand that they may not investigate due to resource constraints.
Phase 4: Post-Incident Activity
Incident Documentation
Incident Report Contents
Create an executive summary of the incident with a detailed timeline of events. Document the attack vector and methodology, systems and data affected, and response actions taken.
Calculate costs incurred and capture lessons learned. Include specific recommendations for improvement.
Evidence Retention
Maintain all incident-related documentation and preserve forensic evidence. Retain logs, analysis results, and communication records for litigation and compliance needs—typically 3-7 years.
Lessons Learned Review
Post-Incident Meeting
Conduct a lessons learned meeting within two weeks of incident resolution. Include the full incident response team, key stakeholders, and external parties who assisted.
Discuss what happened and why, what worked well, and what didn't work. Determine what you would do differently next time.
Identify gaps that were discovered and improvements that are needed.
Meeting Outcomes
Update your incident response plan based on lessons learned. Launch security improvement initiatives and identify training needs.
Document tool and resource requirements to handle similar incidents better in the future.
Remediation and Improvement
Technical Improvements
Patch vulnerabilities that were exploited and implement additional security controls. Enhance monitoring and detection capabilities and improve backup and recovery procedures.
Address infrastructure gaps that contributed to the incident.
Process Improvements
Update incident response procedures based on what you learned. Refine communication templates and adjust escalation criteria.
Improve team coordination for future incidents.
Training
Provide incident response team training on new procedures. Conduct security awareness training for employees incorporating lessons learned.
Run tabletop exercises specifically addressing the incident type you experienced.
Incident-Specific Playbooks
Ransomware Response
Immediate Actions
Isolate infected systems by disconnecting them from the network immediately. Identify the ransomware variant from the ransom note and file extensions.
Determine the scope of how many systems are encrypted. Notify your cyber insurance carrier and incident response firm right away.
Don't pay the ransom immediately—consult with experts first.
Investigation
Determine the initial infection vector and attacker dwell time, which is often days or weeks before encryption occurs. Assess whether data was exfiltrated in a double extortion scenario.
Check whether your backups were compromised by the attackers.
Recovery
Restore from offline or immutable backups and rebuild critical systems. Implement enhanced security measures before returning systems to production.
Consider whether decryption tools exist for your specific ransomware variant.
Ransom Payment Decision
Consult with legal counsel, insurance, and your incident response firm before making payment decisions. Consider backup availability, business impact, and double extortion risks.
Law enforcement discourages payment, and paying doesn't guarantee successful decryption.
Phishing Incident Response
Immediate Actions
Identify all affected users and disable compromised accounts. Reset credentials and review account activity logs for unauthorized actions.
Check for email forwarding rules that attackers commonly install. Scan for malware if an attachment was opened.
Investigation
Determine what data was accessed through the compromised account. Check whether other accounts were compromised, whether MFA was bypassed, and whether attackers enrolled their own MFA methods.
Identify whether emails were sent from the compromised account.
Recovery
Remove the malicious email from all mailboxes where it was delivered. Restore any emails that were deleted by attackers.
Notify affected parties if their data was accessed. Provide additional training to affected users to prevent recurrence.
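The forwarding-rule check described above, as an added Python example that is not the article's or SimplCyber's code: it reviews an exported set of a mailbox's inbox rules for forwarding to outside addresses, rules that delete or bury messages that would warn the user, and rules with blank names. The field names follow Exchange Online Get-InboxRule properties as an assumption; the organization domain, sample rules and addresses are constructed.

```python
# Added example, not code from the original article: review a mailbox's inbox
# rules for the patterns attackers leave after a phishing compromise: silent
# forwarding to outside addresses, rules that hide security warnings, and
# rules with blank names. Field names follow Exchange Online Get-InboxRule
# properties as an assumption; the sample rules and domains are constructed.
ORG_DOMAINS = {"example.com"}          # assumption: the organization's own domains
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email", "archive", "conversation history"}
WATCH_WORDS = {"password", "invoice", "wire", "payment", "security", "suspicious", "hacked", "phish"}

def is_external(address):
    """True when the address belongs to a domain outside ORG_DOMAINS."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def review_rule(rule):
    """Return a list of findings for one inbox rule; an empty list means benign."""
    findings = []
    # Any of the three forwarding actions sends a copy of mail out of the mailbox.
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [a for a in targets if is_external(a)]
    if external:
        findings.append("forwards mail to external address(es): " + ", ".join(external))
    # Rules that delete or bury messages about passwords, invoices or security
    # alerts keep the mailbox owner from noticing the compromise.
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])}
    hides = (rule.get("DeleteMessage", False)
             or (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS)
    if hides and words & WATCH_WORDS:
        findings.append("hides messages mentioning " + ", ".join(sorted(words & WATCH_WORDS)))
    if len(rule.get("Name", "").strip()) <= 2:
        findings.append("rule name is blank or a single character")
    return findings

def review_mailbox(rules):
    """Return [{'name', 'enabled', 'findings'}] for every rule with at least one finding."""
    report = []
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report.append({"name": rule.get("Name", ""),
                           "enabled": rule.get("Enabled", True),
                           "findings": findings})
    return report

SAMPLE_RULES = [  # constructed export for one mailbox
    {"Name": "Move newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True,
     "BodyContainsWords": ["password", "invoice"], "DeleteMessage": True},
    {"Name": "Backup", "Enabled": True,
     "ForwardAsAttachmentTo": ["mail-drop@attacker.example"]},
    {"Name": "Team", "Enabled": True, "RedirectTo": ["colleague@example.com"]},
]

if __name__ == "__main__":
    for entry in review_mailbox(SAMPLE_RULES):
        print(entry["name"] or "<blank>", "->", "; ".join(entry["findings"]))
```

Disabled rules are reported too, since a rule an attacker left switched off can be re-enabled after the account is returned to the user.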
Data Breach Response
Immediate Actions
Stop ongoing data exfiltration immediately. Preserve all evidence of the breach and engage legal counsel to invoke privilege.
Notify your cyber insurance carrier right away.
Investigation
Determine exactly what data was accessed or exfiltrated and how many individuals are affected. Identify the attackers if possible and document the access method and full timeline.
Notification
Determine your legal notification obligations, which vary by state and regulation. Timelines are often 30-60 days from discovery, though some regulations require faster notification.
Ensure notification content includes all required elements. Use appropriate methods including mail, email, or substitute notice.
Notify regulators according to parallel notification requirements. Provide credit monitoring services when required or as good practice.
Key Takeaways
Organizations with incident response plans save $2.66 million per breach compared to those without one. The 57% of SMBs without plans face catastrophic damage from incidents that prepared organizations manage routinely.
Breaches contained in under 200 days cost $1 million less than those taking longer. With average detection at 241 days and containment at 82 days, preparation dramatically reduces both timelines and costs.
Start with the basics: identify your incident response team, establish communication procedures, and create simple playbooks. Build from there based on your risk profile and resources.
Test your plan regularly through tabletop exercises and technical drills. Untested plans fail when needed, while regular exercises build muscle memory that proves invaluable during actual incidents.
The goal isn't to prevent all incidents—that's impossible. The goal is to detect quickly, respond effectively, and recover completely while minimizing damage and demonstrating competence to all stakeholders.
Ready to Build Your Incident Response Plan?
Don't wait until you're breached to start planning. Get your free security audit and receive customized incident response templates and playbooks for your business.
SimplCyber provides tabletop exercise facilitation, incident response plan development, and ongoing support to ensure you're ready when incidents occur.