Incident Response Plan

man with diagram in front of him pointing to a button to activate an incident response plan
Let's Talk

What is an Incident Response Plan?

Your IT operation faces threats every day from cybercrime, data loss, service outages, and even natural disasters. Without an incident response plan (IRP), you could be subject to substantial downtime. An IRP gives you a disaster recovery plan to quickly mitigate the risk and control the incident. In addition, it provides a set of instructions to support detection, response, and recovery from network security incidents.

An IR Plan serves to:

  1. Protect your data by securing backups, identity access and management, and timely patching of vulnerabilities.
  2. Reduce the costs and damage associated with a breach like regulatory fines, liability compensation, investigations, and system restoration.
  3. Reinforce your reputation. A study by IDC determined that 80% of consumers would do business elsewhere if a data breach directly impacted them.

Despite the apparent need in light of constant cyber-attack threats, IBM Security reported that 77% of organizations lack a cybersecurity incident response plan. Even worse, companies (54%) with a plan fail to regularly test them, making them less capable of managing attacks.

Automation, in particular, falls short as roughly 25% of companies deploy any kind in their processes like identity access management  (IAM) or security information and event management (SIEM) tools. Equally concerning, many organizations indicate they lack sufficient employee levels to maintain a high level of cyber resilience.

The lax approach to incident response comes when 57% of organizations indicate that the time to resolution of cyber incidents is increasing. Moreover, 65% of organizations indicate the severity of attacks is increasing. Speed plays a major in managing a cyber breach. The longer a hacker spends in your network, the more damage they can do. An IR plan limits that time because responders know the necessary steps to mitigate the breach.

Expect an Increased Profile in Incident Response Management

Considering that PCI DSS requires an incident response plan, the market for IRP is forecast to grow considerably. Last year, it stood at $21.72 billion. By the end of 2026, the market value projects to $61.01 billion at a CAGR of nearly 19%.

Additional factors contributing to that growth include increased security breaches, more stringent compliance and government regulations, and greater cyber-attack sophistication. The heavy financial losses associated with security breaches also factor in the projected growth.

Services associated with incident response include breach investigation, forensic services, examination and analysis of applications, data, networks, and endpoint systems.

Steps to Creating an Incident Response Plan

The National Institute of Standards in Technology (NIST) presents four steps relating to an IR Plan:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Event Activity
Source: NIST

Here’s a closer look at each step:


Compile a list of IT assets covering networks, servers, and endpoints. Next, identify which assets are critical or contain sensitive data. Next, monitor each asset to establish a performance baseline. Finally, determine what security events require investigation and create detailed response steps for those incidents.

Make sure your plan includes any assumptions or limitations. And make it clear what your plan intends to accomplish. You’ll also want to establish who has the authority to activate it and when they can do so.

Preparation also requires proper training regarding incident response roles in the event of a breach. In addition, you should include backup individuals if the primary contact is absent. Finally, it’s critical to conduct mock data breaches to evaluate your plan and ensure its success.

Detection and Analysis

The former requires data collection from:

  • IT systems
  • Security tools
  • Public availability information
  • People from inside and outside the organization
  • Identifying precursors for incidents that may happen
  • Identifying indicators showing an attack occurred or is happening now

You’ll want to determine when the event happened, areas impacted, how significant the compromise is, and the point of entry.

Analysis requires identifying a baseline of regular activity for affected systems, correlating related events, and determining their deviation from expected behavior.

Containment, Eradication, and Recovery

Containment seeks to stop the attack to minimize its damage. Your containment strategy depends on the damage potential of each incident, service availability requirements, and solution duration based on hours, days, weeks, or a permanent solution.

During containment, you should identify the attacking host and validate the IP address. Doing so allows you to identify and block the attacker and understand their mode of operations. You can also search for and intercept other communications they have in use. It’s best to have a redundant backup system in place to help restore business operations.

It’s important to note that you should avoid a knee-jerk reaction and remove items until you have conducted your investigation. Otherwise, you’ll destroy evidence that will support your forensics and prevent you from devising a plan for future prevention.

Your plan should address recovery time and recovery point objectives. For example, how much time can your business afford to be offline? An hour? A day? The answer to those questions shapes your recovery plan and underlying efforts.

Eradication and recovery require removing all elements of the breach from your environment – identifying affected hosts, removing malware, hardening your systems, applying patches, and closing or resetting passwords for breached user accounts. You’ll also want to update and patch your systems to make them current.

The recovery stage gets your business operations up and running again. Therefore, you’ll want to examine available tools to mitigate reoccurrences. For example, you might consider incorporating file integrity monitoring, intrusion detection/prevention, and other devices into your operation.

Post-Incident Activity

Learn from the cyber event. Then, hold an after-action meeting to review the incident and discuss your learnings. Here are some questions you might want to ask:

  • How did the breach occur?
  • What worked well?
  • Where did you encounter issues?
  • What could you have done better?
  • What were system weaknesses exposed?
  • How can you prevent a similar breach?

Use your findings to improve your process and adjust your IR plan.

Ready to Assemble an IR Plan for Your Organization?

There’s no time like the present to create your incident response plan. The consequences associated with a data breach cripple your business with downtime, lost revenues, and reputation loss. Plus, studies show that you face an 80% chance of a second breach once successfully breached.

We’ve helped SMBs from all industry sectors with various IT services, including cybersecurity, cloud backup, business continuity and disaster recovery, and more. So if you’re looking for an IT company near you for IT support, get in touch. We’ll help you navigate through the escalating cyber threat environment.

Experiencing similar challenges?

We'll Eliminate Your Technology Hurdles

At IntermixIT, we approach your business challenges from experience. We deploy best practices in delivering all our IT solutions. We’ll drive your IT success.

Don't Settle for Poor Support from Your Managed IT Service Provider​
We’ll Deliver a Customer Experience that Drives IT Success.

Book Your 13-Minute Consultation