The version of this conversation I have too often: a small business calls after a ransomware hit, and in the first ten minutes I learn that the IT admin rebuilt two affected workstations before anyone thought to image them, someone already emailed customers about a "technical issue," and the cyber insurer has not been notified. Every one of those decisions — made quickly, under pressure, trying to help — just made the situation worse. The insurer may dispute coverage because the machines were wiped before forensics. The customer email may trigger a formal breach notification obligation the business was not ready for. The rebuilt machines are gone as evidence.
None of that happens when there is a plan in the drawer. Not because the plan is perfect, but because the plan had already thought through those decisions in a calm room with people who knew what they were doing.
Why most small business IR plans fail before the first call
The most common failure mode is not having no plan — it is having a plan that is inaccessible during an incident. A plan that lives in a SharePoint folder is useless when SharePoint is down. A plan that references the previous IT vendor's phone number is useless when that vendor was replaced eight months ago. A plan that says "contact the IT department" is useless when the IT department is one person who is also the person staring at the ransomware note.
The second failure mode is a plan that nobody has read since it was written. A 40-page incident response policy produced by a consultant three years ago and never opened again is a compliance artifact, not an operational tool. Whoever picks up the phone during an incident has not read it, does not know where it is, and will not find it in time to help.
The fix is simple: a short plan, printed and physically accessible, reviewed once a year by the people who will actually use it.
The five things your IR plan must include
1. A single-page quick-reference card, printed. One page covers: the name and emergency number of your IT provider, the breach hotline number for your cyber insurer, your attorney's number if you have one, and the three immediate steps anyone in your office should take if they suspect an incident. That card lives in the office manager's desk drawer and the server room. Not in the cloud. If your systems are down or encrypted, a PDF is inaccessible. Paper is not.
2. Clear containment authority. Someone in your organization must be explicitly authorized to disconnect machines from the network, disable user accounts, or take a server offline — without waiting for a conference call. In a ransomware incident, the difference between disconnecting an infected machine in the first 60 seconds and waiting 15 minutes for someone to make that call can be the difference between one encrypted device and your entire file share. "Disconnect" means pull the network cable or turn off Wi-Fi, not pull the power: shutting the machine down destroys the memory contents the forensic team will want later. Document who that person is, who the backup is when they are unavailable, and what they are authorized to do without prior approval.
3. A vendor contact list with emergency escalation paths. Your managed IT provider's regular help desk number is not the right call at 11 PM on a Saturday. You need the after-hours emergency line. Same for your cyber insurer: there is a standard claims number and there is a breach hotline. The breach hotline is the one that triggers immediate response; calling the claims number often means leaving a voicemail. Your plan should also list the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. Filing a report does not commit you to a law enforcement investigation, but the details you submit feed the FBI's tracking of active ransomware campaigns and are worth providing.
4. A communication holding statement. When something is clearly wrong and employees and customers are asking questions, someone will say something. Make sure it is something that does not create legal exposure. A pre-drafted holding statement — "We are aware of a technical incident and are working with our IT provider to investigate. We will communicate more information as soon as it is available." — buys you 24 to 48 hours without admitting scope, without triggering premature breach notification, and without saying anything a plaintiff's attorney can use later. Your cyber insurer's breach counsel can provide approved language before you need it; ask during onboarding, not during the incident.
5. An evidence preservation rule, written down and enforced. This is the rule most often violated under pressure, and the one that causes the most downstream damage. Do not wipe, rebuild, or restore a compromised machine until your IT provider or the insurer's forensic team has imaged it. Forensic investigation — determining how the attacker got in, what they accessed, and whether data was exfiltrated — depends on log files, memory contents, and disk artifacts. Memory is lost the moment the machine is powered off or rebooted; logs and disk artifacts are overwritten the moment you run a recovery install or restore from backup. A claim dispute over whether the breach triggered notification obligations cannot be resolved if the evidence no longer exists. Write the rule down: "No affected system will be powered off, wiped, or rebuilt until written clearance from [IT provider or forensic team]."
Testing your plan: the tabletop exercise
A plan that has never been practiced is a guess. A tabletop exercise is the lowest-cost way to find the gaps before they cost you anything.
The format is simple: one hour, the relevant people in a room or on a call, and a facilitator who walks through a scenario. "It is Tuesday at 9 AM. An employee calls to say their desktop shows a message claiming all files have been encrypted and requesting Bitcoin payment. What does your team do first?"
What typically surfaces: nobody has the emergency IT number memorized and it is not posted anywhere visible. The person with containment authority is on vacation and there is no designated backup. The backup system has not been tested in 11 months and nobody is confident it will actually restore. The CEO's first instinct is to pay the ransom before calling anyone. None of these are unusual findings. All of them are fixable in an afternoon when discovered in a tabletop exercise; they are catastrophic when discovered during a real incident.
Once per year is enough to keep the plan current and the team calibrated. A managed IT provider typically facilitates these as part of the ongoing service relationship — it takes one hour and produces a short punch list of gaps to close before the next incident, whenever that comes.
FAQs about incident response planning for small business
Do I need a lawyer to write my incident response plan?
No, but your plan should include a lawyer in the notification chain. California's breach notification law requires notice to affected individuals "in the most expedient time possible and without unreasonable delay," and whether notice is required at all depends on the type of data compromised; other states, regulators, and contracts impose their own deadlines, some measured in days. Your plan does not need to be a legal document — it needs a line that says "Step 4: Contact legal counsel at [number] to assess notification obligations." Most small businesses do not have a privacy attorney on retainer. Your cyber insurer's breach response team typically includes breach counsel as part of the claims service; that is one of the underappreciated values of cyber liability coverage for small business.
How long should my incident response plan be?
For a 5-to-50-person business, the working document should fit on two pages or fewer. One page is the quick-reference card — contact list, first three containment steps, communication holding statement. The second page covers evidence preservation, escalation paths by incident type, and the post-incident review checklist. A 40-page plan that lives in SharePoint is less useful than a laminated one-pager in the office manager's desk drawer. Brevity and accessibility beat comprehensiveness every time.
What is the first call I make when I think I have been breached?
Your managed IT provider or IT support team — containment has to start before anything else gets worse. The second call, made in parallel if possible, is to your cyber insurer's breach hotline. Many policies require notice within a fixed window after discovery, sometimes as short as 24 to 72 hours; waiting until after cleanup can complicate your claim significantly. Do not google the ransomware strain and follow random remediation instructions or run a "decryptor" from an untrusted source. Do not let an employee rebuild their own machine. The sequence is: contain (IT), notify (insurer), then investigate and remediate in a controlled and documented way with professional support.
Does cyber insurance require a written incident response plan?
Most carriers ask about it on the underwriting questionnaire, and having a documented plan can move you into a lower risk tier on premium. More practically, claims where the insured had a documented plan and followed it tend to close faster and with fewer disputes. The insurer's breach response team works better when your team already knows the contact numbers and containment steps — they spend less time on basic triage orientation and more time on actual forensic work. It is not a hard requirement at most carriers, but it signals operational maturity that underwriters recognize and price accordingly.
Want a ready-to-use incident response plan built for your business?
30 minutes with a DoD-cleared engineer. We will review your current incident response posture, identify the gaps most likely to turn a small incident into a large one, and leave you with a concrete action list — including a quick-reference card template you can adapt and print the same day.
Book your free security assessment. Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.