In a recent article, we looked at the topic of Security Roadmaps, exploring what they are and why they’re such an important tool for proactive cybersecurity. Today, we’ll discuss the equally important documentation that directs the reactive side of cybersecurity: the Incident Response Plan.


What is an Incident Response Plan?

An Incident Response Plan is a set of instructions a business creates to limit the consequences of a cyber-attack. While a wealth of information goes into an Incident Response Plan, at its core are three main objectives: to identify threats, manage the response and keep your business moving. 

Detecting attacks

A cybersecurity event is not always immediately apparent. The first stage in developing a plan is to create a procedure for assisting your personnel in identifying and reporting suspicious or unusual behaviour that may signal a cybersecurity event has occurred. It should be very clear what you want staff to do and to whom they should report any suspected incidents.

The plan must be clear and easily actionable to prevent time from being lost in resolving the situation.

Managing the response

A plan for handling an incident will address more than just the technical problem at hand. Once the incident and its scope have been determined, an Incident Response Plan directs how the information will be disseminated to staff and affected parties. It may also list contact information for relevant parties and external providers for ease and efficiency. 

Keeping business moving

Finally, an Incident Response Plan offers solutions to ensure “business as usual” can be maintained as closely as possible. There are two aspects to this focus on business continuity – first, to ensure operations continue as efficiently and effectively as possible while the incident is resolved, and second to provide a roadmap for returning to full capacity once the event has been dealt with.

Consider your most vital systems, such as email or operational software – how can you avoid a total shutdown if your IT systems become unavailable due to a cyber threat? An Incident Response Plan sets out the procedures that your personnel can use if your IT systems are down or compromised. By accessing this guidance, your organisation can continue to run, albeit in a restricted capacity, while you resolve the event.


The Phases Of An Incident Response Plan

While an Incident Response Plan is specific to the business that created it, some commonalities remain regardless of the size or nature of the company involved. A well-considered plan will include four phases: preparation, detection and analysis, containment and eradication, and post-incident activity.

  • Preparation

The incident response preparation phase includes all the tasks we may do ahead of time to better prepare for a cyber threat. This typically entails putting in place the policies and procedures that govern incident response and handling, training for incident handlers and those expected to report incidents, performing drills and many other similar tasks.

  • Detection and analysis

It’s in the detection and analysis stage of the Incident Response Plan that we begin to react to potential incidents. To properly respond to an issue, we must first detect the anomaly and determine whether it constitutes an incident. The process will usually be a combination of automation and human judgement. Antivirus software, proxy logs, firewall logs, and other security tools can notify a company of a potential problem. Still, the person handling the incident will decide whether or not the next steps must be taken.
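To make the "automation plus human judgement" split concrete, here is an added example (not code from the original article) of a small triage step: it reads constructed firewall log lines, flags hosts whose denied connections cross an assumed threshold, and leaves the final incident-or-not decision to a responder. The log format, the threshold and the `is_known_benign` callback are all assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample firewall log lines (assumed key=value format; not real data).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 action=DENY src=10.0.0.5 dst=203.0.113.9 dport=4444
2024-05-01T10:00:02 action=DENY src=10.0.0.5 dst=203.0.113.9 dport=4444
2024-05-01T10:00:03 action=ALLOW src=10.0.0.6 dst=198.51.100.2 dport=443
2024-05-01T10:00:04 action=DENY src=10.0.0.5 dst=203.0.113.9 dport=445
2024-05-01T10:00:05 action=DENY src=10.0.0.7 dst=198.51.100.2 dport=22
2024-05-01T10:00:06 action=DENY src=10.0.0.5 dst=203.0.113.9 dport=4444
"""

# Assumed tuning value: this many denies from one host is worth an analyst's look.
DENY_THRESHOLD = 3


@dataclass
class Candidate:
    """An anomaly the automation surfaced; not yet an incident."""
    src: str
    deny_count: int
    ports: set = field(default_factory=set)


def parse_line(line: str) -> dict:
    """Turn 'ts key=val key=val ...' into a dict of the key=value fields."""
    return dict(part.split("=", 1) for part in line.split()[1:])


def triage(log_text: str, threshold: int = DENY_THRESHOLD) -> list:
    """Automated stage: count DENY events per source and surface hosts over threshold."""
    denies = Counter()
    ports = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields.get("action") == "DENY":
            denies[fields["src"]] += 1
            ports.setdefault(fields["src"], set()).add(fields["dport"])
    return [Candidate(src, n, ports[src]) for src, n in sorted(denies.items()) if n >= threshold]


def analyst_decision(candidate: Candidate, is_known_benign) -> str:
    """Human stage: the responder decides whether the anomaly becomes an incident."""
    return "close" if is_known_benign(candidate.src) else "escalate"


if __name__ == "__main__":
    for c in triage(SAMPLE_LOGS):
        print(c, analyst_decision(c, lambda src: src == "10.0.0.6"))
```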

  • Containment and eradication

The goal of the containment and eradication phase is to prevent the problem from causing any more harm than it has already, or at the very least, to minimise harm. If, for example, a malware-infected server is actively being controlled by a remote attacker, this may involve unplugging the server from the network and updating rules on firewalls and intrusion prevention systems to stop malware traffic. Once the issue is contained, the Incident Response Plan will then give direction for eradicating the threat, perhaps examining logs and systems to ensure that it hasn’t spread.

Finally, the incident responders will need to recover systems, ensuring they’re in a better state than before the cyberattack. This could entail reloading software, rebuilding operating systems, recovering devices or data from backup media, or other related tasks.

  • Post-incident activity

During the post-incident activity phase, often known as a postmortem, responders try to pinpoint what happened, why it happened, and how they can prevent it from happening again. It may well be necessary to alter infrastructure or regulations based on the results. The goal of this phase is not to assign blame but rather to prevent or mitigate the consequences of future attacks.

Having a robust Incident Response Plan in place enables those within your business to identify and avoid potential threats while also giving direction about how to deal with a cyberattack. Setting clear guidance from the start can avoid significant potential disruption down the line and enable your business to maintain composure in the face of cyber threats.


To learn more about how an Incident Response Plan can improve your cybersecurity, speak to the Loopli team today.