
Incident Response Plan Guide: What to Do When You Are Breached

By AntiPhishers


Security Education: This article describes cyber threats for defensive awareness and education purposes only. Understanding how attacks work helps organizations and individuals protect themselves. Never use this information for unauthorized access or malicious purposes.

Every organization will experience a security incident. The difference between a minor disruption and a catastrophic breach often comes down to preparation. An incident response plan (IRP) defines who does what, when, and how when a security event occurs. Organizations with a tested IRP reduce the average cost of a breach by $2.66 million according to IBM’s Cost of a Data Breach Report.

The NIST Incident Response Framework

The National Institute of Standards and Technology defines four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. This framework provides the structure for building your plan.

Phase 1: Preparation. Assemble your incident response team (IRT) with defined roles: incident commander, technical lead, communications lead, legal counsel, and executive sponsor. Document escalation procedures. Establish communication channels that do not depend on potentially compromised systems. Prepare forensic toolkits. Define what constitutes an incident versus a routine event.

Phase 2: Detection and Analysis. Define how incidents are detected: SIEM alerts, employee reports, vendor notifications, or customer complaints. Establish triage procedures to assess severity and scope. Categorize incidents by type (malware, unauthorized access, data exfiltration, DDoS) and severity level (low, medium, high, critical).

Phase 3: Containment, Eradication, and Recovery. Short-term containment isolates affected systems to prevent spread. Evidence preservation captures forensic data before remediation. Eradication removes the threat (malware, compromised accounts, exploited vulnerabilities). Recovery restores systems from clean backups, verifies integrity, and monitors for re-compromise.

Phase 4: Post-Incident Activity. Conduct a blameless post-mortem within two weeks of resolution. Document lessons learned, root causes, and process improvements. Update the IRP based on findings. Brief leadership and affected parties.
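The four phases above are a procedure with ordering rules that are easy to violate under pressure (eradicating before evidence is captured, declaring recovery before integrity is verified). The following is an added example, not AntiPhishers' code, that models an incident record as a small state machine whose guards enforce that ordering. The class, field and host names are assumptions made for the illustration; the constructed walkthrough drives one incident through all four phases.

```python
"""Incident record with NIST phase-ordering guards.

Added example, not AntiPhishers' code. The guards enforce the ordering the
four phases describe: isolate before eradicating, preserve evidence before
eradication, restore from a verified clean backup before declaring recovery,
and hold the blameless post-mortem within two weeks of resolution. Class,
field and host names are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional
import hashlib


class Phase(Enum):
    DETECTED = "detection_and_analysis"
    CONTAINED = "containment"
    ERADICATED = "eradication"
    RECOVERED = "recovery"
    CLOSED = "post_incident"


# The plan's own incident categories and severity levels.
CATEGORIES = {"malware", "unauthorized_access", "data_exfiltration", "ddos"}
SEVERITIES = {"low", "medium", "high", "critical"}


@dataclass
class Incident:
    ident: str
    category: str
    severity: str
    detected_at: datetime
    phase: Phase = Phase.DETECTED
    isolated_hosts: set = field(default_factory=set)
    evidence: dict = field(default_factory=dict)   # artifact name -> sha256 hex
    recovered_at: Optional[datetime] = None
    timeline: list = field(default_factory=list)   # (when, phase, note)

    def __post_init__(self):
        if self.category not in CATEGORIES or self.severity not in SEVERITIES:
            raise ValueError("use the plan's incident categories and severity levels")

    def _log(self, when, note):
        self.timeline.append((when, self.phase.value, note))

    def contain(self, host, when):
        """Short-term containment: isolate a host to stop spread."""
        self.isolated_hosts.add(host)
        self.phase = Phase.CONTAINED
        self._log(when, f"isolated {host}")

    def preserve(self, name, data: bytes, when):
        """Capture forensic data before remediation; the digest lets later
        steps prove the artifact was not altered."""
        self.evidence[name] = hashlib.sha256(data).hexdigest()
        self._log(when, f"preserved {name}")

    def eradicate(self, when):
        if self.phase is not Phase.CONTAINED:
            raise RuntimeError("contain the incident before eradicating")
        if not self.evidence:
            raise RuntimeError("preserve evidence before eradication destroys it")
        self.phase = Phase.ERADICATED
        self._log(when, "threat removed")

    def recover(self, host, from_clean_backup, integrity_verified, when):
        if self.phase is not Phase.ERADICATED:
            raise RuntimeError("eradicate before restoring systems")
        if not (from_clean_backup and integrity_verified):
            raise RuntimeError(f"{host}: restore from a clean backup and verify integrity first")
        self.isolated_hosts.discard(host)
        self._log(when, f"restored {host}")
        if not self.isolated_hosts:   # every isolated host is back in service
            self.phase = Phase.RECOVERED
            self.recovered_at = when

    def close(self, postmortem_at):
        if self.phase is not Phase.RECOVERED:
            raise RuntimeError("cannot close before recovery is complete")
        if postmortem_at - self.recovered_at > timedelta(days=14):
            raise RuntimeError("post-mortem is due within two weeks of resolution")
        self.phase = Phase.CLOSED
        self._log(postmortem_at, "blameless post-mortem held")


def walkthrough():
    """Drive a constructed malware incident through all four phases."""
    t0 = datetime(2024, 3, 1, 9, 0)                       # constructed timestamps
    inc = Incident("INC-0001", "malware", "high", t0)    # constructed identifier
    inc.contain("fileserver-01", t0 + timedelta(minutes=20))
    try:
        inc.eradicate(t0 + timedelta(minutes=25))        # rejected: nothing preserved yet
    except RuntimeError:
        pass
    inc.preserve("fileserver-01-memory.raw", b"constructed sample bytes", t0 + timedelta(hours=1))
    inc.eradicate(t0 + timedelta(hours=3))
    inc.recover("fileserver-01", True, True, t0 + timedelta(hours=8))
    inc.close(t0 + timedelta(days=10))
    return inc


if __name__ == "__main__":
    for when, phase, note in walkthrough().timeline:
        print(when.isoformat(), phase, note)
```

The timeline the record accumulates is exactly what the Phase 4 post-mortem needs: a timestamped sequence of containment, preservation, eradication and recovery actions, with evidence digests that can be checked against the artifacts handed to forensics.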

Key Plan Components

Contact lists with 24/7 phone numbers for all IRT members, legal counsel, law enforcement contacts (FBI, local police), cyber insurance carrier, forensics retainer, and PR/communications agency. Maintain these lists in both digital and printed form.

Communication templates for employee notifications, customer breach notifications, regulatory disclosures, and media statements. Pre-drafting these during calm periods ensures accurate, measured communication during crisis.

Decision trees for common scenarios: ransomware (pay or not pay, contain, restore from backup), BEC wire fraud (initiate recall, contact receiving bank, law enforcement), data exfiltration (scope assessment, notification requirements, regulatory timeline).

Legal and regulatory requirements. Document breach notification requirements for your jurisdictions (GDPR 72-hour requirement, state-specific laws, SEC disclosure rules). Engage legal counsel in plan development to ensure compliance.

Testing Your Plan

A plan that has never been tested will fail when needed. Conduct tabletop exercises at least annually, walking through realistic scenarios with all stakeholders. For advanced testing, perform purple team exercises where the red team simulates an attack and the blue team executes the response plan.

For more on building your detection capabilities, see our security operations center guide. To understand the most common attack type your IRP must address, explore our complete phishing guide.

Regulatory Notification Requirements

Your incident response plan must include regulatory notification procedures specific to your industry and jurisdictions. GDPR requires notification within 72 hours of discovery. HIPAA requires notification within 60 days. SEC rules require disclosure of material incidents within four business days. State-specific breach notification laws vary in timing and requirements. Your legal counsel should map all applicable requirements and integrate them into the response timeline.
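The timelines above are counted from different starting points and in different units (hours, calendar days, business days), which is where notification deadlines get missed in practice. The following is an added example, not AntiPhishers' code, that turns the three timings the article lists into concrete due times from the moment of discovery and flags which have lapsed. The regime keys, the Monday-to-Friday business-day rule, the empty holiday set and the materiality flag are assumptions; counsel must confirm which regimes apply and the exact trigger for each.

```python
"""Breach notification deadline tracker.

Added example, not AntiPhishers' code. It turns the timelines the article
lists (GDPR 72 hours from discovery, HIPAA 60 days, SEC four business days
for material incidents) into concrete due times so the incident commander
sees what is due next and what has already lapsed. Regime keys, the
business-day rule and the holiday set are assumptions; counsel maps the
regimes that actually apply.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Set


def add_business_days(start: datetime, days: int, holidays: Set[date] = frozenset()) -> datetime:
    """Assumption: Mon-Fri business week; pass a holiday set to skip those too."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.date() not in holidays:
            remaining -= 1
    return current


# Each regime maps the discovery time to its notification due time.
REGIMES: Dict[str, Callable[[datetime], datetime]] = {
    "GDPR": lambda t: t + timedelta(hours=72),    # 72 hours from discovery
    "HIPAA": lambda t: t + timedelta(days=60),    # 60 days
    "SEC": lambda t: add_business_days(t, 4),     # four business days, material incidents only
}


@dataclass(frozen=True)
class Deadline:
    regime: str
    due: datetime
    hours_remaining: float   # negative once the deadline has lapsed


def notification_deadlines(discovered_at: datetime, applicable: Iterable[str],
                           now: datetime, material: bool = True) -> List[Deadline]:
    """Return the applicable deadlines, soonest first."""
    if discovered_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes for deadline arithmetic")
    deadlines = []
    for key in applicable:
        if key not in REGIMES:
            raise KeyError(f"{key}: regime not mapped by counsel")
        if key == "SEC" and not material:
            continue   # the SEC rule covers incidents judged material
        due = REGIMES[key](discovered_at)
        deadlines.append(Deadline(key, due, (due - now).total_seconds() / 3600))
    return sorted(deadlines, key=lambda d: d.due)


def lapsed(deadlines: List[Deadline], now: datetime) -> List[str]:
    return [d.regime for d in deadlines if d.due <= now]


def demo():
    """Constructed scenario: discovered on a Friday evening, reviewed the
    following Tuesday morning, all three regimes applicable."""
    discovered = datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc)
    now = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
    deadlines = notification_deadlines(discovered, ["HIPAA", "SEC", "GDPR"], now)
    return deadlines, lapsed(deadlines, now)


if __name__ == "__main__":
    for d in demo()[0]:
        print(f"{d.regime:6} due {d.due.isoformat()}  ({d.hours_remaining:+.1f} h)")
    print("lapsed:", demo()[1])
```

In the constructed scenario the GDPR window closes on Monday evening, before most organizations have even convened the IRT, which is the point of pre-drafting the notices described in the next paragraph. The timezone check is deliberate: discovery logged in one zone and a deadline computed in another is a common way to lose hours.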

Maintain template notifications that can be customized quickly during an incident. Having pre-approved language from legal counsel saves critical hours during the high-pressure early stages of response. Include templates for regulatory notices, customer notifications, employee communications, and media statements.

Keeping the Plan Current

An incident response plan that was written two years ago and never updated may reference former employees, outdated systems, and defunct communication tools. Review and update the plan quarterly. After every real incident, conduct a post-mortem that feeds improvements back into the plan. Changes in staff, technology, and business operations should trigger plan reviews.