How should a small business plan for a cyber incident?

This is the introduction to a series in which we look at creating a practical Incident Response Plan appropriate to a small business. The plan allows the company to manage an incident, minimise the effect on its customers, and limit the follow-on loss of business and damage to its reputation. The aim is to identify the key tasks of an Incident Response Plan and show how they can be implemented within the usual resource constraints: expertise, time and finance.


The National Cyber Security Centre (NCSC) defines a cyber security incident as:

1. A breach of a system’s security policy in order to affect its integrity or availability

2. The unauthorised access or attempted access to a system

In addition to the two points above, it is worth adding a third:

3. The integrity of a system may also be compromised accidentally, for example through misconfiguration or operator error, and that still needs to be handled as an incident.

All organisations will experience security incidents at some point. A suitable investment in effective incident response plans and processes will improve resilience, support business continuity, improve customer confidence and potentially reduce the impact of an incident. The plan itself is a task list that can be easily actioned during the incident, together with a form for recording key information and the actions taken.

An incident response plan sounds very corporate, but even small companies need one.

The plan needs to be relevant to the business size, complexity of its systems and the risks to the business. There are some common steps that will make managing an incident easier and the response more effective.

Cyber security incidents take many forms, including Denial of Service (DoS), viruses and malware, ransomware and phishing attacks. It doesn't matter if these terms are alien to you: for a small company the aim should be to work with an IT partner that can deal with them whilst you concentrate on your business.

What is the risk?

Security incidents will inevitably happen, and they will vary in their level of impact. All incidents need to be managed effectively, particularly those serious enough to warrant invoking the organisation's Business Continuity or Disaster Recovery plans. For a small company a severe incident can mean a complete loss of service, at which point the incident becomes a disaster.

Many small businesses don't have an Incident Response Plan or a Business Continuity Plan because they lack the expertise, the time or an understanding of the risks. It doesn't have to be as daunting as it sounds, because the plan should be proportionate to the complexity and size of the business. Small and simple businesses will typically have small and simple plans, although we have worked with some organisations who break the rule.

Manage the business impact: 

You need to be able to recognise when an incident is occurring. The initial effects can spread and lead to a significant impact on the business through system downtime, financial loss, damage to customer relationships and possible regulatory fines. Reviewing your internal systems, processes and risks in advance is what allows the effects of an incident to be minimised. THIS NEEDS TO BE DONE IN ADVANCE. When an incident occurs the stress and emotional impact will impair the decisions that are made, and a basic checklist could well save you.

The checklist should include key team members, external support companies, and financial and legal contacts.

Follow-on disruption: 

Once a system is compromised you should expect repeat incidents unless you secure the situation. Fix the underlying problem and make whatever changes are appropriate. This may take time and money, and it is always more expensive if you have done nothing to prepare.


Understand the Legal Requirements: 

A personal data breach that is likely to result in a risk to the individuals concerned must be reported to the regulator. Understand the timeframes and GDPR requirements: the clock starts when you become aware of the breach, and you must report to the supervisory authority within 72 hours where feasible; where the risk to individuals is high, the affected people must also be told. Ensure the plan considers these risks and that the actions are pre-planned, to avoid mistakes when under stress.

The plan and checklist should set out the key requirements and the contact information for the relevant parties; you don't want to be searching for these things during the incident.

Next article: How can a small business manage the risk?