May 16, 2026
Write an Incident Response Plan in One Afternoon (Small Business Edition)
When ransomware hits a small business, the expensive part usually isn't the malware — it's the improvisation. Who decides to disconnect? Who has the insurer's hotline? Where are the backups, and who knows the restore password? Businesses burn their most valuable response hours discovering they never decided.
The fix is a one-page plan, written this afternoon, printed, and taped inside a cabinet. Here's the page, section by section.
1. The call list (five lines)
Names, roles, and phone numbers — because email may be the crime scene:
- Incident lead: the decision-maker (owner or designated deputy) — the person with authority to say "shut it down"
- IT support: your provider or internal tech, with their after-hours number
- Cyber insurance hotline: from your policy documents — most policies require prompt notice and provide breach counsel; call them early, not after you've "handled it"
- Bank contact: for fraud holds and wire recalls, where minutes matter
- Attorney (if you have one): particularly for anything touching client or patient data
2. The first-hour actions (in order)
- Isolate, don't power off. Disconnect affected machines from the network (unplug cable / kill Wi-Fi). Powering off destroys evidence and, with some ransomware, makes recovery harder.
- Preserve the scene. Photograph ransom notes and error screens with a phone. Note times — insurers and investigators will ask.
- Cut remote access. Disable VPN and remote desktop until you know how they got in — the attacker's door is often still open.
- Call the insurer's hotline before making promises, payments, or public statements. Breach counsel exists to keep the response from creating new liability.
- Change core credentials from a clean device — email admin, banking, remote access — in that order.
3. The asset facts (fill in today)
The section that saves hours at 2am:
- Where backups live, how far back they go, and who can perform a restore
- Domain registrar, DNS, and hosting logins (location in password manager)
- Server/critical machine list — what actually matters if encrypted
- Email admin console access — who and how
If filling this section reveals you're not sure the backups work — congratulations, the plan just paid for itself before any incident. Test the restore this week.
4. Notification triggers (know your deadlines)
You don't need legal analysis on the page, just the tripwires that mean "call the attorney/insurer now":
- Client, patient, or employee personal data possibly accessed → state breach-notification laws start clocks (some as short as 72 hours for regulated industries)
- Card data involved → processor and card-brand obligations
- HIPAA-covered data → OCR notification rules
The plan's job is ensuring nobody discovers these deadlines after they've expired.
5. Communications defaults
Two pre-decisions prevent the most common self-inflicted wounds: who speaks (one named person; everyone else refers questions), and what we don't say (no cause speculation, no "we've fixed it" until it's true — early confident statements have a way of appearing in lawsuits).
Print it. Then drill it once.
A plan in a cloud drive that's encrypted along with everything else is a plan you don't have — print two copies. Then, once a year, run the tabletop version over coffee: "It's Monday 7am and the server shows a ransom note — what happens?" Thirty minutes of walking the page turns it from a document into a reflex, and reflexes are what the first hour is made of.
Total cost: one afternoon, two sheets of paper, and one coffee-length drill a year — against incidents where response speed routinely swings costs by tens of thousands of dollars.