Kenneth Ellington on Why You Should Have an Incident Response Plan

Updated June 4, 2025

by Ovy Dizon

Don’t get caught off guard by data breaches and other serious cybersecurity threats. Be proactive by creating an incident response plan for your company. Explore insights from Kenneth Ellington, Founder of Ellington Cyber Academy.

It’s easy to assume that a cybersecurity incident will never happen at your small business. Sure, you’ve seen all the headlines about hospitals getting hacked and banks experiencing data breaches. But surely cybercriminals have no interest in your company — right?

Think again. A staggering 94% of small and medium-sized businesses (SMBs) have fallen victim to at least one cyber attack, according to a 2024 ConnectWise survey. Despite this, many companies are totally unprepared to respond to these incidents.

Kenneth Ellington, Founder of Ellington Cyber Academy, shares his thoughts on why all companies should prepare for the unexpected with an incident response plan. 

This article maps out how your team should plan to react to cyberthreats and other emergencies before the metaphorical fire breaks out. Here’s how you can create this must-have resource for your business.

5 Steps You Need to Know To Create Your Own Incident Response Plan


Chances are, you’ve already thought about what you would do if your business were hit by a cyberattack. Maybe there’s a hidden sticky note full of passwords under your desk. And you probably keep your best tech person on speed dial. But these small measures aren’t a replacement for a real incident response plan.

“Most small businesses don’t have a cybersecurity plan or even know what one is, which is a major issue,” explains Kenneth Ellington, the founder of Ellington Cyber Academy. “The worst time to plan for a disaster—whether a fire or a flood—is when it’s already happening, and you’re trying to escape.”

The Cybersecurity and Infrastructure Security Agency defines an incident response plan as “a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident.”

Follow these steps to develop your plan: 

  • Create a Team
  • Define Your “Incidents”
  • Build a Communication Plan
  • Conduct Regular Training
  • Review and Update Your Plan

1. Create a Team

Your IT staff can handle a lot of issues on their own — but a cybersecurity incident isn’t one of them. You need an A-team that can come together to respond to crises immediately.

Every incident team should include these key players:

  • Leadership: Cyberattacks can be incredibly chaotic, especially if they disrupt core operations. A ransomware attack, for instance, could knock out your payment system, preventing sales. You need strong leaders to guide recovery efforts and keep everyone calm.
  • IT Professionals: Obviously, you’ll need tech experts to identify and contain the threat. These can be part of your internal team or outside consultants you can call when things go sideways.
  • Legal Counsel or Representative: All fifty states have passed data breach notification laws, and you may also have contractual obligations to clients affected by the incident. With a legal expert on hand, you can make sure that you handle everything by the book.
  • HR Staff: Cybercriminals often target sensitive employee data, such as bank accounts and Social Security numbers. Your HR team can help you inform and support affected staff. They can also provide guidance and training if employees have accidentally caused an incident. For example, a worker might click a malware link in their email or plug a suspicious USB drive into their computer.
  • Communication Experts: Incidents can feel embarrassing, but hiding them is deeply unethical (not to mention illegal). A public relations (PR) team can help you shape the narrative and address your clients’ concerns tactfully.

Make sure your entire team is aware of their roles before an incident occurs. That way, you won’t surprise your PR staff or head of HR with a late-night emergency phone call.

2. Define Your “Incidents”

Take the time to spell out what your business considers an incident or threat. This step will help your team tell the difference between an all-hands-on-deck crisis and a minor disturbance.

Here are a few examples of common incidents:

  • Malware: Cybercriminals use “malicious software” to steal data or damage a company’s network.
  • Phishing Scams: Ever received a shady email asking for your passwords or phone number? Outsiders often try to trick employees into giving out sensitive information.
  • Hacking: An external actor breaks into a device or network, often to steal information.
  • Unauthorized Access: Someone — either an employee or an outsider — gains access to confidential data or systems.

This list only scratches the surface of all the possible cyberattacks, so do your research.

3. Build a Communication Plan

There’s no time for miscommunication — or, even worse, secrecy — during an incident. A communication plan will allow you to share news and updates as quickly as possible.

Start by choosing a dedicated spokesperson to convey all messages. That way, you won’t have to worry about multiple team members giving contradictory or half-true information.

Develop a communication template for incident alerts, too. It’s much faster to plug a few details into a pre-written message than create one from scratch, especially under pressure.

You should also create a communication matrix for your team. This document breaks down who needs to be informed based on the incident’s severity. Of course, you must immediately disclose a major data breach to customers and stakeholders. However, only your internal team needs to know about an employee who accidentally accesses the payroll system and then logs out right away.

4. Conduct Regular Training

When it comes to cyberthreats, your team can be your greatest defense — or your biggest weakness. Educate your employees with frequent training activities, such as:

  • Live simulations of data breaches or unauthorized access attempts
  • Drills to practice detecting phishing scams, social engineering, and other threats
  • Role-play scenarios with some employees posing as cybercriminals

You can also bring in cybersecurity professionals to host seminars or give talks on the latest threats. These events can empower everyone to prevent incidents, not just your IT team.

5. Review and Update Your Plan

Cybercriminals never rest, so neither should you. Start your incident response planning right now by identifying a cybersecurity consultant or firm that can help in an emergency.

“If you don’t have a plan, at least have the contact information of someone who can help,” Ellington advises. “Every minute and hour is critical in these situations.”

Once you’ve fleshed out your full plan, regularly review and update it. These checks should take place alongside your training sessions and after every major incident.

For example, you might need to expand your communication team when your top PR person goes on maternity leave. Or you may add a new type of incident to your threat list. These small tweaks will make sure that you’re as prepared as possible when — not if — a crisis strikes.

Give Yourself Peace of Mind With an Incident Response Plan 

There’s no size limit for cybersecurity threats. Incidents affect everything from small, family-owned businesses to Fortune 500 companies with huge tech budgets. And they usually occur at the most inconvenient times, like on a weekend or when your top IT person is on vacation.

Stay two steps ahead with an incident response plan. This handy document will help you stay focused and react quickly during an emergency. Plus, sharing it with your team will allow them to mentally prepare for disaster.

Read through Kenneth Ellington’s full perspective on cybersecurity for businesses.

About Kenneth Ellington, Founder of Ellington Cyber Academy

Kenneth Ellington is a cybersecurity instructor and cyber threat hunter. He helps cybersecurity professionals and organizations strengthen defenses, build teams, and advance careers.
