Incident response planning is the work done before an incident to make the response work. Businesses that handle incidents well don't improvise — they execute against a plan they built and rehearsed beforehand. Businesses that handle incidents poorly are figuring it out in real time, with predictable results. The good news: incident response planning isn't complicated. The bad news: most SMBs haven't done it. Here's what an actual IR plan should contain.
The Components of a Useful IR Plan
An incident response plan that actually helps during an incident includes:
- Roles and responsibilities — who does what during an incident, by name and role, with backups if primary contacts are unavailable
- Decision authority — who has authority to make specific decisions (declare an incident, isolate systems, pay ransom, notify customers)
- Communication procedures — internal communication to employees, executive communication, customer communication, regulatory notification timelines, public communication strategy
- Triage criteria — how to assess severity quickly and route to the appropriate response level
- Technical playbooks — specific procedures for common incident types (ransomware, BEC, data breach, account takeover)
- External resources — incident response retainer, cyber insurance contacts, legal counsel, law enforcement contacts, forensics vendors
- Evidence preservation — what to do to preserve forensic evidence while containing the incident
- Recovery procedures — how systems get restored, in what order, with what validation
- Post-incident review — process for capturing lessons and updating the plan
The Roles That Need to Be Pre-Assigned
During an incident, the team activates immediately. The roles to define in advance:
- Incident commander — runs the response, makes operational decisions, coordinates the team
- Technical lead — directs technical investigation and containment
- Communications lead — handles internal and external communication, including legal-coordinated messaging
- Legal coordinator — internal or external counsel managing regulatory notification, privilege considerations, and law enforcement coordination
- Executive sponsor — senior leadership member who can make business-impact decisions
- HR liaison — if the incident involves insider threat or affects employees
- External vendors — IR firm, forensics provider, breach coach, public relations support
For small businesses, one person may hold multiple roles. The point isn't separation of duties — it's that someone is doing each job and knows it's their responsibility.
The Decisions to Pre-Authorize
Some decisions need to happen fast during incidents. Pre-authorizing them eliminates delay:
- System isolation — who can disconnect a system from the network without further approval
- Account suspension — when admins can suspend potentially compromised accounts immediately
- External resource engagement — pre-approved vendors that can be activated without procurement processes
- Internal communication thresholds — at what severity employees get notified, by whom
- Customer notification thresholds — when customer-facing communication starts, by whom
- Law enforcement notification — when FBI/local law enforcement gets contacted
- Insurance carrier notification — when the carrier hotline gets called
Every hour spent figuring out who can authorize what is another hour the attacker has to operate.
The Tabletop Exercise
An IR plan that's never tested is fiction. Tabletop exercises — walking through hypothetical incidents around a conference table with the IR team — are the most effective way to test and improve the plan. Best practice: an annual tabletop covering a substantial scenario (ransomware, major data breach), plus quarterly mini-exercises on specific aspects of the plan.
The first tabletop after an IR plan is built always finds dozens of gaps — roles not clear, communication paths missing, technical procedures incomplete. That's the value of the exercise. Subsequent tabletops find fewer gaps because the previous ones drove fixes.
The Common Failure Modes
What we see going wrong with IR planning at SMBs:
- No plan at all — the most common situation. The first real incident becomes the test.
- Plan that exists in someone's head — institutional knowledge that disappears when the person is unavailable
- Plan that's out of date — references systems no longer in use, people no longer at the company, vendors no longer engaged
- Plan that's purely technical — covers IT response but not communication, legal, or business decisions
- Plan that's never been exercised — looks good on paper but breaks in practice
- Plan without executive engagement — IT-driven without leadership involvement in the decisions the plan describes
If you're building incident response planning for your business, a conversation with our team can scope what realistic IR capability looks like for your environment.
Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments for businesses evaluating their IT and security posture. Contact us or call 850-614-9343.