Incident Response Plan for Small to Medium-Size Organizations


Cybersecurity incidents are a fact of life in the modern era, and their aftermath leaves an organization with disrupted operations, financial loss, and reputational damage. Preventive controls are the obvious first line of defence, yet the Cyber Security Breaches Survey 2018 found that about 82% of small and 70% of medium-size organizations do not have even a formal incident response process in place [1]. SMEs tend not to take an aggressive approach to cybersecurity [2] and are slow to put their best foot forward. Another report found that

  • 51% of respondents do not consider an incident response plan a priority  
  • 39% of respondents do not consider their organization at risk of a cyberattack 
  • 20% of respondents have no budget available [3] 

However, the severity of the situation suggests otherwise. Data compiled by SCORE, a nonprofit that provides free business advice and mentoring to small businesses, shows that 43% of cyberattacks target small businesses, and that 60% of small companies go out of business within six months of falling prey to a cyberattack (or incident) [4]. Handling an incident with a well-thought-out strategy therefore limits the damage a cyber threat can do and helps your business survive for years to come.  

To keep your company operational both during and after an incident, a proactive and continually evolving security/risk management plan, an Incident Response Plan (IRP), is required. 

Cybersecurity Budget and Using Appropriate Cybersecurity Framework 

Putting a deliberate plan in place to counter future cyberattacks is easier said than done. Small to medium-size organizations watch their revenues closely, and implementing a security management plan becomes difficult when other goals are prioritized over the cybersecurity budget. Even a basic plan helps your organization secure its assets, resources, and sensitive data, and that plan can then be matured over time as the threats you face change. 

For small and medium-sized enterprises, it is better to begin with an established risk management framework than to design one from scratch. One such framework is the NIST Cybersecurity Framework, which organizes the required security procedures and policies into five function areas: Identify, Protect, Detect, Respond, and Recover. 


Identify

Under this function area, the organization develops an understanding of its risks and then builds the capabilities to manage them. It establishes a clear picture of the organization's critical data, systems, and assets. This function demands full visibility of all your assets (digital and physical) and how they interconnect, clearly defined roles and responsibilities, and policies and procedures in place for handling the cyber threats you have identified. 


Protect

The organization now develops and implements the security measures and controls identified in the previous step. The activities under Protect limit and contain the effects of an incident. Restricting access to your assets to those who actually need it helps contain the impact of a cyberattack, because a compromised account or host can then reach less. Also provide awareness training so that staff know how to recognise and report an incident. 


Detect

Implement activities that detect the occurrence of an incident in a timely manner; this also covers the initial investigation of the event. Anticipating the attacks you are likely to face and having the relevant information at hand will help here. In particular, continuous monitoring of your systems and network, and watching for exploitation attempts, goes a long way toward catching incidents early instead of months later. 


Respond

Activities that act on the results of the investigation are implemented under this function area. The procedures and controls here aim to restrain the issue at hand and mainly limit the impact of the incident. To respond to an incident, your organization needs a well-drafted IRP.  


Recover

Under Recover, operations restore any impaired assets or services and make every effort to return the organization to its normal functioning. For a timely recovery, keep a prioritized list of the systems and actions that matter most, so that the business-critical services come back first. 

This risk management plan will help you manage the risk and devastating effects of an incident. 

Six Phases of an IRP: Dedicated to Small to Medium-Size Organizations 

There are six phases of an incident response plan (IRP): preparation, identification, containment, eradication, recovery, and lessons learned. Each phase covers a different set of processes and operations, from before an incident occurs to after it is closed. 

The phases of the IRP do not change for small to medium-size organizations, but the approach to each phase is slightly modified. Here you will find an IRP tailored to SMEs. 

Phase I: Preparation 

This is the first and most crucial step in handling an incident successfully. The resources available to a small or medium-size organization differ from those used by larger organizations. 

* Concerned Professionals 

You can either employ full-time in-house professionals or outsource to a trusted third party. Combining internal and external resources usually works best for an SME: internal staff know the environment, while the external party brings specialist incident-handling experience that a small team rarely has in-house. 

* Incident Handling Instructions 

Create authoritative, detailed step-by-step instructions for handling an incident. This is a comprehensive document that covers most of the decisions that need to be made during an incident. It includes a list of everyone who is primarily or secondarily involved with the incident response team, with their contact information; it is also recommended to include the contact details of local law enforcement. This gives a clear indication of whom to contact at each stage of the incident handling process. The team should know in advance who the first responders are at the time of a crisis. These professionals establish whether the organization is actually under attack and, if so, whether the affected system or network segment needs to be isolated. From this first phase onward, ensure that responders do not contaminate digital evidence that the forensic team will later examine: work from copies wherever possible and keep a written record of what was done, by whom, and when.  

* Tools Involved in Phase I 

Having working tools lined up before you face an incident will help you stay prepared for any incident handling operation. The essential tools are: event logs (collected centrally, so that an attacker who gains control of a host cannot simply delete them), a network-based intrusion detection system (NIDS), and a host-based intrusion detection system (HIDS). Note: synchronize the clocks of all tools and devices (for example with NTP) and record timestamps in UTC, so that the same event is not recorded at different times by different team members using different tools. 

Phase II: Identification  

Identifying a cyberattack is not the sole responsibility of the IT staff. In SMEs especially, any employee who notices issues such as a system or the network running slowly should report it to the IT department, and the concerned professionals should then take that report seriously rather than dismiss it. 

* Collect Information  

As soon as your organization falls prey to any kind of cyberattack, it is the incident handler's responsibility to refer to the incident handling instructions and collect all the data listed there.  

* What Should Raise Suspicion? 

Look for unusual processes or services, unknown files and registry keys, unfamiliar network traffic, unauthorized users or accounts, and unexpected log entries for suspicious events. Note: the tools mentioned in the previous phase are what you use to find such activity, typically by comparing what a host is doing now with a known-good baseline of the same host.  
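The baseline comparison described above, as an added example that is not code from the original article: a small Python triage routine diffs a suspect host's current state against a known-good snapshot and flags exactly the indicator classes the text lists (new accounts, new or changed autorun entries such as registry Run keys, new services and processes, new listening ports, and connections to destinations the host has never talked to). The host snapshots, allowlist and connection records are constructed for illustration; in practice the baseline comes from a clean build and the current snapshot from your HIDS or a netstat export.

```python
# Added example, not code from the original article: triage a suspect host by
# diffing its current state against a known-good baseline. Every snapshot
# below is constructed for illustration.
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    processes: set      # process image names
    services: set       # installed service names
    users: set          # local account names
    autoruns: dict      # autorun entry name -> command line (e.g. registry Run key)
    listening: set      # (protocol, port) pairs


@dataclass
class Finding:
    severity: str       # "high" or "medium"
    category: str
    detail: str


def diff_snapshots(baseline, current, known_destinations, connections):
    """Return findings worth an analyst's attention, highest severity first."""
    findings = []

    # A new local account is a classic sign of an attacker establishing access.
    for user in sorted(current.users - baseline.users):
        findings.append(Finding("high", "new-user", user))

    # A new or changed autorun entry is how most commodity malware persists.
    for name, cmd in sorted(current.autoruns.items()):
        if name not in baseline.autoruns:
            findings.append(Finding("high", "new-autorun", f"{name} -> {cmd}"))
        elif baseline.autoruns[name] != cmd:
            findings.append(Finding("high", "changed-autorun", f"{name} -> {cmd}"))

    for svc in sorted(current.services - baseline.services):
        findings.append(Finding("medium", "new-service", svc))
    for proc in sorted(current.processes - baseline.processes):
        findings.append(Finding("medium", "new-process", proc))
    for proto, port in sorted(current.listening - baseline.listening):
        findings.append(Finding("medium", "new-listener", f"{proto}/{port}"))

    # Outbound connections to destinations never seen from this host.
    for conn in connections:
        if conn["dst"] not in known_destinations:
            findings.append(Finding("high", "unknown-destination",
                                    f'{conn["process"]} -> {conn["dst"]}:{conn["dport"]}'))

    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f.severity], f.category, f.detail))
    return findings


ONEDRIVE = r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

# Constructed baseline captured from a clean workstation build.
BASELINE = HostSnapshot(
    processes={"explorer.exe", "svchost.exe", "outlook.exe", "winlogon.exe"},
    services={"Dhcp", "Dnscache", "WinDefend", "Spooler"},
    users={"Administrator", "jdoe"},
    autoruns={"OneDrive": ONEDRIVE},
    listening={("tcp", 135), ("tcp", 445)},
)

# Constructed snapshot of the same host after a user reported it as "slow".
SUSPECT = HostSnapshot(
    processes={"explorer.exe", "svchost.exe", "outlook.exe", "winlogon.exe", "svch0st.exe"},
    services={"Dhcp", "Dnscache", "WinDefend", "Spooler", "WinUpdateHelper"},
    users={"Administrator", "jdoe", "support"},
    autoruns={"OneDrive": ONEDRIVE, "Updater": r"C:\ProgramData\svch0st.exe -k"},
    listening={("tcp", 135), ("tcp", 445), ("tcp", 4444)},
)

# Destinations this host is expected to talk to (constructed allowlist).
KNOWN_DESTINATIONS = {"10.0.0.5", "10.0.0.10", "outlook.office365.com"}

# Constructed connection records, as exported from a NIDS or netstat.
CONNECTIONS = [
    {"process": "outlook.exe", "dst": "outlook.office365.com", "dport": 443},
    {"process": "svch0st.exe", "dst": "203.0.113.77", "dport": 8443},
]


def triage_report():
    return diff_snapshots(BASELINE, SUSPECT, KNOWN_DESTINATIONS, CONNECTIONS)


if __name__ == "__main__":
    for f in triage_report():
        print(f"[{f.severity:6}] {f.category:20} {f.detail}")
```

Running the script lists six findings, with the new account, the new autorun and the connection to an unknown address ranked above the new service, process and listener. The value of the approach is that it needs no signatures: anything not in the baseline is surfaced for a human to judge, which is why the baseline must be captured from a build you trust and kept somewhere the suspect host cannot modify.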

* Forms to Gather Information  

Incident handlers should have forms for tracking the information gathered, which can be used later in the process to respond and strategize accordingly once the incident has been identified. 

Phase III: Containment   

In this phase the incident handler starts making changes to the system or network to prevent the incident from spreading to other parts of the network. It consists of short-term containment, system backup, and long-term containment, all of which apply to SMEs as well. 

* How to Contain a Progressing Incident? 

Be aware that once you start the containment process, the perpetrator may realize that you have discovered the incident. Decide in advance whether you want to observe the attacker in the act or cut off their ongoing activity, and follow the instructions defined in Phase I. For containment you can isolate the targeted system from the network (for example by moving it to a quarantine VLAN or blocking it at the firewall), disconnect its network cable, or remove or repoint the DNS record that resolves to the affected host so that clients stop reaching it. Prefer pulling the network cable to powering the machine off: it stops the attacker's access while preserving volatile memory for the forensic team. 

If you don't want to alert the attacker, take a forensic image of the targeted system (disk and, where possible, memory) and search the image for the attacker's tracks and activity, rather than investigating on the live host. 

Phase IV: Eradication 

In this phase, all suspicious files, registry keys, and user accounts are removed from the system; the log entries that recorded the attacker's activity should already have been copied off as evidence before the system is cleaned. Make sure you also remove the root cause of the incident so that the same vulnerability in the system or network cannot be exploited again. Use the pre-defined tools for this phase. Two options are available: restoring the system from a backup, or rebuilding the system from scratch. 

* Restoring System Using Backup 

For this option you need a backup taken before the compromise. This is undoubtedly a risky affair, because many incidents go unnoticed for days, weeks, or in some cases months, so the backup may itself contain the attacker's tools. If you want to restore from backup, check it for rootkits, viruses, and backdoors before going ahead, and confirm that it predates the earliest evidence of compromise you found in the logs.  
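The two checks just described, as an added example that is not code from the original article: before a backup is restored, a Python routine first confirms that the backup predates the earliest indicator of compromise (the dwell-time problem the text warns about) and then compares every file in it against a SHA-256 manifest taken from the known-good build, so that a tampered file or a file the attacker dropped blocks the restore. The file contents, manifest and timestamps are constructed for illustration. Note the limits: a manifest check catches modified and added files but not a rootkit that hides files from the backup tool itself, so the backup should be read from offline media, and the manifest must be stored where an attacker on the host cannot rewrite it.

```python
# Added example, not code from the original article: verify a backup before
# restoring it. All file contents, hashes and timestamps are constructed.
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """path -> sha256 for a known-good file set; run this on the clean build."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_backup(manifest, backup_files, backup_taken_at, earliest_ioc_at):
    """Return (ok, reasons); ok is True only when nothing blocks the restore."""
    reasons = []

    # Dwell-time check: a backup taken after the intrusion began is not clean.
    if backup_taken_at >= earliest_ioc_at:
        reasons.append(
            f"backup taken {backup_taken_at.isoformat()} is not older than "
            f"earliest indicator {earliest_ioc_at.isoformat()}")

    # Integrity check against the known-good manifest.
    for path, content in sorted(backup_files.items()):
        expected = manifest.get(path)
        if expected is None:
            reasons.append(f"unexpected file not in manifest: {path}")
        elif sha256_hex(content) != expected:
            reasons.append(f"hash mismatch: {path}")
    for path in sorted(set(manifest) - set(backup_files)):
        reasons.append(f"file missing from backup: {path}")

    return (not reasons, reasons)


# Constructed known-good file set from the clean build.
CLEAN_BUILD = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/local/bin/nightly-backup.sh": b"#!/bin/sh\ntar czf /srv/backup.tgz /var/www\n",
    "/var/www/html/index.php": b"<?php echo 'hello'; ?>\n",
}
MANIFEST = build_manifest(CLEAN_BUILD)

# Constructed timeline: first suspicious login seen in the logs, and when each
# candidate backup was taken (all in UTC, as the Phase I note requires).
EARLIEST_IOC = datetime(2024, 3, 10, 14, 0, tzinfo=timezone.utc)
GOOD_TAKEN = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
TAINTED_TAKEN = datetime(2024, 3, 12, 2, 0, tzinfo=timezone.utc)

# A backup taken before the intrusion: identical to the clean build.
GOOD_BACKUP = dict(CLEAN_BUILD)

# A backup taken after the intrusion began: sshd hardening reverted and an extra
# PHP file dropped into the web root (placeholder content, not real malware).
TAINTED_BACKUP = dict(CLEAN_BUILD)
TAINTED_BACKUP["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
TAINTED_BACKUP["/var/www/html/.cache.php"] = b"<?php /* dropped by attacker */ ?>\n"


def check_good_backup():
    return verify_backup(MANIFEST, GOOD_BACKUP, GOOD_TAKEN, EARLIEST_IOC)


def check_tainted_backup():
    return verify_backup(MANIFEST, TAINTED_BACKUP, TAINTED_TAKEN, EARLIEST_IOC)


if __name__ == "__main__":
    for name, check in (("good", check_good_backup), ("tainted", check_tainted_backup)):
        ok, reasons = check()
        print(f"{name}: {'RESTORE OK' if ok else 'DO NOT RESTORE'}")
        for r in reasons:
            print("  -", r)
```

The tainted backup is rejected for three separate reasons (taken after the first indicator, a config file whose hash no longer matches, and a file that is not in the manifest at all), while the older backup passes. The dwell-time check is only as good as the timeline you built during identification, which is another reason the clocks of your logging tools must agree.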

* Rebuilding the System  

Remove the vulnerabilities that were exploited before your sensitive data is compromised again, and validate the security of the rebuilt system before it goes back online. 

Phase V: Recovery  

In the previous phase you validated the security of the system; in this phase you check its operational status. 

* Things to Keep in Mind 

Before the system goes back online, validate both its security and its operational status. Monitor the restored system closely so that any reinfection is detected at the earliest possible stage. This phase is much easier to carry out in a smaller organization than in a larger one. Again, use your monitoring tools to watch for any threat still lurking in your environment. 

Phase VI: Lessons Learned  

In this last phase, a report is documented for future use. In small organizations it is wiser to produce a short report than a lengthy one that nobody will read. 

* What to Include in this Report?  

In this concise report, make sure to include the following details: 

  • Details of the compromised system(s)  
  • The root cause of the attack  
  • Step-by-step process to handle and contain the incident  
  • The recovery processes  
  • Steps to avoid the incident in the future 

For an in-depth understanding of incident handling, look at the EC-Council Certified Incident Handler (E|CIH). The program covers what an incident handler needs to know, including the relevant skills, processes, and tools. It is mapped to the NICE 2.0 and CREST frameworks, making your skill set one of the most in demand in the industry. Under the E|CIH program, you will acquire technical skills that can be put to use in real-world situations like the ones described above. 

Editor's Note:
Reviewed by Dawie Wentzel, Head of Cyber Forensic Investigations at Absa Group Ltd and William Yurek, Founder / President at Inspired Hacking Solutions, LLC