Skip to main content
main content, press tab to continue

Cyber Incident Preparedness – Building a ‘good enough’ incident response plan

Cyber Security Awareness - Blog series: 5

December 7, 2023

Our cyber team collaborate their insights to help ask questions and provide answers during Cyber Security Awareness Month.
Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

In our last blog we asked readers if their approach to and strategy for cyber incident response was ‘good enough’. Hopefully you will have had time to consider this broad question, and at least assessed whether you believe your plan to be sufficiently effective.

No two cyber incident response plans will (nor should) be the same. How can they be; cyber incident response is an intimate set of decisions, actions and processes that apply to your business and your people – there’s no ‘copy and paste’ option for such a critical component of your wider business response, recovery, and business continuity efforts, or at least there shouldn’t be.

That said, there must of course be structure and consistency of language. Multiple business stakeholders will have roles and responsibilities within the plan, and so it must be developed to cater for and be usable by all. Yes, it is likely that your technical and IT security teams will require a more detailed set of plans that delve into the 1s and 0s of technical incident response, but for this blog we are going to focus solely on the business response to cyber crises.

Stressed, confused, angry? Don’t panic, that’s normal

Before we get into the plan in a little more detail, we must first address the obvious – cyber incident response, in the real world, can be scary. Typical human emotions will kick-in, and you’re going to be expected to make business critical decisions without full knowledge of precisely what’s happening to you and your business. Did I mention that you’re likely to have only minutes, not hours or days, to make these decisions?

I’m sorry it must be like this, but that is the reality - you are going to feel stress, pressure, panic, and confusion; hopefully you can take some comfort from knowing that these emotions are totally normally and are indeed expected. If cyber incident response was a stroll in the park, well, we wouldn’t be here talking right?

Here’s some key points for business leaders to remember at this stage:

Preparedness is critical

Your cyber incident response plan/playbook is only your guide; it won’t have all the answers. Incident simulation and testing (of the plan) will build awareness of responsibilities, comfort in processes, and will highlight any opportunities for improvement.

Your IT team will have minutes to respond

Trust and empower them, they are the professionals, but they can’t (and won’t want to) make all the decisions. Provide support and resources, but also look to offer healthy challenge when the time is right.

Every decision matters

All eyes will be on you, internally and eventually (once news breaks) externally. Leadership alignment, communication, and support to each other is going to be vital – this must be a ‘one team’ effort.

Don’t panic

Trust each other and your plans and processes. It’s going to be awful, so expect to be put in a position of extreme discomfort. You aren’t the first business responding to a cyber security incident, and you won’t be the last. You can, and you will, get through this.

Turning a negative into a positive

Most crises, can ironically provide an opportunity to shine by (1) responding decisively, and (2) finding opportunities to improve. There will be bumps, disagreements, and a whole load of uncertainty, but your enactment of the incident plan by a united team with effective communication, will help you respond well, recover successfully, and grow as a business unit.

Getting the basics right

Instead of telling you what should be in your plan, I believe a more effective and personal approach, at this stage, would be to focus on the basics of the plan.

Questions to ask of yourselves and each other

The following questions should help prompt business leaders into thinking about their response to a cyber incident and highlight gaps in knowledge or process, which in turn may act as a baseline to further develop or improve activities. Whilst your IT and security teams will manage the technical response, it is the leaders who will command and control the overall effort. Are your leaders ready and prepared for that?


Question 1: First and foremost, do you have a formal and documented cyber incident response plan?

Question 2: Hopefully you responded ‘yes’ to the first question, if so, where is it and who controls your plan? Can it be accessed if systems are down?

Question 3: Will you activate your Crisis Management Team (CMT)? Who is involved, when will it be activated and who will make that decision? Do you know how and when to declare a cyber security incident or crisis? Have you established escalation thresholds i.e., what events would require escalation to business leaders?

Question 4: Do business leaders know what actions and decisions are their responsibility within the plan? Who will be Responsible, Accountable, Consulted and Informed throughout your response process? The eagle-eyed will have noticed a reference to a RACI – RACI matrices are great way of visually articulating who is responsible for what.

Question 5: Do you have a recognised structure of delegated authority? Do all stakeholders understand what roles and responsibilities are delegated by business leaders to the likes of your IT teams? For common cyber threats (e.g., ransomware), have you established incident decision-making diagrams or flowcharts in advance to pre-empt what your response actions may be?

Question 6: How will business leaders and associated parties communicate? Are you located at the same physical site? If not, what systems will you use to co-ordinate your response efforts? Do you have names and contact details (including alternate details) for key plan participants and their deputies?

Question 7: Have you prepared any incident recording or evidence gathering documentation? These might be needed as part of any post-event investigation, so best to have them ready.

Question 8: Have plan participants familiarised themselves with your communication strategies, and do they know how to engage with customers, vendors, and any applicable regulatory requirements? Have you developed any incident response template holding statements to support swift communications?

Easy right? I mentioned earlier, a cyber incident response plan is unlikely to cover every eventuality. However, by responding to the questions above and subscribing to a proactive approach, your business can feel assured they are taking positive steps to building a robust responsive plan – one built for you, and by you.


Global FINEX Cyber Strategy Leader

Associate Director, Consulting and Client Management, CRS – FINEX GB


Engaging Cyber Security Awareness

Contact us for any questions or comment you have from our blog series.

Contact us