In 2020, the COVID-19 pandemic and organizations’ rapid transition to remote operations have created numerous opportunities for threat actors to launch sophisticated cyber attacks, with serious repercussions. Research suggests that since the start of the pandemic, remote workers have caused security breaches in 20% of organizations, while ransomware attacks accounted for over one-third of cyber incident response cases in 2020. Yet another report called 2020 the “worst year on record,” with almost 3000 publicly-reported data breaches, leading to the exposure of a staggering 44+ billion records.

Clearly, cybersecurity incidents are inevitable. However, how organizations respond to an incident can have a tremendous bearing on its ultimate impact. To mitigate an incident’s effect on their data, and ultimately on their revenues and reputations, organizations must take appropriate steps to minimize their vulnerability. Here’s where Incident Response (IR) can play a game-changing role in preparing and protecting organizations from future threats. We must ask four questions when considering Incident Response Plans:

  • What is incident response and why is it important?
  • What are the four phases of incident response?
  • What are the five steps of incident response?

In this detailed guide, we will cover all of these key aspects. We will also explore incident response plans for small businesses, and give examples of incident response plan flow charts.

Let’s start with the most basic question: What is Incident Response?

What is Incident Response?

“Incident Response” (IR) involves more than just responding to a security incident. IR is a systematic, proactive, reactive and preventative approach that enables organizations to prepare for, detect, mitigate, and recover from cybersecurity incidents. It involves both planning and execution, and allows firms to respond effectively to an incident in an orderly and effective manner so that they can minimize its impact and protect their assets, financial health and reputation.

An IR program helps strengthen the organization’s ongoing risk assessment and incident response process. It also supports knowledge-sharing and documentation, and helps with litigation so legal teams can understand the applicable reporting and notification requirements under data breach laws.

Why is Incident Response Important?

A failure to implement an IR Plan (IRP) can have disastrous consequences. It weakens the organization’s security posture and makes them more vulnerable to the business, financial and legal consequences of attacks. Their insurance claims may be rejected, which will affect their bottomline, business continuity and longevity.

Unfortunately, most organizations lack a formal IRP. In fact, IBM found that although organizations using an IRP experienced less business disruption and greater cyber resilience, 51% of them have only an informal or ad hoc plan. The good news is that organizations with an IRP spend about $1.2 million less on data breaches than companies without such preparations.

Many cybersecurity risks are often not detected until it’s too late (280 days on average), which creates numerous operational challenges for organizations. Due to its emphasis on anticipation, adaptation, agility and speed, a formal IRP with clear measures can help eliminate these challenges quickly, and/or minimize their impact.

What Are The Four Phases Of Incident Response?

The National Institute of Standards and Technology (NIST) has created an “Incident Response Life Cycle” that effectively answers the question: What are the four phases of incident response? 

I. Preparation

It is impossible to effectively respond to incidents – much less prevent them – at a moment’s notice. That’s why preparation is critical when establishing IR capability and ensuring the security of the organization’s systems, networks and applications.

Preparation must include all the below activities:

  • Set up an IR team, define responsibilities and clarify their decision-making powers
  • Set up multiple communication and coordination mechanisms, including devices, software and incident analysis resources
  • Create a jump kit containing materials that may be needed during an investigation in order to facilitate faster responses
  • Conduct periodic risk assessments of systems and applications
  • Harden hosts using standard configurations, following the principle of “least privilege”
  • Configure the network perimeter to deny all unauthorized activities
  • Deploy anti-malware software at the host, application server and application client levels
  • Conduct awareness training so users are clear on the appropriate use of networks, systems and applications

II. Detection and Analysis

The second phase helps determine whether a security incident occurred, and analyze its severity and type. The NIST outlines the following steps:

  • Identify the most common attack vectors so as to define specific handling procedures
  • Pinpoint signs of an incident, both current (indicators) and future/possible (precursors) to determine the type, extent and magnitude of the problem, as well as weed out false positives.
  • Analyze and validate incidents to determine their scope, points of origin and attack vectors
  • Document and timestamp all incidents including system events, conversations and observed changes in files
  • Prioritize incidents based on relevant incident-specific factors like:
    • Functional impact
    • Information impact
    • Size
    • Type of resources affected
  • Notify appropriate individuals so they can execute their specific roles and functions

This phase can be challenging for numerous reasons. One, incidents may be detected by many means, making the detection process extremely complex. Next, some incidents are nearly-impossible to detect. Third, the high volume of indicators of potential compromise (IOCs) make it difficult to separate genuine issues from “noise.” Finally, incident analysis is a people-dependent activity, even with automation, so a lack of human expertise can weaken the organization’s detection/analysis capabilities.

III. Containment, Eradication and Recovery

The goal here is to mitigate or minimize the effects of a security incident before it can overwhelm resources or cause too much damage. But it’s necessary to predetermine strategies and procedures. It’s also important to define containment strategies based on acceptable risks and criteria, such as:

  • Potential for resource damage
  • Value and business impact of affected assets
  • Need to preserve evidence/order of volatility
  • Continuity of service
  • Resources and time required to implement the strategy

Other important steps include:

  • Evidence gathering, handling and documentation: For incident resolution and (possible) legal proceedings
  • Identifying the attacking host(s): By validating the attacking host’s IP address, using incident databases, and monitoring possible attacker communication channels
  • Eradication and recovery: By identifying all affected hosts and exploited vulnerabilities, and eliminating components of the incident (e.g. malware)
  • Restore systems to normal operations: By remediating vulnerabilities to prevent similar incidents in future

IV. Post-incident Activity

While cybersecurity incidents cost organizations, on average, $3.86 million, they also provide opportunities for learning and improvement. This is why NIST suggests that every IR program should include a “lessons learned” element based on meetings and follow-up reports that produce a set of actionable data, like:

  • Incident count
  • Time spent per incident
    • Objective assessment via logs, forms, reports, etc.
    • Subjective assessment of performance and outcomes

These metrics can help improve security measures and the incident handling process, and also help with risk assessment and the implementation of additional controls.

What Are The Five Steps Of Incident Response?

What are the five steps of incident response in order in this model?

  1. Preparation: Develop IR policies and guidelines, conduct cyber hunting exercises, assess threat detection capability, and incorporate threat intelligence feeds
  2. Detection and Reporting: Monitor security events, create tickets, and report incidents 
  3. Triage and Analysis: Collect data from tools and systems for further analysis
  4. Containment and Neutralization: Restore systems and resume normal operations
  5. Post-incident Activity: Document all information to prevent similar future occurrences

What is An Enterprise Incident Response Plan, and What are Its Key Steps?

Incident response plan elements

An incident response plan usually includes these elements:

  • The organization’s approach to IR
  • How IR supports the firm’s vision, mission and goals
  • IR phases and activities
  • Personnel roles and responsibilities, a clearly articulated chain of command, and senior management approval
  • Resource and activity prioritization strategy depending on the attack vector, data exfiltrated, and the criticality of the infrastructure components that may be affected
  • Key metrics to capture the capability, effectiveness and performance of the IR program
  • Communications flows between the IR team and stakeholders (internal and external)
  • How lessons learned will be reinforced across the enterprise

An effective incident response framework also includes a tailored IR policy that clearly defines elements, such as: 

  • Purpose, objectives and scope
  • Statement of management commitment
  • Definition of security incidents
  • Definitions of roles, responsibilities, and levels of authority
  • Reporting, communications and information-sharing requirements
  • Handoff and escalation points in the IR process
  • Incident prioritization
  • Performance measures

Standard Operating Procedures (SOPs) should also be defined based on the IR policy and plan. They must specify the processes, techniques, checklists, etc. to be used, and should be tested to validate their usefulness. Training on SOPs can ensure that security incidents are handled efficiently and with minimal impact to the flow of business.

Incident response plan steps

This 7-step process is very effective for creating an effective IR plan:

  1. Prepare for potential incidents with triage exercises and playbooks
  2. Identify the size and scope of an incident by starting with the initial compromised device
  3. Isolate compromised devices to stop the spread of the attack
  4. Eradicate threats by patching devices, disarming malware, disabling compromised accounts, etc.
  5. Recover and restore normal services to the business
  6. Document lessons learned to prevent future incidents
  7. Train staff on incident response

Incident Response Plans for Small Businesses

An incident response plan is critical for small businesses, particularly in a post-COVID world because it can help them react quickly and correctly to security incidents while minimizing cost and potential damage.

Here are the steps to create an incident response plan for small businesses:

  • Identify possible security incidents that could impact the business
  • Decide how to react to each incident
  • Identify the personnel who will be responsible for handling incidents
  • Implement internal and external communications channels
  • Consolidate this information to create a comprehensive plan
  • Practice incident response
  • Adjust the plan as needed

Incident Response Plan Flowchart

A fllowchart can be a great way to visualize the creation steps outlined in the previous two sections. Below is a good example of one: 

Incident Response Team

The IR team’s main goal is to ensure that the proper response is initiated with any security incident. It should include specialized sub-teams, each with a job to do. These include:

  • Security Operations Center (SOC): The first line of defense to triage security alerts
  • Incident Manager: To determine incident response and a plan of action with various stakeholders
  • Computer Incident response Team: To provide expert technical inputs
  • Threat Intelligence Team: To constantly assess the cyber threat landscape and strengthen the organization’s security profile

Incident Response Plan Examples and Templates

Instead of building your IRP from scratch, you can save time and effort by starting from a template. One such example is provided by the California Department of Technology here. It discusses the steps to be taken to implement an incident response plan, and to prevent the intrusion from happening again. Another template from the Criminal Justice Information Center provides guidelines on how an incident response plan can be written in order to respond to security incidents.

Automated Incident Response

As soon as suspicious activity is identified, our Evolve Security Automation platform triggers Automated Incident Response procedures to ensure the incident is contained as quickly as possible to minimize any negative impacts to your organization.


Incident response begins as soon as a threat is detected in a company’s environment. With a detailed incident response plan, the organization can properly prepare for and plan to prioritize actions and minimize potential damage in the event of an incident. The threat landscape is widening and will continue to do so over the next few years. In this scenario, incident response is as critical for large enterprises as it is for small businesses, not only to regain control over systems and data, but to ensure business continuity in an unstable world.