Please fill in the form below to subscribe to our blog

Cybersecurity Disaster Preparedness 101: Incident Response Planning

September 16, 2020

Every company needs to take incident response planning seriously, as we all learned in 2020 

Emergency preparedness is essential for smooth emergency response – and the faster you respond to an emergency, the better. September is National Preparedness Month. As you’re reviewing the other disaster preparedness plans in your life, it’s time to make sure that your incident response planning is still up to date, especially around cybersecurity.

We’ll be covering a different aspect of Cybersecurity Disaster Preparedness Planning every Thursday in September including business continuity planning, incident response planning, cybersecurity planning facts to consider, and lessons learned from the COVID-19 pandemic to give you the information that you need to update your Cybersecurity Disaster Plan for 2021.

Learn how to defeat terrifying cybersecurity monsters to keep systems & data safe in a dark world! READ IT IF YOU DARE!>>

Incident Response Planning saves time, money, and your sanity.

Incident response planning can be challenging and confusing. But as we’ve all discovered in 2020, a disaster can come out of nowhere to cause trouble. So, creating a solid cybersecurity incident response plan for the most likely scenarios that your business could face (and a few unlikely ones) can not only shave precious time off of the response to a disaster like a ransomware incident or a data breach, it can be helpful as you seek to mitigate other unexpected disasters.  

While there are several popular guides for incident response plans, the most fundamental industry-standard plan uses the framework developed by the National Institute of Standards in Technology (NIST)

The NIST Incident Response Lifecycle contains four steps: 

  • Preparation 
  • Detection and Analysis 
  • Containment, Eradication, and Recovery 
  • Post-Incident Activity 

Understanding and adequately accomplishing each step is vital to creating an efficient incident response plan. You can see the agency’s breakdown in the basic NIST Incident Response Planning Guide

10 Essential Cybersecurity Disaster Facts: 

dark web economy represented by the words dark web in white on a black background blurred like a faint tv transmission

Are you ready to take back control of cyberattack risk from the villains on the dark web? This webinar shows you where to start. WATCH NOW>>


This may be the hardest step, because it’s easy to rush through it. The Dale Carnegie maxim “An hour of planning can save you 10 hours of doing” explains exactly why you shouldn’t rush through this two-part step. 

Create a team 

If something like ransomware infects your systems, who gets the first call? Who do they call? Who has access to the things that are needed to triage the problem? Who needs to be informed?  

In an emergency, you need to be able to answer these questions quickly and definitively. That’s why every business should start its incident response planning with establishing an incident response team, and setting the hierarchy, responsibilities, and capabilities of that team in stone – in an emergency, you don’t have time to waste on deciding who does what. 

Establish a protocol 

How exactly will everyone be informed and get their instructions on how to handle the incident – and who is empowered to make hard decisions

The framework of your plan can use any criteria you choose and be customized for your business. The most important part of this step is to establish the parameters of your planning framework, then use that framework to create your response plan for every incident. Consistency in format and layout for each plan will make it easy for your incident response team to follow it during a disaster, enabling them to stay focused on the next two steps.

Learn why ransomware is today’s nastiest threat and how to defend against it in Ransomware 101. READ IT>>


The first step to fixing the problem (and mitigating the damage) is to figure out the problem. To continue with the ransomware scenario, this is the step where your experts get a SITREP and find the cause, extent, and location of the damage. 

50% of IT pros do not believe their organization is prepared to repel a ransomware attack. Is yours? Build stronger defenses with the strategy in Ransomware Exposed. DOWNLOAD NOW>>



Has the ransomware spread? Can you put the brakes on it and prevent it from going anywhere else? What systems and data did the affected computer have access to? Can this incident be handled remotely?  

If you’re using Passly, each staffer will have their own, unique LaunchPad that enables your IT staff and incident response team to quickly add and remove access remotely. Otherwise, this is where your detective work and forensics from step one inform your decisions.  


Can you remove the ransomware?  Can you restore your data and systems from backup? What will you do if you can’t?

This is the step where your team decides what the most expedient and effective way of eliminating the problem is for your business. Every business had unique needs and capabilities, so this step may vary dependent on the systems and data affected. You may want to include multiple options that account for each variable that affects the choices that your team makes here.  


Where are the backups? Who has access to the systems and software that you need to get back to work? How do you fix the damage?

In our ransomware example, this step is where you’d restore your data from backups, reboot machines or add new ones, and reinstall any necessary software. With Passly’s Secure Shared Password Vaults, companies are more easily able to make sure that staffers have access to essential administrator and privileged user credentials, but they’re stored securely to keep them safe from cybercriminals.

us government hack by suspected russsian cybercriminals represented by a hacker in a hoodie in silhouette against a russioan flag created in binary code

Go inside the world of hackers and see how it really works with these true tales of cybercrime undercover operations! WATCH NOW>>


Is there reporting to be filed with the government or industry officials?  What went right with your incident response plan? What went wrong with your incident response plan? How can your team improve their performance next time? 

After the incident ends and you’ve started getting back to normal, it pays to immediately analyze your incident response plan and your team’s performance. Finding weaknesses in the plan will help you create a more efficient plan for next time – because there will be a next time, so refining your plan matters.

Then, spend some time determining what you can do to reduce the chance of this being a problem for your business in the future. In our scenario, a staffer unleashed a ransomware nightmare because they were fooled into interacting with a phishing email. How can you prevent that from happening again?

Practice Makes Perfect 

Solid, clear, sensible incident response planning will save you time and headaches in an emergency – and save money by preventing expensive response and recovery mistakes. Review your plan and practice your incident response at least once per year in order to make sure that it still fits your needs. By adequately planning ahead for cybersecurity incidents, you’ll have confidence that your team is ready for anything.  

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!