Building Your Incident Response Plan Without a Security Team
Every cybersecurity expert tells you to have an incident response plan. Few acknowledge that most small businesses don’t have security teams, dedicated IT staff, or any idea where to start.
Let’s fix that.
Why Bother With a Plan?
During a security incident, people panic. They make bad decisions. They waste time figuring out who should do what. Critical evidence gets destroyed by well-meaning attempts to “fix” things.
A plan doesn’t prevent any of this completely, but it helps. Having something written down - even something imperfect - is dramatically better than figuring it out while your systems are encrypted and your clients are calling.
Your cyber insurance almost certainly requires a plan. And increasingly, larger clients want to see one before they’ll work with you.
The Minimum Viable Plan
Forget the 50-page enterprise documents you’ll find online. Here’s what actually matters for a small business:
Section 1: Key Contacts
Who do you call when something bad happens? Write it down. Include:
Internal contacts:
- The person making decisions (usually the owner/director)
- The person managing IT (even if that’s also the owner)
- Anyone with admin access to critical systems
External contacts:
- Your IT support provider (if you have one)
- Your cyber insurance provider and policy number
- The incident response firm your insurance recommends (call them now and find out)
- Your lawyer
- ACSC ReportCyber: cyber.gov.au/report
System contacts:
- Microsoft 365 support (or Google Workspace)
- Your bank’s fraud line
- Your accountant
- Key clients who’d need to know about a breach
Put this on a single page. Print copies. Store them somewhere accessible even if your computers are down.
Section 2: What Counts as an Incident?
People need to know what to report. Give clear examples:
Report immediately:
- Ransomware message appears
- Someone can’t log in and suspects their account is compromised
- Someone transferred money and now suspects fraud
- Unusual behaviour on systems (files disappearing, programs running that shouldn’t be)
- Someone clicked a suspicious link and entered credentials
Report same day:
- Suspicious email that was opened/clicked (even if nothing obvious happened)
- Lost or stolen device with access to company data
- Former employee still has access they shouldn’t
Report when convenient:
- Suspicious email that wasn’t clicked
- General security concerns or questions
Section 3: First Response Steps
What should the person who discovers an incident do? Keep it simple:
Don’t panic. Rushed actions often make things worse.
Don’t turn off the computer (evidence can be lost). Do disconnect it from the network - unplug the ethernet cable, turn off Wi-Fi.
Don’t try to fix it yourself unless you genuinely know what you’re doing.
Do contact [name] immediately. Outside business hours, call [phone number].
Do write down everything you remember. What did you see? What did you click? What time? What was on screen?
Section 4: Decision Tree
Once leadership is involved, what happens next? Here’s a basic framework:
Suspected compromised account:
- Reset the password immediately
- Enable MFA if not already active
- Review recent activity in the account
- Check for mail forwarding rules (attackers often add these)
- Notify anyone who might have received suspicious emails from the account
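One way to do the forwarding-rule check above across every mailbox at once, as an added example that is not from the original article. It uses Microsoft's ExchangeOnlineManagement PowerShell module (an assumption the article does not mention) and assumes you can sign in as an Exchange administrator; it only lists what it finds and changes nothing.

```powershell
# Added example, not from the original article: list every mailbox forward and
# inbox rule in Microsoft 365 that sends mail elsewhere or hides it, so rules an
# attacker added to a compromised account stand out. Assumes the
# ExchangeOnlineManagement module is installed (Install-Module ExchangeOnlineManagement)
# and that you sign in with an Exchange administrator account.
Connect-ExchangeOnline   # interactive sign-in; expect an MFA prompt

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding (set by an admin, or by an attacker with admin rights)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox   = $mbx.PrimarySmtpAddress
            Type      = 'MailboxForwarding'
            Rule      = ''
            Target    = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            KeepsCopy = $mbx.DeliverToMailboxAndForward
        }
    }

    # Inbox rules created inside the mailbox itself (the usual attacker technique)
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ })
        # Forwarding to anyone, or deleting messages, is worth reviewing either way
        if ($targets.Count -gt 0 -or $rule.DeleteMessage) {
            $type = if ($rule.DeleteMessage) { 'RuleForwardOrDelete' } else { 'RuleForward' }
            $findings += [pscustomobject]@{
                Mailbox   = $mbx.PrimarySmtpAddress
                Type      = $type
                Rule      = $rule.Name
                Target    = ($targets -join '; ')
                KeepsCopy = -not $rule.DeleteMessage
            }
        }
    }
}

# Anything pointing outside your own domains, or silently deleting mail, needs
# checking with the mailbox owner straight away. Remove confirmed bad rules with
# Remove-InboxRule only after you have noted their details for the incident record.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a machine you trust, not the one that may be compromised, and keep the output with your incident notes.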
Suspected malware/ransomware:
- Isolate affected systems (network, not power)
- Call IT support and/or insurance incident response line
- Do NOT pay any ransom without professional advice
- Assess whether backups are intact and safe
- Prepare for potential extended downtime
Suspected data breach:
- Determine what data may have been accessed
- Call your lawyer - there may be notification requirements
- Report to ACSC via ReportCyber
- Assess notification requirements under the Privacy Act (notifiable data breaches)
- Prepare communication for affected parties
Business email compromise (money transferred):
- Call your bank immediately - sometimes transfers can be reversed
- Document all details of the fraudulent transaction
- Report to police (Australian Cybercrime Online Reporting Network)
- Notify your insurance
- Identify how the compromise occurred and fix it
Section 5: Communication Templates
During an incident, you’ll need to communicate with people. Having templates ready saves time and reduces mistakes.
Internal notification:
Team - We're currently investigating a potential security incident.
Please avoid logging into [system] until further notice.
If you notice anything unusual, contact [name] immediately.
Updates will follow as we learn more.
Client notification (if needed):
Dear [Client],
We are writing to inform you of a security incident that may have
affected your information. We discovered [brief description] on [date].
The information potentially affected includes [specifics].
We have taken the following steps: [actions taken].
We recommend you [suggested actions for client].
If you have questions, please contact [name] at [contact details].
We apologise for any concern this may cause.
Regulators (if notifiable breach): Don’t wing this one. Use the OAIC Notifiable Data Breaches form and get legal advice before submitting.
Section 6: Recovery and Review
After the immediate incident is contained:
Document everything. What happened, when, what actions were taken, by whom.
Review with your insurance and legal. They’ll guide ongoing steps and documentation.
Conduct a post-incident review. What went well? What went badly? How did they get in? What changes prevent recurrence?
Update this plan based on what you learned.
Making the Plan Useful
A plan sitting in a drawer helps nobody. Here’s how to make it practical:
Keep it short. Nobody reads 50 pages during a crisis. Aim for 5-10 pages maximum.
Store it somewhere accessible. If it’s only on your server and your server is encrypted, good luck. Print copies. Store a version in your password manager. Email it to key people.
Review it annually. Contacts change, systems change, threats change. Set a calendar reminder.
Do a tabletop exercise. Once a year, gather your key people and walk through a scenario. “The accounts team just received this ransom note. What do we do?” You’ll find gaps in your plan.
Test your backups. The plan probably assumes you can restore from backup. Verify that’s actually true.
Starting Today
You don’t need to write a perfect plan. You need to start.
Today, create a one-page contact list. Names, phone numbers, roles. That single page will be more valuable in a crisis than nothing.
Tomorrow, add the first response steps. What should someone do if they think something’s wrong?
Next week, flesh out the decision trees and communication templates.
In a month, you’ll have a working incident response plan. It won’t be enterprise-grade, but it’ll be there when you need it.
And you will need it. The only question is when.