Imagine your business opens tomorrow morning to discover that every computer is locked, a ransom demand is on every screen, and your backup drive — plugged into the server — is also encrypted. What do you do in the next 60 minutes?

If your honest answer is “I don’t know,” you’re in the majority. Research consistently shows that the vast majority of small businesses have no documented cyber incident response plan. And while that’s an understandable gap — there are a thousand other demands on a small business owner’s attention — it’s one of the most consequential.

Why the First Hour Matters So Much

Cyber incidents are not static events. They evolve. Ransomware, once deployed, may still be spreading. An attacker with access to your network may still be active. Data may still be leaving the network. Every minute without a coordinated response allows the situation to worsen.

The decisions made in the first hour — which systems to isolate, who to call, whether to shut down connectivity, what evidence to preserve, whether to contact customers or regulators — have disproportionate impact on the ultimate outcome. Making those decisions well under pressure, with no preparation, is extremely difficult.

The organisations that handle incidents well almost always share one characteristic: they’ve thought about it beforehand. They have a plan. They practice it. When something happens, they execute rather than improvise.

What a Basic Incident Response Plan Covers

You don’t need a 100-page enterprise security playbook. A practical small business incident response plan addresses:

Who does what. Name specific people for specific roles. Who is the incident coordinator? Who handles technical response? Who communicates with customers and suppliers? Who contacts the insurer? Who handles media enquiries if it escalates? In a crisis, “someone should probably…” leads to everyone assuming someone else is handling it.

How to reach everyone. Your incident plan needs to be accessible when your systems are compromised — which means a physical printed copy, not a document on your server. It should include mobile numbers, not just work email addresses.

First actions by scenario. Different incidents require different initial responses. Ransomware: isolate affected systems from the network immediately, do not pay, call your IT provider. Phishing success: change compromised credentials immediately, review what was accessible. Unknown device on network: isolate it, don’t alert the potential attacker, investigate. Having pre-defined responses prevents improvised decisions that make things worse.

What not to do. Common mistakes in the first hour of an incident include: continuing to use compromised systems, attempting to delete evidence in a misguided cleanup effort, paying a ransom without legal advice, notifying everyone immediately before assessing the situation, or — conversely — telling no one and attempting to handle it internally without appropriate expertise.

Notification obligations. Your plan should specify the notification obligations relevant to your business: the regulator (72 hours for GDPR breaches), your insurer (typically immediate), your bank (if financial fraud is involved), affected customers (if required). Having the contact details and notification templates ready in advance means compliance under pressure is more achievable.

Your IT provider. The number for your technology partner should be on the first page of your incident plan. Not “find the IT company’s website and submit a support ticket.” A direct line.

The Backup Question

Any incident response plan must address your backup situation honestly. The questions that matter:

  • Do you have backups?
  • When were they last tested? (A backup you’ve never restored is a backup you cannot trust.)
  • Are they isolated from your main network? (Backups on a drive plugged into the server that ransomware can reach are not useful.)
  • How quickly can you restore from them?
  • What would you lose if you restored from the most recent clean backup?

The answers to these questions determine how bad the worst case is. Businesses with clean, tested, isolated backups recover from ransomware. Businesses without them face a much starker choice.

Tabletop Exercises

One of the most effective ways to test an incident response plan requires no technology and less than an hour: a tabletop exercise. Sit down with the relevant people, walk through a realistic scenario (“it’s Monday morning and we’ve discovered ransomware on three computers — what do we do?”), and follow the plan. The gaps and uncertainties that emerge reveal what needs to be addressed before a real incident.

This doesn’t need to be elaborate. An honest conversation about what you would actually do in specific scenarios is more valuable than an untested document.

Where W3IT Fits In

Having a trusted technology partner before an incident occurs is qualitatively different from trying to find one during one. W3IT builds an understanding of your environment — your systems, your network, your critical assets — that makes our response faster and more effective if something goes wrong.

Our monitoring reduces the likelihood that an incident develops undetected. But when something does happen, we’re the number on page one of your plan.

We help small businesses develop practical incident response documentation that reflects their actual environment. Not a template pulled from the internet, but a real plan for your specific systems, your specific team, and your specific risks.

If you don’t have a plan, this is the simplest possible starting point: book a security review. We’ll assess your current posture, identify your most significant risks, and help you understand what your response capability looks like today.

The time to make a plan is before you need one.
