Incident Response Planning: Preparing for a Potential Cyber Attack - Barnes Commercial Limited
Incident Response Plan

How to create an incident response plan

Incident Response Plans - How to Prepare for a Cyber Attack 

Incident response plans (IRPs) map out a set of procedures that your business can use to identify, eliminate and recover from cyber-security threats. If carried out effectively, response plans can minimise the damage caused from potential attacks, including data breaches, loss of customer trust and in turn reputational damage to your business.

In order to develop a successful IRP, a great deal of consideration must be taken to tailor each stage of the planning process to your business. The procedures planned will be based on which threats are of the highest likelihood to your sector meaning every businesses IRP will be largely unique to them.

Therefore, we thought it would be useful to produce a guide based on information from our insurer partner CFC Underwriting to get you started with creating your own incident response plan so if the unexpected happens, your business is prepared.


Incident response planning

Let’s first outline the basic phases of an IRP

  1. Preparation

The first phase of your IRP should involve assigning everyone in your incident response team a particular role and ensuring they know exactly what their responsibilities are. Once this is established, drill scenarios should be regularly conducted to evaluate and amend your IRP. Key questions for you to address in phase 1 could include:

  • Who will be contacted in the event of a cyber attack? IT, senior management, legal teams, HR and your insurance provider will all play crucial roles.
  • Are all members of staff properly trained on security policies?
  • Does the incident response team know their roles and who to notify if an incident occurs?


  1. Incident Identification

This is the process in which you determine whether a breach has occurred and how severe the response needs to be. Pre-determined severity scales ranging from critical to low severity could be used in this instance. During this stage, some considerations must be taken. Questions to ask yourself might look like:

  • To what extent is the breach?
  • Has the source of the event been discovered?


  1. Process of containment

During this stage, your incident response team must decide on how to contain the breach. One method is deleting files, however this prevents you from detecting where the point of entry during the breach occurred. Another and possibly more effective method of containment is to disconnect devices from the internet as well as disabling remote access or wireless access points. Things to consider during the planning of the containment phase are:

  • How is the breach going to be contained in the short and long term?
  • Are there any offline backups of company data?


  1. Eradication

The IRP team must then locate and securely remove any malware or threats present on your system. Following this, steps need to be taken to ensure another incident through the same point of entry doesn’t occur. This might mean replacing weak authentication methods by enabling multi-factor authentication, patching any vulnerabilities within your software, or updating and hardening passwords frequently.


  1. Recovery

The final phase is carefully returning your systems and devices back online whilst ensuring another breach doesn’t occur. During this process it is imperative that an analysis is carried out in order to decide when the systems can be used again. Frequent monitoring of the systems to verify that those affected are running as normal should also take place. During this time, questions to think about might include:

  • Is there a trusted back up of data that can be used to restore operations?
  • How long will the systems be monitored for?


Document and share your plan

To help mitigate the risks, your business’ plan should be well documented and available to your IRP team so in the event of an incident, procedures can be followed efficiently. On reflection of an incident, weaknesses within the plan can then be pinpointed and amended. To help you with this, an existing framework from one of our insurance partners, CFC Underwriting, can be utilised. This is offered to all their cyber policy holders. Alternatively, the following web page includes some online IRP templates.



Add Cyber Liability Cover

Ultimately your cyber security strategy and internal measures are going to be the key factor in protecting your business. Although it’s imperative to prepare, sometimes things don’t go to plan, which is why we recommend a comprehensive cyber liability policy alongside a robust IRP to support your business. This means complete peace of mind should the worst happen; you are in an excellent position to recover quickly with minimal disruption to your business operation.

We can offer you expert risk management advice and arrange Cyber Liability Insurance for your business.

Talk to us about Cyber Liability Insurance today – call us on 01480 272727 or drop us an email at

Nick Long

Authored by: Nick Long

Head of Insurance

01st October 2022

Contact us today

"*" indicates required fields