Why Every Organization Needs An Incident Response Plan

An incident response (IR) plan is a structured set of instructions that guides an organization in detecting, responding to, and recovering from security incidents. IR plans typically address cyber-attacks, data breaches, and service outages.

Every business should have an incident response plan in place because it is not a matter of if your organization will suffer a security breach, but when. An incident response plan is a critical part of a successful security program because it establishes, in advance, what measures your organization will take when responding to a breach. By being prepared with a plan, you can minimize the damage done to your infrastructure, data, and public image, and recover faster from a security event. Incidents that are not handled properly can escalate to devastating data loss or even, in extreme cases, force you to cut your losses and close your business entirely. A fast response limits losses, restores services sooner, and reduces the risk of repeat incidents by closing the gaps the attacker exploited.

Gaps in your organization's cyber security that aren't dealt with can be expensive. You may face regulatory fines, legal fees, and data recovery costs. They can also impact future profits by blemishing your reputation and driving away current and potential customers. Additionally, a documented incident response plan is commonly required to qualify for cyber insurance.

Entara follows the National Institute of Standards and Technology (NIST) IR framework (NIST SP 800-61). The NIST process is a cyclical standard that includes ongoing learning and adaptation in order to best protect the organization against evolving threats. It includes four main phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

Preparation

The first step in IR is preparation. This should occur before a breach is ever detected, so that your IT team is on the same page and has all important action steps and relevant information ready to go. In this phase, you should identify all key contacts and their contact information, and agree on the method(s) of communication you will use, including an out-of-band channel in case email or chat is itself compromised. You should also maintain an inventory of your assets, such as servers, networks, applications, and critical endpoints, so responders can quickly judge what an affected system is and how important it is. Ideally, your incident response plan should include playbooks for several types of cyber security incidents, and you should run mock scenarios to identify weak points in your plan and your environment. Entara helps clients finalize this step of their IR plan through our Business Continuity and Disaster Recovery (BCDR) Assessment and Cyber Security Tabletop Exercises.

Additionally, a common ramification of a breach is data being lost or encrypted. Because of this, we recommend having a backup system in place so you do not lose data permanently and are not forced to pay a ransom to regain access to it. For backups to be useful in a ransomware scenario, at least one copy must be kept offline or otherwise isolated from the production network, so an attacker who compromises your environment cannot encrypt or delete it, and restores should be tested regularly so you know they work before you need them.

Detection and Analysis

In the event of a security breach, the first priority is to detect and analyze the threat. Detection usually comes from security systems in your environment (endpoint protection, logging and monitoring, alerts) or from a report by personnel. Once a detection is made, analysis should begin immediately. Your team should gather as much information as possible in this phase, such as which systems and accounts are involved, how the attacker got in, and what data may have been accessed, to determine the impact and severity to your systems.

Containment, Eradication, and Recovery

Once the entry point and breadth of the impact are determined, the next step is to contain the breach so it doesn't spread and cause further damage to your business. Common action steps we recommend include disconnecting or isolating affected users and devices from the network, confirming your backup system has not been compromised, and resetting user credentials and passwords, starting with privileged and administrative accounts. Where possible, isolate affected machines rather than powering them off, and preserve logs and other evidence before wiping or reimaging anything; that evidence is what the analysis and post-incident review depend on.

In order to eliminate the cause of the security breach, such as malware or a compromised account, it may be necessary to bring in additional security experts to both eradicate the current issue and update your security controls to mitigate a similar threat in the future.

After the breach is contained and the cause has been removed, restore any affected systems and devices from known-good backups or clean builds, verify they are no longer compromised, and get your operations up and running again. Throughout, document everything about the breach and your response, since that record is what lets you judge the strengths and weaknesses of your plan in the post-incident review.

Post Incident Activity

Following an incident, there should be a root cause analysis or post-mortem that includes a lessons-learned review of the incident from start to finish. This may identify gaps in processes, system configurations, and controls, as well as learning opportunities to teach your team how to better protect against and respond to future security incidents.

Entara: Incident Response, Remediation and Recovery Consultants

Our 24/7 security incident response team helps companies recover quickly and efficiently during some of the darkest days in their organization's history. We focus on the root issue that caused the security breach, not only to mitigate similar events in the future but to provide insight on the evolving threat landscape and offer proactive solutions. We handle the situation so you can focus on what you do best: running your business. Connect with us if you're ready to strengthen your cyber security stance and want to prepare for the unpredictable with a comprehensive IR plan and other vCISO services.