header image

“When it Hits the Fan, You Need a Plan”: Getting Incident Response Preparation Right

Daniel Caplin 12 January 2021
12 January 2021    Daniel Caplin

Challenging Insecurity: A Roadmap to Cyber Confidence

In our latest report, we demystify the drivers of insecurity among cyber security professionals, in so doing, mapping a path to cyber confidence.

Download Report

Those of you up to date with the cyber security industry’s spiel will have heard the increasingly popular maxim ‘it’s not a matter of if you will experience a cyber-attack, but when’. As much as this may seem like scaremongering, there’s a grain of truth to it. Most cyber defence experts when pushed are forced to admit that, at least for the moment, the bad guys are winning the arms race in cyber. The reasons for this are varied, including increasing information and tool sharing between cybercriminals, increasing complexity of organisations’ IT environments making it more challenging for security teams, and a skills shortage in the cyber security job market, amongst others. The long and short of it is that you need to be prepared for the worst, and that means having confidence in your planning, capabilities and the team that you will – at some point – have to rely on to help you deal with an attack when it happens.

Too much advice, too little focus

The million-dollar question is how should you prepare? Received wisdom from regulators, cyber security firms and governments alike is that a central pillar of any preparations should be to create and rehearse an incident response plan. Experts will go on to claim that a well-established incident plan will reduce the impact – and ultimately the costs – of attacks when they happen.

However, a confusing array of different plan templates, guidance and advice await those looking to understand what a good incident plan should contain. The variety comes because there is no one-size-fits-all approach. Unfortunately, this means that when incidents happen, even those with plans may not use them. Over hundreds of incidents, S-RM’s incident response team rarely sees victims using their plans (if they have one). Now don’t get us wrong, this isn’t because plans aren’t useful! It’s because most organisations do at least one of the following three things with their plans:

Overcomplicate: Diligent plan owners often fall into the trap of trying to provide detailed guidance for every scenario. This almost always goes out the window in the “fog of war”, except for the most mature, well-resourced and well-rehearsed response teams.

Tick the boxes: Another common pitfall is to create a plan which follows a “best practice” checklist, but fails to be actually relevant to the organisation and the practicalities of real incidents. This may help you pass an audit, satisfy a regulator or put a nice stamp on those pesky vendor due diligence questionnaires – but it won’t help you respond to an incident when it happens.

File and forget: Many organisations write their plan and then let it gather virtual dust for 18 months until an incident hits. Organisations grow and change without these plans being updated. Also, no one can remember where they are kept.

“Most cyber defence experts when pushed are forced to admit that, at least for the moment, the bad guys are winning the arms race in cyber.”



“The best laid plans go out the window in the fog of war, unless they are second nature.”

Playbooks for the inevitable

Once you have the basics down, the next step is to plan for specific incident scenarios aligned to your risks and then rehearse those regularly. This process is a bit more complicated, but those who achieve this are often able to dramatically reduce the number of serious incidents they experience, as well as halve the costs of the response when they do happen. 

For example, if you’re a law firm and you know that you are likely to be targeted by a nation-state backed group as a result of your work on a contentious international lawsuit with a foreign government, having playbooks for dealing with the inevitable espionage attempts, whether using malware, co-opted insiders or listening devices, can be crucial to minimising your exposure. 

Equally, if you are most worried about ransomware temporarily paralysing your business (realistically a threat to most corporates these days), then having a well-rehearsed playbook for that scenario can ultimately save you from thousands or millions in losses, or in the worst case scenario: bankruptcy. 

Developing those playbooks is also the perfect time to interrogate and understand whether your current technical capabilities are up to task and will detect and contain as many attacks in their early stages. This last exercise is both broad – as it involves understanding your overall security programme in detail – and narrowly specific, when it comes to defining exactly what you need to stop a ransomware threat from a technical perspective (for example, ensuring you have a well-managed heuristic endpoint detection technology, robust control of privileged accounts, secure remote access, etc.)

Concluding thoughts

Clearly, there is a lot to do here if you want to be confident in your ability to “get off the mat” when an incident happens, but the key takeaway is that incident response planning is a process. As with any capability, planning should begin with the basics and receive the right investment to evolve over time. That means it must involve executive management. Finally, above all, practise, practise, practise. As all emergency workers know, the best laid plans go out the window in the “fog of war”, unless they are second nature.


Key Takeaways: 

The basics of an incident response plan

Define the responsibilities of key response leaders. Incident response is rarely simple and typically benefits from a pre-agreed central coordinator, as well as an idea of who should lead common workstreams (such as system restoration activities, forensics, communications, legal, etc).


Decide who can take key decisions. Building on the last point, a serious cyber-attack may trigger the need to take decisions which could have an immediate and long-lasting impact on the business if handled incorrectly, such as when to notify law enforcement or regulators, take customer-facing systems offline, or activate insurance. Knowing who can take those decisions in advance will remove delays and avoid miscommunications that can derail your response.


How to contact response leaders. Hours spent trying to contact response leaders can be critical lost time in an incident. It could make the difference between catching a ransomware group during their planning phase and after they have encrypted all your data. Having a central contact list, an outline of backup methods of communication if, for example, corporate email is down and an idea of a Plan B if critical people are uncontactable is essential.


Know who to call for support. Most internal teams (hopefully) don’t have a lot of experience with large-scale cyber incidents. This means that when a serious incident happens, you will need help from people who deal with them every day, such as specialist data recovery, forensics, legal and public relations firms. Knowing who you would call and having the right paperwork in place in advance to eliminate delays can significantly reduce the impact of an attack. Often this might be in place via your cyber insurance.

S-RM is a global risk consultancy providing intelligence, resilience and response solutions to clients worldwide. To discuss this article or other industry developments, please reach out to one of our experts.

Daniel Caplin
Daniel caplin Associate Director Email Daniel


We reveal the challenges faced by C-suite professionals and senior IT leaders across three key areas of cyber security – budgets, incidents and insurance.

Download Report