Have an Incident Response Plan if You’re Hacked?

Sep 30, 2021 | Uncategorized

With more and more small and medium businesses and non-profits becoming the victims of cyber-crime it is important to know that the correct answer to “Who you gonna call?” The answer to that question isn’t “The Ghostbusters” nor “Alexander Shunnarah.” Having an incident response plan ready in advance means you don’t have to figure this out on the fly.  There may even be steps involved requiring compliance regulations, such as HIPAA. It makes sense to be prepared in the event you are the victim of cyber-crime.

Incident Response Plan

Most experts say an incident response plan has between 4 (NIST)  and 6 (SANS) steps.  They all have the same information; they just break the steps up differently.  The SANS model is:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

As long as you cover all the steps, an incident response plan does not have to be a massive document,  tens or hundreds of pages long.  For a small business that would be overkill.  In fact, our response plan at the time of this writing, is only three pages long.  The first page is general wording concerning HIPAA and the conditions under which the Incident Team Leader should be notified.  The second page is a flowchart of what our response plan folowing the 6 steps outlined above.  The third page is the contact information for the incident response team leader, the PR point person and our lawyer.  That’s it.

You could spend a bunch of time and effort on a great deal of paperwork or even download a template from the internet.  In reality you don’t need to do that.  


All That is Great, But Who Do I Call?

Hopefully, if you are a small or medium sized business or non-profit you have a good working relationship with a professional IT firm.  Your first call, if you suspect a breach, should be to your IT firm.  They should be able to identify if there is an actual issue or have a recommendation for a specialized forensics team who could do a thorough investigation.

If you do not have a relationship with a professional IT firm, now is the time to get one.  Generally speaking, an IT company is going to be cheaper than a forensics firm. You will need that IT firm for the rest of the process.


They Said I Was Breached, Now What?



Hopefully you’ve read our post on cyber-liability insurance and have insurrance.  If you have this kind of insurance then it is time to call your agent.  You will need to contact them ASAP as they may have forensic teams or legal teams they want you to use.  If you don’t use their teams then you may be on the hook for some or all of the bills.


In the event you have either been breached, or have reasonable suspicionof a breach, you need to get a forensics investigation going.  It is possible your IT company can do this but if you are relying on them for your day-to-day support we recommend having an external company do the investigation.  Your auditor needs to come from a different company than the provider performing the day to day service.


This is also the right time to involve your lawyer.  Since every state now has data breach reporting laws you need to let your lawyer know what’s going on. They can advise you of the legal impact and the reporting requirements you need to follow.  Depending on what kind of data you house you might need to get a firm involved that has expertise in multiple state reporting laws.

How Long Will All This Take?

We all want to know how long it will take and how much it will cost.  There is no way to know beforehand. It depends on how much data was at risk, where it housed, and a plethora of other factors.  It could be a few weeks or more than 6 months until the investigation is concluded.  During this time your IT provider can help translate what everyone is telling you.

At some point you have to also fix any issues that were found during the investigation to prevent the breach from occurring again.  You will need to work with your IT company to come up with the remediation plan and timeline.

That Seems Like a Lot

It is a lot to take in, which is why it is important to have a good relationship with a professional IT firm.  While you could handle all of this yourself you still have a business to run. Having a plan and team of professionals ready to help is crucial. And, as you develop your response plan, it might be a good time to assess if you have the appropriate prevention measures in place.

If you need guidance with your own breach response plan, or assistance in response to a breach, Sawyer Solutions is here to help.  We partner with small and medium businesses and non-profits to make their technology work better and protect them cyber-criminals.

Contact Us:

Email us at info@sawyersolutionsllc.com or call us at (844) 448-7767.