
Cyber Incident Response Planning for Small Businesses: The Document You Hope You Never Need

Cybersecurity · May 11, 2026

The average time for a small business to detect a data breach is 197 days. By the time most companies know they've been compromised, the damage has been done for months. What you do in the first 24 hours after discovering a breach determines whether the incident becomes a manageable event or an existential one.

Most small businesses have no written cyber incident response plan. They improvise. Improvising under pressure, with systems down, customers calling, and employees panicking, is one of the worst ways to manage a security incident.

Five phases of an incident response plan

1. Preparation

Who is on your incident response team? What are their after-hours contact numbers? What vendors do you call? (IT provider, cyber insurance carrier, legal counsel.) Where is the plan stored — and is it accessible if your systems are down? If your IR plan lives only on your corporate server and the server is encrypted by ransomware, you have no plan.

2. Detection and analysis

How do you know something is wrong? A user can't log in. Files have been renamed with unfamiliar extensions. An email rule is redirecting messages externally. Establish a severity classification: a phishing email with no click is different from a confirmed account compromise, which is different from active ransomware.
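The indicators and the three-tier severity scale above can be turned into a small triage check. The following is an added example, not code from the original post or from Scarlet Risk; it runs over constructed sample data (a file server's rename log and an export of mailbox rules) and the host names, addresses, extension list and threshold are all assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample telemetry, not real data: rename events from a file
# server and mailbox rules exported from the mail platform.
RENAME_EVENTS = [
    {"host": "FS01", "path": "Q1-invoices.xlsx.zzxx"},
    {"host": "FS01", "path": "contracts/msa.docx.zzxx"},
    {"host": "FS01", "path": "payroll.csv.zzxx"},
    {"host": "FS01", "path": "notes.txt.zzxx"},
    {"host": "FS01", "path": "budget.xlsx.zzxx"},
    {"host": "WS07", "path": "draft.docx.bak"},  # ordinary backup copy, not suspicious
]
MAILBOX_RULES = [
    {"mailbox": "ap@example.com", "forward_to": "ap-archive@example.com"},
    {"mailbox": "ceo@example.com", "forward_to": "ceo.inbox@mail-relay.example.net"},
]
# Extensions this (hypothetical) business normally sees on its file server.
KNOWN_EXTS = {".docx", ".xlsx", ".csv", ".txt", ".pdf", ".bak", ".tmp"}

def ransomware_suspect_hosts(events, known_exts=KNOWN_EXTS, threshold=5):
    """Hosts where at least `threshold` files were renamed to an unfamiliar extension."""
    per_host = Counter()
    for ev in events:
        path = ev["path"]
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext not in known_exts:
            per_host[ev["host"]] += 1
    return sorted(h for h, n in per_host.items() if n >= threshold)

def external_forwarding(rules, internal_domain="example.com"):
    """Mailbox rules that redirect mail to an address outside the company domain."""
    return [r for r in rules
            if r["forward_to"].rsplit("@", 1)[-1].lower() != internal_domain]

# The post's three tiers: phishing with no click < account compromise < active ransomware.
SEVERITY = {1: "phishing reported, no click",
            2: "account compromise suspected",
            3: "active ransomware"}

def classify(events, rules, phishing_reported=False):
    """Return (tier, label) for the highest-severity indicator present."""
    tier = 0
    if phishing_reported:
        tier = max(tier, 1)
    if external_forwarding(rules):        # redirect rule is a classic takeover sign
        tier = max(tier, 2)
    if ransomware_suspect_hosts(events):  # mass rename to unknown extensions
        tier = max(tier, 3)
    return tier, SEVERITY.get(tier, "no indicators")
```

The tier drives who gets called and how fast, which is exactly what the plan's contact list in the preparation phase exists for.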

3. Containment

The goal is to stop the bleeding. Critical mistake: attempting to clean infected systems before preserving evidence. Preserve first, then remediate. Regulators and cyber insurers will need evidence. Wiping a system before documenting it can void your cyber insurance claim.

4. Eradication and recovery

How do you remove the threat and restore operations? Where are your backups? How recent? Have they been tested? The businesses that recover from ransomware in hours rather than weeks almost always had clean, recent, tested, offline backups.

5. Post-incident review

What happened? Why? What worked? What didn't? Document the timeline and lessons learned. Update your IR plan.

Notification requirements

HIPAA: notification within 60 days of discovery. Most state privacy laws: 30–72 hours for consumer data. PCI-DSS: its own requirements for payment card data. Not knowing these timelines is not a defense.

The tabletop exercise

Writing a plan is necessary but not sufficient. Practice it. Walk through a simulated scenario: "It's 9 PM Friday and your IT provider calls to say ransomware has been detected." An hour, the right people, hard questions. That exercise is worth more in a real incident than a hundred hours of theoretical security training. Scarlet Risk ships with an IR playbook tailored to your environment so you're not drafting one at 2 AM.