A Cyberattack Will Test Your Business
Does Your Team Have a Plan?

By David Luft | CEO, LDD Consulting | MCSE, MCT, MBA | Published July 2026 | 5 min read

LDD Consulting team meeting in conference room discussing IT security planning

What Is a Cyber Incident Response Plan?

A cyber incident response plan (sometimes called an IRP) is a written playbook your business follows when something goes wrong — ransomware locks your files, an employee clicks a phishing link, a vendor gets breached and takes your data with them. It tells you who to call, what to shut down, what to document, and how to communicate with clients and staff.   

Think of it like a fire evacuation plan. You hope you never need it. But if the alarm goes off and nobody knows where the exits are, things go sideways fast.

For small businesses, the stakes are real. According to IBM’s Cost of a Data Breach Report, the average cost of a data breach for small and mid-sized businesses has climbed steadily — and a significant portion of that cost comes not from the attack itself, but from the slow, disorganized response that follows.

Why Small Businesses Need One

There’s a common assumption that cyberattacks target big companies. They don’t — or at least, not exclusively. Small businesses are frequently targeted precisely because they’re less likely to have strong cybersecurity defenses or a documented response process. 

When an incident hits without a plan in place, a few things tend to happen: employees don’t know who’s in charge, critical decisions get delayed, and the business loses far more time and money than necessary. IT Services in Albuquerque can help prevent many incidents in the first place — but even well-protected businesses need a response plan for the scenarios that get through.

A documented plan also matters for compliance. Depending on your industry, you may be required to demonstrate that you have incident response procedures in place. Healthcare organizations, financial firms, and businesses handling personal data are especially likely to face this requirement. 

What a Solid Plan Includes

You don’t need a 50-page document. A practical incident response plan for a small business covers six core areas:

1. Defined Roles

Who is in charge when something happens? Who contacts clients? Who calls your IT provider? Assign names, not just job titles, and make sure those people know they’re on the list.

2. Contact List

Your IT support team, your cyber insurance carrier, legal counsel if applicable, and any regulatory contacts relevant to your industry. This list should be printed and accessible offline — if your systems are locked, you still need it. 

3. Incident Classification

Not every incident is a five-alarm emergency. A minor phishing attempt is handled differently than a full ransomware lockout. Your plan should define the difference and outline a different response level for each.

4. Containment Steps

What gets shut down first? Which systems get isolated? Your IT support team should be involved in defining this — it requires knowing your network layout and which systems are most critical to your operations.

5. Communication Protocol

Who needs to be notified, and when? Employees, clients, vendors, and in some cases regulators all have different timelines and requirements. Getting this wrong can create legal exposure on top of the original incident. 

6. Recovery and Documentation

How do you get back to normal operations? What do you document for insurance, compliance, or future prevention? Cloud backup and recovery procedures belong here — if your data is backed up and tested regularly, recovery is dramatically faster.

Pro tip: Once you’ve written your plan, test it. Run a tabletop exercise where you walk your team through a simulated incident. You’ll find gaps you didn’t know were there.

Common Mistakes Businesses Make

Mistake 1 — Assuming It Won’t Happen to Them

We hear this regularly from new clients. Small businesses are targeted constantly — often because attackers know they’re easier to breach than large enterprises. Having no plan because you don’t think you’re a target is one of the most costly assumptions a business owner can make. 

Mistake 2 — Keeping the Plan Only in Digital Files

If ransomware locks your systems, a response plan saved only on your network is inaccessible when you need it most. Keep a printed copy in a known physical location and make sure key staff know where it is.

Mistake 3 — Writing the Plan Once and Forgetting It

Your business changes. Your staff changes. Your technology changes. A plan written three years ago and never revisited is better than nothing — but not by much. Review and update it at least once a year.

Mistake 4 — Leaving IT Out of the Process

A response plan written without input from your IT team often misses critical technical steps — what to actually shut down, in what order, and how to preserve evidence for insurance purposes. Your IT provider should be a core contributor, not an afterthought. 

Frequently Asked Questions

Do small businesses really need a formal incident response plan?

Yes. Cyberattacks on small businesses are common, and the damage from a disorganized response compounds quickly. Even a simple, one-page plan is significantly better than having nothing documented.

How long does it take to put a plan together?

A basic plan for a small business can be drafted in a few hours with the right guidance. The harder part is making sure the right people are trained on it and that it stays current.

What's the difference between an incident response plan and a disaster recovery plan?

They overlap but aren’t the same. An incident response plan focuses on the immediate reaction to a security event — containment, communication, and control. A disaster recovery plan focuses on restoring operations afterward. Ideally, you have both.

Does my cyber insurance require an incident response plan?

Many cyber insurance carriers now ask about incident response procedures during underwriting. Some require documentation of a plan as a condition of coverage. Check your policy or ask your carrier.

Can LDD Consulting help us put a plan together?

Yes. This is part of what we do for managed IT clients. If you don’t have a plan in place, contact us to start the conversation.

David Luft

CEO, LDD Consulting

David founded LDD Consulting in 2003 with a straightforward mission: help small and mid-sized businesses in Albuquerque and across New Mexico get reliable, enterprise-quality IT support without the enterprise price tag. He holds an MBA with a concentration in Information Systems from the University of New Mexico, along with Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT) credentials. He’s been solving business technology problems for more than 25 years. 

Linkedin |  Learn More About David