How to Create an Incident Response Plan for Small Business
An incident response plan tells your team exactly what to do when a cyber attack happens. Here's how to create one for your Australian small business.
When a cyber attack hits your business, the last thing you want to do is figure out what to do next on the fly. Panic leads to mistakes, mistakes lead to longer downtime, and longer downtime means more damage — to your data, your reputation, and your bottom line.
An incident response plan is simply a documented set of steps your team follows when something goes wrong. It doesn't have to be a 50-page document. For most Australian small businesses, a clear, practical plan of a few pages is more than enough.
Here's how to build one from scratch.
Why Small Businesses Need an Incident Response Plan
Many small business owners assume incident response planning is only for large enterprises with dedicated IT security teams. But the Australian Cyber Security Centre (ACSC) consistently reports that small businesses are among the most targeted — and the least prepared.
In the 2023–24 financial year, the ACSC received over 87,000 cybercrime reports. A significant portion came from small businesses dealing with ransomware, business email compromise, and data breaches. Without a plan, most of these businesses lost more time and money than they needed to.
A good incident response plan helps you:
- Respond faster and more consistently when an incident occurs
- Reduce the damage caused by a breach or attack
- Meet your legal obligations under Australian privacy law
- Recover more quickly and get back to business
- Demonstrate due diligence to insurers, partners, and clients
The Six Phases of Incident Response
The ACSC and global frameworks like NIST recommend structuring your response around six key phases:
1. Preparation
This is where you build the plan itself. Identify your critical systems, assign roles to team members, and make sure everyone knows what to do. Preparation also means having the right tools ready — backups, contact lists, and access credentials stored securely offline.
2. Identification
How will you know an attack is happening? Common indicators include unusually slow systems, accounts locked without explanation, strange emails sent from your domain, or unexpected charges on your accounts. Define what counts as a security incident for your business and train staff to recognise the signs.
3. Containment
Once you've identified an incident, your priority is to stop it spreading. This might mean disconnecting an infected computer from the network, disabling a compromised email account, or revoking access credentials. Have a short checklist of containment steps ready.
4. Eradication
Remove the threat from your systems. This could involve deleting malware, wiping and rebuilding a machine, or closing the vulnerability that was exploited. If you're not sure how to do this yourself, this is the point where you call in a professional.
5. Recovery
Restore your systems and data from clean backups, and verify everything is working normally before bringing systems back online. Test your backups regularly so you know they actually work when you need them.
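Backup testing is easiest to keep up when it is scripted. The block below is an added example, not code from this article or from the ACSC: a small POSIX shell script that writes a SHA-256 manifest when a backup is taken and later performs a test restore into a scratch directory, failing if the archive will not extract or if any restored file differs from the manifest. The directory layout and file contents are constructed for the demonstration, and the script assumes `tar` and `sha256sum` are installed.

```shell
#!/bin/sh
# Added example (not from the original article or the ACSC): a test-restore
# check for backup archives. make_backup writes a checksum manifest alongside
# the archive; verify_backup restores the archive into a scratch directory and
# compares every restored file against that manifest.
# Assumptions: tar and sha256sum are installed; paths and sample files below
# are constructed for the demonstration.
set -eu

# make_backup SRC_DIR ARCHIVE
# Archive SRC_DIR into ARCHIVE (gzipped tar) and write ARCHIVE.sha256 listing
# the SHA-256 of every file, with paths relative to SRC_DIR.
make_backup() {
  src="$1"; archive="$2"
  ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$archive.sha256"
  tar -czf "$archive" -C "$src" .
}

# verify_backup ARCHIVE
# Returns 0 only if ARCHIVE extracts cleanly AND every file in ARCHIVE.sha256
# is present with a matching hash. Corruption, tampering or a missing file
# returns 1, so a scheduled run can alert on it.
verify_backup() {
  archive="$1"
  manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
  scratch="$(mktemp -d)"
  status=0
  if tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
    ( cd "$scratch" && sha256sum -c --status "$manifest" ) || status=1
  else
    status=1
  fi
  rm -rf "$scratch"
  return "$status"
}

# demo: back up a constructed data directory, verify it, then show that a
# damaged (truncated) copy of the archive is rejected.
demo() {
  work="$(mktemp -d)"
  mkdir -p "$work/data/invoices"
  printf 'constructed sample: customer list\n' > "$work/data/customers.txt"
  printf 'constructed sample: Q1 invoices\n' > "$work/data/invoices/q1.csv"

  make_backup "$work/data" "$work/backup.tgz"
  if verify_backup "$work/backup.tgz"; then
    echo "backup.tgz: test restore OK"
  fi

  # A backup that exists but cannot be restored is the failure mode this
  # check is there to catch: simulate it with a truncated archive.
  head -c 64 "$work/backup.tgz" > "$work/damaged.tgz"
  cp "$work/backup.tgz.sha256" "$work/damaged.tgz.sha256"
  if ! verify_backup "$work/damaged.tgz"; then
    echo "damaged.tgz: test restore FAILED (bad backup caught before you need it)"
  fi
  rm -rf "$work"
}

demo
```

Run `verify_backup` on a schedule, for example straight after each backup job, and treat a non-zero exit as something to fix now rather than during an incident. Keeping the manifest separate from the archive also means a backup that was silently altered after it was taken will not pass the check.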
6. Post-Incident Review
Once the dust settles, review what happened, what you did well, and what you'd do differently. This is covered in detail in our article on post-incident reviews.
What Your Plan Should Include
Your incident response plan doesn't need to be complicated. At a minimum, include:
- Contact list: Key team members, your IT provider, your cyber insurer, and the ACSC's 24/7 hotline (1300 CYBER1 / 1300 292 371)
- Asset inventory: A list of your critical systems, software, and data so you know what to protect and restore
- Role assignments: Who is in charge of the response? Who handles communications? Who calls the lawyer?
- Containment steps: A quick-reference checklist for the first 30 minutes of an incident
- Reporting obligations: When and how to notify the Office of the Australian Information Commissioner (OAIC) and Australian Signals Directorate (ASD)
- Communication templates: Draft notifications for customers, staff, and the media so you're not writing from scratch under pressure
- Backup and recovery procedures: Where your backups are, how to access them, and how long restoration takes
Assigning Roles: The Incident Response Team
In a small business, one person might wear several hats. That's fine. What matters is that the roles are defined before an incident happens. Common roles include:
- Incident Lead: The person who coordinates the response and makes decisions
- Technical Contact: Your IT provider or internal tech person who handles the technical remediation
- Communications Lead: The person who handles notifications to customers, suppliers, and the media
- Legal/Compliance Contact: Your lawyer or privacy officer who advises on reporting obligations
Tools to Help You Build Your Plan
You don't have to start from a blank page. The ACSC provides free resources at cyber.gov.au, including guidance specifically designed for small businesses. Their Small Business Cyber Security Guide and the Exercise in a Box tool both contain practical templates you can adapt.
Microsoft and Google also offer incident response documentation for businesses using their platforms. If you use Microsoft 365, for example, Microsoft Defender has built-in incident response workflows you can configure without needing a dedicated IT team.
For businesses that want more structure, the NIST Cybersecurity Framework (available free at nist.gov) provides a widely used model that scales well for smaller organisations.
Testing Your Plan
A plan you've never practised is a plan that might fail when you need it most. Schedule a tabletop exercise at least once a year — this is simply a conversation where you walk through a hypothetical scenario (like "we've just discovered ransomware on our accounting computer") and talk through what each person would do.
You don't need expensive software or a specialist facilitator. A 90-minute meeting with your team, a scenario, and your written plan is enough to identify gaps and build muscle memory.
Key Takeaways
- An incident response plan tells your team exactly what to do in the first hours of a cyber attack, reducing panic and mistakes
- A good plan covers six phases: preparation, identification, containment, eradication, recovery, and post-incident review
- At minimum, document your contact list, critical assets, role assignments, containment steps, and reporting obligations
- Free templates and guidance are available from the ACSC at cyber.gov.au
- Test your plan with a tabletop exercise at least once a year
Not sure where your biggest cyber risks lie? Take the free Flagged cyber risk assessment to get a personalised picture of your business's security posture and prioritised steps to improve it.