You’ve Been Breached! Build an Incident Response Plan to Prepare for the Worst-Case Scenario
Incident Response Phase #1: Preparation and Documentation
Every week, there are an average of 1300 cyberattacks against any single U.S. company—a number that rises significantly in industries like healthcare and education. With so many attacks, chances are one or more will be successful. And successful cyberattacks are costly for an organization, averaging $4.88 million per incident in 2024, according to IBM. That’s why creating an incident response plan (IRP) is necessary for any organization.
As described in our blog post, How—and Why—to Create a Strong Incident Response Plan, the IRP outlines everything your organization must do to monitor and respond to threats to your business. The goal is to develop an IRP that outlines the procedures required to detect, respond to, and recover from any type of cyber incident. This process is best done in phases, so each aspect of the response plan is well organized and comprehensive, covering all areas of the organization. The first phase is preparation and documentation.
Preparing Before an Incident Strikes
Not every cyber attack will turn into an incident. That’s because your organization can put tools and teams in place to detect and mitigate problems before they can infiltrate your network. Preparation requires involving those people who have access to your system and should include the following actions:
- Establish protocols for the incident reporting structure. Designate a contact person whom employees will call if they notice suspicious events and who will work with the managed service provider (MSP) on potential threats.
- Create an incident response team. This can include internal and external security teams, along with representatives from the finance, marketing and public relations, legal, and human resources departments. The team will be responsible for putting the IRP into action and creating a united corporate response.
- Regularly back up data.
- Implement cybersecurity awareness training. Every employee across the company should know how to identify socially engineered attacks like phishing emails, fake websites or malicious content in social media.
- Schedule regular security reviews and audits.
Organize Your Documentation
The preparation phase needs one more step to be effective: you must know what you are protecting. To best prepare before an incident strikes, the incident response team needs a comprehensive picture of your entire infrastructure. Documentation you should gather for your IRP includes:
- Copies of service plans with MSPs, contractors, third-party vendors—anyone with access to your network—and the roles they play within your organization.
- A list of all devices connected to the network, including employee-owned devices that hold company information, vehicles, remote smart sensors and factory machinery.
- Administrator access information.
- Unique identifiers for any device whose details differ from those recorded in other documentation.
Preparation Sets Up the Next Phases
Each phase of the IRP builds into the next. While no one wants to hear “You’ve Been Breached,” preparation and documentation provide the foundation for a smooth process and the best possible outcome if disaster strikes.