You don’t have to predict the future to be ready for it. A cyberattack doesn’t have to be sophisticated to destroy a small business. A single phishing email, one employee clicking the wrong link, and suddenly the question isn’t “can we prevent this?” – it’s “do we know what to do right now?” Most small businesses don’t. Not because they’re careless, but because they assume a response plan requires a full IT department and enterprise-grade software. It doesn’t. It requires a process, some preparation, and people who know their role when things go wrong.
The Golden Hour Matters More Than You Think
The first 60 minutes after a breach is discovered – what security professionals call the “golden hour” – has an outsized effect on total recovery cost and downtime. Businesses that act fast contain the damage. Businesses that freeze, argue about who’s responsible, or spend that hour trying to figure out who to call often turn a recoverable incident into a catastrophic one.
This is the core argument for having a written incident response plan before you need it. When ransomware encrypts your files or a data breach is detected, you don’t want your team making decisions under pressure for the first time. You want them following a documented workflow they’ve already rehearsed.
Organizations with strong incident response planning saved an average of $1.49 million compared to those with none (IBM Cost of a Data Breach Report 2023). For a small business, that gap isn’t just financial – it’s the difference between recovery and closure.
Build A Communication Chain That Works Offline
An often ignored aspect of any cybersecurity preparation is asking a basic question – if your email system is down or compromised, how does your team communicate?
Every response plan must have an offline communication chain – a list of personal phone numbers, a meeting place if remote access is impossible, and a hierarchy of who calls whom. Employees need to know who to contact, in what sequence, and what information to report. This must be a physical document, not just a shared inbox, since the inbox will be unavailable when you need it most.
Social engineering attacks (where someone talks a staff member into providing login details) often work because nobody verifies that the caller really is who they claim to be. A clearly defined chain of command helps with that as well: it eliminates disputes about authority and makes it harder to impersonate someone.
Containment First, Recovery Second
The NIST Cybersecurity Framework provides a response workflow worth following: Contain, Eradicate, Recover – and in that order. It sounds obvious, but businesses regularly skip the middle step. They contain a ransomware infection, feel relieved, and immediately restore systems from backup – without confirming the original entry point is closed. The result is re-infection within hours.
Containment means isolating affected devices from the rest of the network immediately. Unplug them if necessary. Endpoint security tools help with this, but even manual isolation buys time.
Eradication means finding and removing the threat entirely – not just its visible symptoms. This is where professional oversight earns its cost. Partnering with a specialist like AG Security Group helps small businesses bridge the gap between having a response plan on paper and having the technical capability to execute the eradication step without missing something.
Recovery means restoring from clean backups, verifying system integrity, and only then bringing services back online.
Document Everything During The Incident
Many skip this step as they consider it a secondary concern during a crisis. However, it is crucial. Keeping a running incident log with timestamps, actions taken by individuals, impacted systems, and related information on potential data access is necessary to simplify insurance claims, meet reporting obligations, and in some cases, defend your response.
For example, most if not all states, as well as countries in Europe and Asia, have data breach notification laws that require a company to report an incident within a specific number of hours or days if personally identifiable information (PII) is compromised. If you cannot answer investigators’ questions about the timeline from a record kept at the time, reconstructing it after the fact will be far harder. But having an accurate log that you shared early with law enforcement and insurers can show that you did act responsibly and promptly.
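As an added example (not code from this article), here is a small Python incident log that enforces the Contain, Eradicate, Recover order from the previous section and keeps the timestamped, tamper-evident record this section calls for. The class name, the notification window value and every sample entry are assumptions; the reporting deadline in your jurisdiction is whatever the applicable law says.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Workflow order from the article; entering "Recover" is gated on eradication.
PHASES = ["Contain", "Eradicate", "Recover"]
GENESIS = "0" * 64

def digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}  # hash covers every other field
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IncidentLog:
    """Append-only, hash-chained incident log with phase gating.
    notify_window_hours is an assumed placeholder; use your jurisdiction's rule."""
    def __init__(self, notify_window_hours):
        self.entries, self.phase, self.entry_point_closed = [], None, False
        self.notify_window = timedelta(hours=notify_window_hours)

    def log(self, when, who, action, systems=()):
        """Append one timestamped entry chained to the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": when.isoformat(), "who": who, "action": action,
                 "systems": sorted(systems), "phase": self.phase, "prev": prev}
        entry["hash"] = digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def enter_phase(self, phase, when, who):
        """Advance one phase at a time; refuse Recover until the entry point is closed."""
        nxt = 0 if self.phase is None else PHASES.index(self.phase) + 1
        if nxt >= len(PHASES) or PHASES[nxt] != phase:
            raise ValueError(f"cannot enter {phase} from {self.phase}")
        if phase == "Recover" and not self.entry_point_closed:
            raise ValueError("Recover blocked: entry point not confirmed closed")
        self.phase = phase
        return self.log(when, who, f"entered phase {phase}")

    def confirm_entry_point_closed(self, when, who, detail):
        self.entry_point_closed = True  # the Eradicate-phase finding that unlocks Recover
        return self.log(when, who, f"entry point closed: {detail}")

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prevs = [GENESIS] + [e["hash"] for e in self.entries[:-1]]
        return all(e["prev"] == p and digest(e) == e["hash"] for e, p in zip(self.entries, prevs))

    def notification_deadline(self):
        """Regulatory clock assumed to start at the first logged (discovery) entry."""
        return datetime.fromisoformat(self.entries[0]["ts"]) + self.notify_window
```

Log the discovery first, record each action as it happens, and run verify() before handing the timeline to insurers or investigators.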
Run The Exercise Before You Face The Real Thing
A tabletop exercise is a simulation of a cyber incident where your team gathers around a conference room table and talks through how you’d respond to the situation. You don’t fix anything or write any code – you just talk.
These exercises are great for small businesses because they’re low cost and easy to run. Make up a scenario and ask “what would we do?”
The kind of incident you simulate isn’t that important. What’s important is making sure you’re asking and answering the right questions, and that when the time comes, you know you can rely on your people to act effectively.
That’s why you shouldn’t wait until you can start a full infosec program to do tabletop exercises. Do them first, because if you can’t talk through how you’d respond to an incident, the rest of the program doesn’t matter.
And testing your backup and restore process against a simulated ransomware attack is better (and cheaper!) than discovering its gaps while you’re scrambling to save your business.