How to Build an Incident Response Plan Your Team Will Actually Use

2026-05-20 | 11 min read


Picture this: it's 2:00 a.m. on a Tuesday. Your IT manager gets a Slack message - a server is throwing alerts, multiple employee accounts are locked out, and someone's spotted an unfamiliar process running on a critical machine. Nobody knows who to call first. Nobody can find the emergency contact list. The on-call engineer is trying to remember if there's a playbook for this.

By the time the team figures out the chain of command, two hours have passed. The attacker, already inside your environment, used that window to move laterally and exfiltrate a database backup.

This scenario is not hypothetical. It plays out at Canadian SMBs every week. The difference between a $50,000 incident and a $2 million one is almost always the quality of preparation - specifically, whether you had a tested incident response plan before the attack began.

This guide walks you through what a real incident response plan looks like, who needs to own each phase, and what Quebec businesses must do under Loi 25 when personal data is involved.

What Makes SMB Incident Response Different

Enterprise security teams have dedicated SOC analysts, 24/7 monitoring, and legal departments on speed dial. Most SMBs have one or two IT generalists, a managed service provider on a retainer, and a legal team that handles contracts - not breaches.

That gap creates three specific vulnerabilities:

No clear incident commander. When everyone is responsible, no one is. Without a named person who has authority to make decisions under pressure, teams default to consensus. Consensus takes time. Attackers don't wait.

Critical timelines are shorter than you think. Research consistently shows that the median time between initial compromise and data exfiltration is measured in hours, not days. Your 9-to-5 response cadence is not a match for an attacker working around the clock.

Legal obligations are real and non-negotiable. Under Quebec's Loi 25 (Act respecting the protection of personal information in the private sector), if a privacy incident presents a risk of serious injury to an individual, you are legally required to notify the Commission d'accès à l'information du Québec (CAI) and the affected individuals. That notification must happen promptly - and "we didn't have a plan" is not a legal defense.

The Five Phases of an Effective Incident Response Plan

A good incident response plan is not a 60-page policy document nobody reads. It's an operational guide your team can pull up mid-incident and follow without interpretation. Structure it around five phases.

Phase 1: Detection and Triage

Your plan starts before the incident does. Detection means having the right signals in place - and triage means evaluating those signals quickly so you allocate resources proportionally.

The most reliable detection signals for SMBs:

  • Firewall and IDS/IPS alerts on anomalous outbound traffic
  • Authentication failures in Active Directory or your identity provider
  • Antivirus or EDR alerts on endpoint behavior (process injection, lateral movement indicators)
  • User-reported anomalies - employees noticing they can't access files, or seeing unfamiliar programs

When an alert fires, your first task is severity classification. Not every alert is a breach. Apply a quick severity matrix:

Critical - Multiple systems affected, sensitive data likely exposed, financial impact imminent. Drop everything. Escalate immediately.

High - A single system compromised, personal data potentially accessed. Fast response within 4 hours.

Moderate - Isolated anomaly, no confirmed data access. Investigate within 24 hours.

Low - False positive or contained event. Document and monitor.

Assign severity at triage, not after a 3-hour investigation. Your escalation path should be pre-defined: discoverer notifies IT lead within 15 minutes; IT lead contacts the incident commander within 1 hour; incident commander engages legal and executive within 2 hours if High or Critical.
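The lockout burst from the opening scenario and the escalation timings above, as an added example that is not part of the original article: it scans a constructed authentication log for one source failing against many distinct accounts in a short window, and computes the notification deadlines from the discovery time. The log format (timestamp, account, source IP, result) and the threshold of five accounts in five minutes are both assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not a real product's format:
# ISO timestamp, account, source IP, result.
SAMPLE_AUTH_LOG = """\
2026-05-19T02:00:11 alice 10.0.0.55 FAIL
2026-05-19T02:00:14 bob 10.0.0.55 FAIL
2026-05-19T02:00:19 carol 10.0.0.55 FAIL
2026-05-19T02:00:22 dave 10.0.0.55 FAIL
2026-05-19T02:00:31 erin 10.0.0.55 FAIL
2026-05-19T02:00:40 frank 10.0.0.55 FAIL
2026-05-19T02:01:02 alice 10.0.0.12 FAIL
2026-05-19T02:01:30 alice 10.0.0.12 OK
2026-05-19T02:45:00 grace 10.0.0.77 FAIL
"""

# Escalation path from the article: discoverer -> IT lead -> commander -> legal/exec.
ESCALATION = [("it_lead", timedelta(minutes=15)),
              ("incident_commander", timedelta(hours=1)),
              ("legal_and_executive", timedelta(hours=2))]

def parse_auth_log(text):
    """Parse log lines into (timestamp, account, source, result), oldest first."""
    events = []
    for line in text.splitlines():
        ts, account, source, result = line.split()
        events.append((datetime.fromisoformat(ts), account, source, result))
    return sorted(events)

def find_spray_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: (first_failure, distinct_accounts)} for sources that fail
    against at least min_accounts different accounts inside one window.
    Many accounts failing from a single source is the 'multiple lockouts' signal."""
    failures = defaultdict(list)
    for ts, account, source, result in events:
        if result == "FAIL":
            failures[source].append((ts, account))
    findings = {}
    for source, fails in failures.items():        # fails are in time order
        for i, (start, _) in enumerate(fails):
            accounts = {a for ts, a in fails[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                findings[source] = (start, len(accounts))
                break
    return findings

def escalation_deadlines(discovered_at):
    """Latest time each role must be reached, per the article's escalation path."""
    return {role: discovered_at + delay for role, delay in ESCALATION}
```

The window scan is quadratic per source, which is fine for a triage-time check over a few hours of logs.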

Phase 2: Containment

Once an incident is confirmed, containment is your single highest priority. Every minute of continued attacker access is additional damage.

Immediate actions (first 30 minutes):

Physically or logically isolate affected systems from the network. Pull the Ethernet cable if you need to - downtime now is better than full compromise later. Disable any accounts you believe are compromised. Block suspicious IP addresses at the firewall. Do not shut down affected machines yet; you'll lose volatile forensic evidence.

What not to do: Do not communicate anything publicly. Do not tell employees details beyond "we're investigating an IT issue." Do not post anything on social media. Every public statement before your legal team reviews it is a liability.

Preserve the evidence: Before you clean anything up, capture logs. CloudTrail exports, Active Directory audit logs, firewall logs, endpoint telemetry - all of it. Take a snapshot of affected VMs if you're running cloud infrastructure. The forensic investigation that happens next depends entirely on what you preserved now.

Phase 3: Investigation

You've stopped the bleeding. Now you need to understand what happened, because the remediation you do in Phase 4 depends entirely on knowing the full scope.

The core questions your investigation must answer:

  • What was the initial attack vector? (Phishing email, exploited vulnerability, compromised third-party vendor, weak credential, RDP exposed to the internet?)
  • Which systems did the attacker touch, and in what order?
  • What data was accessed, copied, or destroyed?
  • How long did the attacker have access before detection?
  • Are there any persistence mechanisms left behind - scheduled tasks, new admin accounts, backdoors in code?

Build a timeline. Write down every event with a timestamp. What fired at 14:23? What did the user report at 14:45? When did IT confirm the compromise at 15:00? A documented timeline is critical for both your internal remediation and for any regulatory notification that follows.

If you suspect malware, isolate the affected files in a sandboxed environment before analysis. Use tools like VirusTotal for quick checks, but prefer hash lookups over uploads: a file you upload is shared with VirusTotal's partners, so never submit a document that may contain personal data. For deeper analysis, your incident response partner should be involved.

Phase 4: Eradication and Recovery

You now know what you're dealing with. This phase removes the threat completely and restores operations - in that order. Do not rush to restore operations before eradication is complete. Recovering a system that still contains malware or a persistence mechanism just resets the clock.

Eradication checklist:

  • Remove all identified malware using specialized removal tools
  • Patch the vulnerability that was exploited
  • Disable any unused services or ports that were leveraged
  • Rotate all credentials that were potentially exposed - not just the ones you know were compromised, but any account that could have been accessed
  • Enable MFA on any account that didn't have it

Recovery - staged, not simultaneous:

Bring systems back online in order of criticality, with monitoring watching for recurrence. Run clean antivirus scans before reconnecting anything to production. Restore from backups you've verified are clean and pre-incident.

Monitor intensively for 48 hours post-recovery. If your attacker planted a backdoor and you missed it, you'll see the signs within that window.

Phase 5: Post-Incident Review and Compliance Obligations

This phase is where most SMBs cut corners, and it's a costly mistake. The lessons learned review is how you turn a bad event into a defensible security posture.

Schedule a post-incident meeting within 5-10 business days. Cover four questions honestly: What worked? What failed? What tools or capabilities did we lack? What changes do we commit to making?

Quebec's CAI notification requirement under Loi 25:

If your incident involved personal information - employee data, customer data, health data, financial information - and that information creates a risk of serious injury to affected individuals, you have a legal obligation under Loi 25. You must:

  1. Notify the CAI (Commission d'accès à l'information du Québec) as soon as reasonably possible
  2. Notify the affected individuals as soon as reasonably possible
  3. Maintain a register of all privacy incidents (breaches and near-misses)

The CAI's threshold is "risk of serious injury" - which includes identity theft, discrimination, physical harm, or significant financial loss. When in doubt, notify. The cost of over-notifying is far lower than the cost of regulatory penalties and reputational damage from under-notifying.

Document everything: what happened, when you discovered it, what you did, when you notified affected parties. That documentation is your defense in any future regulatory audit.

The Role of an Incident Commander

Every response needs a single decision-maker - someone with authority, accountability, and the technical context to direct the response without convening a committee. That is the incident commander.

In large organizations, this is typically the CISO or a designated deputy. In SMBs, it's often the IT lead or an external security partner. What matters is that the role is pre-assigned, not improvised.

The incident commander owns:

  • Declaring incident severity level
  • Activating the response plan and assembling the response team
  • Communicating internally with leadership
  • Coordinating with legal on notification obligations
  • Approving public communications
  • Closing the incident and calling the lessons-learned review

Without a named incident commander with clear authority, your incident response plan is a document, not a capability.

Your 3 Actions This Week

You don't need to build a perfect incident response plan in 48 hours. You need a functional one you can iterate on. Start here:

1. Name your incident commander. Write it down, tell the person, make sure leadership knows. If that role doesn't exist internally, identify who fills it.

2. Build your emergency contact list. Legal counsel, cyber insurance carrier, your MSP or security partner, executive leadership, and the CAI's contact information. One page, printed, kept somewhere your IT team can find it at 2 a.m.

3. Download and customize the full incident response playbook. It includes severity matrices, escalation timelines, a CAI notification checklist, and a forensic evidence preservation guide.
