9 Realms Cybersecurity

Your Incident Response Plan Won't Save You If It's on the Network

Chuck Flynn

Every organization that has gone through a security audit in the last five years has an incident response plan. It lives in a shared drive somewhere, probably last updated when someone had bandwidth to think about it, and referenced occasionally when a compliance questionnaire asks whether one exists.

The problem is not that organizations lack incident response plans. The problem is that when an incident actually happens, the plan is often the first thing that becomes inaccessible.

What a Ransomware Incident Actually Looks Like

When ransomware hits, the sequence of events moves faster than most people expect. Files start encrypting. Systems go offline. The network share where the incident response plan lives becomes unavailable. The person who owns the IR process is on vacation, unreachable, or — in smaller organizations — is the same person whose workstation just got encrypted.

What happens next in most organizations is improvisation. People start making decisions based on what feels right in the moment, which means different people are making different calls, communication is fragmented, and the actions taken in the first two hours — which are the most consequential — are uncoordinated.

This is not a hypothetical. It is the pattern that plays out in almost every ransomware incident war room. Not because the organizations were careless, but because having a plan and being able to execute a plan under pressure are two completely different things.

The Three Gaps That Show Up Every Time

Sit in enough incident response calls and the patterns become clear: three gaps show up consistently regardless of company size or industry.

The first is the accessibility gap. The plan exists digitally, on systems that may be compromised or unavailable during the incident. Nobody has a printed copy. Nobody has tested whether they can actually get to it when they need it.

The second is the contact gap. The plan references roles rather than people, or references people without current contact information. When the incident happens at 11pm on a Friday, nobody knows whom to call or has the number readily available. Insurance policy numbers, legal counsel contacts, and the IR retainer hotline number are buried in the document that nobody can open.

The third is the practice gap. The plan has never been walked through as a team. The people responsible for executing it have never done a dry run. The first time they work through the decision tree is during a live incident, under pressure, with incomplete information.
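The contact gap in particular can be caught before an incident if the escalation matrix is kept as structured data rather than only as a paragraph in a document. What follows is an added example and not code from the original post: it assumes the matrix is stored as a dict (in practice a YAML or JSON file kept in a repository), that every role must map to a named person or desk with a primary and a backup phone number, and that contact details older than 90 days count as stale. The names, numbers and dates are constructed.

```python
"""Lint an incident-response escalation matrix for the contact gap.

Added example, not code from the original post. Assumptions: the matrix is
a dict keyed by response role; each entry carries a named person, a primary
and backup phone, and an ISO date of the last time the details were verified.
The 90-day freshness window is an assumed policy value.
"""
from datetime import date, timedelta
import re
import sys

# Constructed sample matrix: one healthy entry and three with gaps.
MATRIX = {
    "incident_commander": {
        "name": "A. Example", "primary_phone": "+1-555-0100",
        "backup_name": "B. Example", "backup_phone": "+1-555-0101",
        "last_verified": "2024-05-01",
    },
    "legal_counsel": {                      # no backup contact
        "name": "C. Example", "primary_phone": "+1-555-0102",
        "backup_name": "", "backup_phone": "",
        "last_verified": "2024-05-01",
    },
    "cyber_insurance_claims": {             # hotline number missing, stale
        "name": "Claims Hotline", "primary_phone": "",
        "backup_name": "", "backup_phone": "",
        "last_verified": "2023-01-15",
    },
    "ir_retainer": {                        # role only, not mapped to a person
        "name": "", "primary_phone": "+1-555-0103",
        "backup_name": "", "backup_phone": "",
        "last_verified": "2024-05-20",
    },
}

MAX_AGE = timedelta(days=90)                # assumed verification window
PHONE_RE = re.compile(r"^\+?[0-9][0-9\- ]{6,}$")   # loose sanity check only


def lint_role(role, entry, today):
    """Return a list of findings for one role; empty list means the entry is usable."""
    findings = []
    if not entry.get("name"):
        findings.append(f"{role}: role is not mapped to a named person or desk")
    if not PHONE_RE.match(entry.get("primary_phone", "")):
        findings.append(f"{role}: primary phone missing or malformed")
    if not entry.get("backup_name") or not PHONE_RE.match(entry.get("backup_phone", "")):
        findings.append(f"{role}: no backup contact (single point of failure)")
    try:
        verified = date.fromisoformat(entry.get("last_verified", ""))
        age = today - verified
        if age > MAX_AGE:
            findings.append(f"{role}: contact details last verified {age.days} days ago (stale)")
    except ValueError:
        findings.append(f"{role}: last_verified date missing or invalid")
    return findings


def lint_matrix(matrix, today=None):
    """Lint every role. `today` is an ISO date string so runs are reproducible."""
    as_of = date.fromisoformat(today) if today else date.today()
    findings = []
    for role, entry in matrix.items():
        findings.extend(lint_role(role, entry, as_of))
    return findings


if __name__ == "__main__":
    # Suitable as a CI or scheduled check: non-zero exit when any gap is found.
    problems = lint_matrix(MATRIX)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run on a schedule or in the pipeline that publishes the plan, the check flags contact rot long before a Friday night incident does; the findings still have to make it into the printed binder, since the linter itself lives on the network.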

What Good Looks Like

Organizations that handle incidents well share a few common characteristics. They treat the incident response plan as a living operational document rather than a compliance artifact. They run tabletop exercises at least once a year, ideally with scenarios that feel uncomfortably realistic. And they maintain printed response plan binders — physical, analog, not dependent on any system being available — at the desk or home of every person who has a role in incident response.

Those binders should contain the response plan itself, the escalation matrix with personal cell numbers, the cyber insurance policy number and the claims hotline, legal counsel contact information, and the contact details for any IR retainer or MSSP relationship. Everything a person needs to start working the problem before any system is restored.

This sounds old-fashioned. It is also the difference between a two-hour response time and a twelve-hour response time when something goes wrong at midnight.

The Role of Tabletop Exercises

A tabletop exercise is not a technical drill. It is a structured conversation that walks your team through a realistic scenario — a ransomware attack, a business email compromise, a data exfiltration event — and surfaces the gaps in your plan before an attacker does.

The value is not in finding out whether your team knows the technical steps. The value is in finding out whether your team knows who makes which decision, how communication flows under pressure, and where the plan breaks down when real-world conditions do not match the assumptions it was built on.

Most organizations that run tabletops for the first time discover three things: the plan has gaps they did not know about, the communication structure does not hold under pressure, and there are key single points of failure in the response process. Better to find those in a conference room than at 2am.

The Practical Checklist

Before your next compliance review, ask yourself these questions. Does your IR plan exist in a form that is accessible when your network is down? Does every person with a response role have a printed copy with current contact information? Have you run a tabletop exercise in the last twelve months? Does your team know the IR plan well enough to execute it without reading it first?

If the answer to any of those is no, the plan is not ready. It is a document. There is a difference.

Tags: incident response, ransomware, tabletop exercise, IR Plan, Cybersecurity, preparedness, SMB security