Incident Response Planning: A Vital Component of Your Cybersecurity Strategy

Cyber insurance providers and regulatory bodies require organizations to have a well-developed incident response program and demonstrate their readiness for potential cyber incidents. This means that having a solid incident response plan is crucial for organizations to mitigate the costs and damages of a possible data breach. A robust incident response plan can significantly reduce the impact of a breach and potentially save millions of dollars.

According to the IBM “Cost of a data breach 2022” report, organizations that have an incident response team and test their incident response plan can save an average of $2.66 million compared to those that do not. Therefore, it is essential for organizations to regularly test and update their incident response plan to ensure its effectiveness and compliance with industry standards.

One specific industry standard we assist our clients in complying with is the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which requires reporting of cyber incidents within 72 hours of their discovery. To satisfy this requirement, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2 publication provides guidance on safeguarding Controlled Unclassified Information (CUI) in non-federal systems. This includes specific requirements for incident response controls, such as establishing an incident-handling capability and reporting practice (as stated in Requirement 3.6.1). Additionally, organizations must test their incident response capabilities (as mandated by Requirement 3.6.3).

The Sikich Cybersecurity team has utilized guidance from this publication and other comparable resources to create incident response offerings that assist organizations in establishing efficient incident-handling programs. These programs can promptly detect and respond to security incidents, reduce the impact of such incidents, and ultimately prevent the occurrence of similar incidents in the future.

Incident Response Plan Development

As a part of the programs, we provide a vital service by creating an incident response plan for organizations as a component of their overall cybersecurity strategy. This plan outlines the necessary steps to be taken in the event of a security incident, such as ransomware or cyber attack. Organizations can respond quickly and effectively to these incidents by having an efficient incident response plan in place, minimizing the impact of the incident.

The following are some general steps that an organization should define within an incident response plan:

1. Identify the security incident

The first step is to identify that a security incident has occurred. This may involve monitoring alerts from security tools, receiving reports from employees or customers, or detecting unusual activity on the network or systems.

2. Contain the incident

Once a security incident has been identified, the organization should take steps to contain the incident to prevent further damage. This may involve isolating affected systems, disabling accounts or access, or blocking communication channels used by attackers.

3. Assess the impact

The organization should assess the impact of the incident by identifying the scope of the attack, the data or systems compromised, and the potential risks to the organization.

4. Investigate the incident

Conduct a thorough investigation to identify the source of the attack, the initial point of compromise, and the methods used by attackers to evade detection.

5. Eradicate the incident

Remove the attack from affected systems and restore them to a known good state. Identify any other systems that may have been compromised and take appropriate action to prevent further damage.

6. Recover data

Determine if any sensitive data was compromised during the attack and take appropriate action. Restore data from backup sources if available. Implement measures to prevent future attacks.

7. Communicate with stakeholders

Develop and implement a communication plan to keep all stakeholders informed throughout the incident response process. This may include notifying internal teams, external partners, customers, or users of the affected systems.

8. Document the incident

Document the incident, including all actions taken and evidence collected, to ensure that it can be used for further analysis or legal proceedings if necessary.

9. Review and improve incident response plan

Conduct a post-incident review to identify areas for improvement and incorporate lessons learned into future incident response planning and training.

10. Provide ongoing education and training

Provide ongoing education and training for employees on how to identify and report potential security incidents, as well as how to respond in the event of an attack.

It’s important to note that the specific steps that an organization should take in the event of a security incident will depend on the nature and severity of the incident, as well as the organization’s internal policies and procedures. The steps outlined above are general guidelines that can be adapted to meet the needs of any organization.

As a cybersecurity firm specializing in incident response, we feel it’s important to emphasize that having an incident response plan is not enough to guarantee your organization’s readiness for a potential cyber incident. To ensure that your incident response plan is current and efficient, our services include testing the plan to identify any gaps or areas for improvement. This testing involves simulating a security incident to evaluate your organization’s response and identify any shortcomings. Regular testing of your incident response plan is crucial to ensure that your organization can effectively manage a cyber incident, and that your plan remains effective over time.

Tabletop Exercise

In an effort to provide additional value to readers, the Sikich Cybersecurity team has created the following example of a tabletop exercise. The focus of this exercise is to simulate a realistic phishing attack scenario, providing a guideline for organizations to prepare for potential cyber threats related to phishing attacks. By participating in these types of exercises, organizations can gain insight into the possible consequences of an attack, identify gaps in their existing security measures, and develop strategies to enhance their overall security posture.


Your organization has experienced a phishing attack that resulted in the compromise of several employee email accounts. The attackers used these accounts to send further phishing emails to other employees, resulting in additional accounts being compromised.


Incident response team members, IT staff, senior management, other stakeholders


Two to three hours


  1. Introduction (15 minutes): Introduce the exercise and explain the scenario to the participants. Provide an overview of the incident response plan and the “Phishing Attack Playbook.”
  2. Initial Assessment (20 minutes): Ask the incident response team members to assess the situation and provide an initial report on the scope of the attack, the number of compromised accounts, and the potential impact on the organization’s systems and data.
  3. Mitigation Strategy (40 minutes): Ask the incident response team members to propose a mitigation strategy based on the information gathered in the initial assessment. The strategy should include steps to contain the attack, prevent further compromise, and restore the affected systems and data.
  4. Simulation (60 minutes): Conduct a simulation of the phishing attack by sending a series of phishing emails to a select group of employees. The emails should be designed to mimic the attack that occurred in the scenario. Monitor the response of the employees and the effectiveness of the organization’s defense mechanisms.
  5. Response Evaluation (30 minutes): Evaluate the response of the incident response team and IT staff to the simulation. Identify any gaps or areas for improvement in the incident response plan or the “Phishing Attack Playbook.”
  6. Debrief (15 minutes): Conduct a debrief session to discuss the lessons learned from the exercise. Document the findings and recommendations for future improvements to the organization’s incident response capabilities.


This high-level tabletop exercise can help an incident response team test their skills and knowledge in responding to a phishing attack and prepare to handle similar incidents in the future.

The steps followed by the incident response team should be systematic and comprehensive in order to effectively respond to an attack. This includes identifying the scope of the attack, containing the incident to prevent further damage, analyzing the attack to determine its source and potential impact, and developing a plan for remediation and recovery.

Furthermore, it’s important to ensure that the incident response team is well trained and equipped with the necessary tools and resources to respond to similar incidents in the future. This could include conducting regular tabletop exercises to test the team’s readiness, updating incident response plans and procedures, and providing ongoing training and education to team members.

By developing an incident response plan and performing scheduled tabletop exercises, organizations can better protect themselves from the risks associated with phishing attacks and other cyber threats and minimize the impact of any incidents that do occur.

As a leading technology firm, Sikich offers expert cybersecurity guidance and services to help organizations create an incident response plan that aligns with cyber insurance provider requirements, industry regulations and other obligations related to incident reporting. Given the potential risks and costs associated with a cyber attack, it is important for organizations to take proactive steps to prepare for such an event. Contact Sikich today to learn more about its incident response planning services and take an important step toward protecting your organization and customers from the consequences of an incident.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author