Most small businesses have no written incident response plan. When a ransomware attack or data breach occurs, decisions get made in a panic - often the wrong ones. A one-page written plan that answers 'who does what in the first hour' is enough to dramatically reduce the damage. Here is a starting template.
Why a Simple Plan Beats a Complex One
Enterprise incident response plans run 50 pages. Nobody reads them in a crisis. For a small business, a laminated one-page reference card with five to eight steps and the right phone numbers is more valuable than a binder gathering dust on a shelf.
Your plan needs to answer four questions: How do we detect that something is wrong? Who decides whether it is a real incident? What do we do first? Who do we notify and when? The rest is operational detail that can be handled after the immediate crisis is contained.
Phase 1: Detection and Classification
List the signals that indicate a potential incident: user reports strange pop-ups or locked files, helpdesk sees unusual login alerts, your EDR platform generates a critical alert, a vendor notifies you of suspicious activity involving your account. Any of these is a trigger to start the classification process.
Classify the incident on a simple scale. P1: systems are down, data may be exfiltrated, business operations halted. P2: suspicious activity confirmed but systems still operational. P3: anomaly detected, investigation needed. Classification determines the urgency of your next steps. When in doubt, classify higher: downgrading a P1 to a P2 an hour later costs nothing, while an hour lost on a real P1 can mean the difference between one encrypted laptop and an encrypted file server.
Phase 2: Containment
Containment means stopping the spread before you understand the full scope. For most SMB incidents, this means: disconnect affected machines from the network (pull the cable or disable Wi-Fi, but do not power off, because whatever is in memory, such as running processes, open network connections and in some cases the attacker's encryption keys, is lost the moment the machine shuts down), reset passwords for affected accounts from a clean device that was not involved in the incident (a new password typed on a compromised machine is simply captured again), revoke active sessions in Microsoft 365 or your identity provider (tokens already issued to the attacker keep working until they expire or are explicitly revoked, so a password reset on its own is not enough), and notify your IT provider immediately.
Do not try to clean or recover the affected machine before your IT provider has assessed it. Forensic evidence is lost when systems are wiped or reimaged. Your insurer and, if applicable, the Office of the Information and Privacy Commissioner of Alberta (OIPC) will want a chain of custody for incident evidence: who handled each machine or disk image, when, and where it was kept.
Phase 3: Communication
Establish in advance who speaks for the company during an incident. The owner or a designated manager should be the single point of contact for all external communication. Staff should be instructed not to discuss the incident on social media or with clients until the designated spokesperson has approved a statement.
Internal communication should use a channel that is not affected by the incident. If your email is compromised, use phone or a messaging app that does not sign in with the same accounts. Have mobile numbers for key staff written down somewhere offline, since the contact list in a locked-out tenant or on an encrypted laptop is unavailable exactly when you need it.
Notification Obligations
Under PIPEDA, if a breach of security safeguards creates a real risk of significant harm to individuals, you must report it to the Privacy Commissioner of Canada and notify affected individuals as soon as feasible; PIPEDA also requires you to keep a record of every breach, reportable or not, for 24 months. Under Alberta PIPA, you must notify the Alberta Commissioner without unreasonable delay, and the Commissioner can then require you to notify affected individuals. Document the breach details immediately: what data was affected, when the breach was discovered, and what steps were taken.
Your cyber insurance carrier also needs to be notified promptly - most policies have notification windows of 24 to 72 hours, and late notice can jeopardise coverage. Read your policy before an incident so you know the requirement, and put the carrier's breach hotline on the one-page card next to your IT provider's number.
Phase 4: Recovery and Post-Incident Review
Recovery starts only after containment is confirmed. Restore from backups that predate the intrusion and were not reachable from the compromised network (a backup taken after the attacker got in may restore their tools along with your data), rebuild affected systems from clean images, and verify that the entry point has been closed (the exploited software patched, the phished account reset, the exposed remote access service removed) before reconnecting systems to the network. Run a full credential reset for all users, not just the ones directly affected, and include service accounts, shared passwords and API keys. Review MFA registrations at the same time: attackers often enrol their own phone or authenticator app on a compromised account so that they keep access after a password change.
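For the Microsoft 365 case, here is a PowerShell script that does the account part of both the Phase 2 containment step (revoke sessions and reset passwords for the affected accounts) and the Phase 4 full credential reset. It is an added example, not code from the original article. It assumes Entra ID as the identity provider, the Microsoft.Graph PowerShell SDK installed, and an operator signed in from a clean workstation with the User Administrator role; the user names, the break-glass account and the log path are placeholders.

```powershell
# Added example (not from the original article). Assumes Microsoft 365 / Entra ID as the
# identity provider and the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Run it from a known-clean workstation. User Administrator can reset ordinary users;
# resetting other administrators needs Global Administrator or
# Privileged Authentication Administrator.

# Connect once; delegated scopes cover password resets and session revocation.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

function New-TemporaryPassword {
    # 20 characters from a cryptographic RNG. The set omits look-alike glyphs (0/O, 1/l/I)
    # because the password is read out over the phone; mixed classes satisfy Entra complexity.
    $chars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%+="
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Invoke-AccountContainment {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalNames,
        # Hypothetical path; the CSV becomes part of the incident record (who, what, when).
        [string] $LogPath = ".\containment-log.csv"
    )

    foreach ($upn in $UserPrincipalNames) {
        $entry = [ordered]@{ Timestamp = (Get-Date).ToString("o"); User = $upn; Result = "" }
        try {
            # 1. Invalidate every refresh token. Access tokens already issued keep working
            #    until they expire (about an hour), so this bounds the attacker's window.
            Revoke-MgUserSignInSession -UserId $upn | Out-Null

            # 2. Random temporary password with a forced change at next sign-in.
            #    Hand it to the user by phone, never through the possibly compromised mailbox.
            $temp = New-TemporaryPassword
            Update-MgUser -UserId $upn -PasswordProfile @{
                Password                      = $temp
                ForceChangePasswordNextSignIn = $true
            }
            $entry.Result = "sessions revoked; password reset"
            Write-Host "[$upn] contained; temporary password: $temp"
        }
        catch {
            # Record the failure rather than stopping: the other accounts still need containing.
            $entry.Result = "FAILED: $($_.Exception.Message)"
            Write-Warning "[$upn] $($_.Exception.Message)"
        }
        [pscustomobject]$entry | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

# Phase 2 (containment): only the accounts known to be affected (placeholder names).
Invoke-AccountContainment -UserPrincipalNames "j.smith@example.com", "reception@example.com"

# Phase 4 (recovery): every enabled user. Exclude the operator's own account and the
# break-glass accounts, which are reset by hand last so you cannot lock yourself out.
$me         = (Get-MgContext).Account
$breakGlass = @("breakglass@example.com")     # assumed name; substitute your own
$everyone   = Get-MgUser -All -Property UserPrincipalName, AccountEnabled |
              Where-Object { $_.AccountEnabled -and
                             $_.UserPrincipalName -ne $me -and
                             $_.UserPrincipalName -notin $breakGlass } |
              Select-Object -ExpandProperty UserPrincipalName
Invoke-AccountContainment -UserPrincipalNames $everyone
```

The log file is the point of the wrapper: when the insurer or the OIPC asks what was done to which account and when, the CSV answers without relying on anyone's memory of a bad afternoon. The script does not touch MFA methods or inbox rules; those are reviewed separately in the admin centre as part of the recovery checks above.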
Within two weeks of the incident, run a post-mortem. Document the timeline, what controls failed, what worked, and what changes will be made. Update your incident response plan with lessons learned. The goal is not to assign blame but to improve your defences.