Most small businesses have no written incident response plan. When ransomware hits or a data breach occurs, decisions get made under panic, often the wrong decisions. A written plan that answers "who does what in the first hour" is enough to dramatically reduce the damage. Below is a working template to adapt and keep accessible.
Version: 1.0 | Date: [Date] | Owner: [Operations Lead / IT Contact]
Print this and keep a physical copy offsite; your systems may be unavailable during an incident.
Phase 1: Detection and Classification
Trigger events: Start the IR process if any of the following occur:
- A user reports locked files, strange pop-ups, or a ransom note
- Your EDR platform generates a critical or high-severity alert
- Multiple failed login attempts on admin accounts, especially outside business hours
- A vendor or partner notifies you of suspicious activity involving your account
- Unusual data transfer volumes observed in network monitoring
- Email delivery failures suggesting domain compromise
Classification:
| Priority | Definition | Example |
|---|---|---|
| P1, Critical | Systems down; data may be exfiltrated; operations halted | Active ransomware; confirmed data breach |
| P2, High | Suspicious activity confirmed; operations still running | Suspicious logins; malware detected and contained |
| P3, Medium | Anomaly detected; investigation needed | Unusual email rules; single failed phishing attempt |
Decision point: Classification is made by [IT Contact / MSP on-call]. For P1: immediately proceed to Phase 2. For P2/P3: investigate and escalate if there is evidence of active compromise.
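The trigger "multiple failed login attempts on admin accounts, especially outside business hours" is the one most easily checked from sign-in data, so here is an added example (not part of the original plan) that flags it and hands the result to the person doing the Phase 1 classification. The record shape (UserPrincipalName, CreatedDateTime, Status, IsAdmin), the 08:00-18:00 business window, the threshold of five failures and the sample records are all assumptions; real records would come from the Entra ID sign-in log.

```powershell
# Added example, not part of the original plan: checks sign-in records for the
# Phase 1 trigger "multiple failed login attempts on admin accounts outside
# business hours" and returns candidates for human classification.
# Assumptions: each record has UserPrincipalName, CreatedDateTime (ISO 8601,
# local time), Status ('Success' or 'Failure') and IsAdmin; sample data below
# is constructed.

function Find-AdminSignInTrigger {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $Threshold     = 5,   # failures per account before the trigger fires
        [int] $BusinessStart = 8,   # business hours assumed to be 08:00-18:00
        [int] $BusinessEnd   = 18
    )

    $SignIns |
        Where-Object { $_.IsAdmin -and $_.Status -eq 'Failure' } |
        Where-Object {
            $hour = ([datetime]$_.CreatedDateTime).Hour
            ($hour -lt $BusinessStart) -or ($hour -ge $BusinessEnd)
        } |
        Group-Object -Property UserPrincipalName |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $times = @($_.Group.CreatedDateTime | Sort-Object)
            [pscustomobject]@{
                Account            = $_.Name
                AfterHoursFailures = $_.Count
                FirstSeen          = $times[0]
                LastSeen           = $times[-1]
                SuggestedPriority  = 'P2'   # suspicious activity; a person confirms per Phase 1
            }
        }
}

# Constructed sample: six after-hours failures against one admin account, two
# daytime failures against another, and an ordinary successful user sign-in.
$sample = foreach ($i in 1..6) {
    [pscustomobject]@{
        UserPrincipalName = 'it-admin@example.com'
        CreatedDateTime   = "2024-01-15T02:0${i}:00"
        Status            = 'Failure'
        IsAdmin           = $true
    }
}
$sample += [pscustomobject]@{ UserPrincipalName = 'ops-admin@example.com'; CreatedDateTime = '2024-01-15T10:15:00'; Status = 'Failure'; IsAdmin = $true }
$sample += [pscustomobject]@{ UserPrincipalName = 'ops-admin@example.com'; CreatedDateTime = '2024-01-15T10:16:00'; Status = 'Failure'; IsAdmin = $true }
$sample += [pscustomobject]@{ UserPrincipalName = 'jane@example.com';      CreatedDateTime = '2024-01-15T02:30:00'; Status = 'Success'; IsAdmin = $false }

Find-AdminSignInTrigger -SignIns $sample | Format-Table -AutoSize
```

Only it-admin@example.com comes back, because ops-admin's failures fall inside business hours and jane's after-hours sign-in succeeded. The output is a candidate list, not a classification: the plan keeps that decision with [IT Contact / MSP on-call], which is why the priority is only suggested.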
Phase 2: Containment
Immediate containment actions (do these before investigating):
For a P1 incident (ransomware, active breach):
☐ Isolate affected systems: Physically disconnect affected machines from the network (pull the Ethernet cable; disable WiFi). Do NOT simply shut them down unless instructed to do so; live memory may contain forensic evidence.
☐ Disable compromised accounts: In Microsoft 365 / Entra ID, disable accounts you believe have been compromised. Do not delete them.
☐ Revoke active sessions: In M365 Admin > Users, use "Revoke sign-in sessions" on compromised accounts.
☐ Preserve logs: Do not clear event logs. Export and preserve logs from M365, firewall, and any other systems you can access.
☐ Do not pay ransom without legal and IR firm advice: Contact your IT provider and cyber insurance carrier first.
Containment decision, cloud systems only: If you are a cloud-first business (no on-premises servers), containment means disabling accounts and revoking sessions, not disconnecting hardware. Your MSP can do this remotely.
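For a cloud-first tenant the "disable", "revoke sessions" and "preserve logs" steps can be scripted so they happen in the right order under pressure. The following is an added example, not the plan's own procedure, using the Microsoft Graph PowerShell SDK (Microsoft.Graph module). It assumes the operator already holds a role that can disable users and read audit logs; the evidence folder path and the account names in the usage line are placeholders.

```powershell
# Added example, not part of the original plan: scripted Phase 2 containment
# for Microsoft 365 / Entra ID using the Microsoft Graph PowerShell SDK.
# Order matters: preserve evidence first, then disable, then revoke sessions.
# Assumptions: sufficient admin role; $EvidencePath is a placeholder.

function Invoke-AccountContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [string] $EvidencePath = 'C:\IR-Evidence'   # placeholder; prefer an offline or immutable location
    )

    # Connect once, with only the scopes these actions need.
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All' -NoWelcome

    New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
    $actionLog = Join-Path $EvidencePath 'containment-actions.csv'

    foreach ($upn in $UserPrincipalName) {
        $stamp = (Get-Date).ToString('yyyyMMdd-HHmmss')

        # 1. Preserve logs: export the account's sign-in history before touching it.
        $signInFile = Join-Path $EvidencePath ("signins-{0}-{1}.csv" -f ($upn -replace '[@.]', '_'), $stamp)
        Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -All |
            Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
                          @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
            Export-Csv -Path $signInFile -NoTypeInformation

        if ($PSCmdlet.ShouldProcess($upn, 'Disable account and revoke sign-in sessions')) {
            # 2. Disable, never delete: the object and its audit trail stay intact.
            Update-MgUser -UserId $upn -AccountEnabled:$false

            # 3. Revoke sessions: disabling alone leaves already-issued tokens valid
            #    until they expire, so refresh tokens are invalidated explicitly.
            Revoke-MgUserSignInSession -UserId $upn | Out-Null

            # 4. Record what was done and when, for the Phase 4 incident timeline.
            [pscustomobject]@{
                Timestamp = (Get-Date).ToString('o')
                Account   = $upn
                Action    = 'Disabled account; revoked sign-in sessions'
                Evidence  = $signInFile
                Operator  = (Get-MgContext).Account
            } | Export-Csv -Path $actionLog -NoTypeInformation -Append
        }
    }
}

# Usage with placeholder accounts. Add -WhatIf to list the actions without performing them.
# Invoke-AccountContainment -UserPrincipalName 'user1@example.com', 'user2@example.com'
```

The export runs even under -WhatIf, since reading logs changes nothing, while the disable and revoke steps are gated on ShouldProcess. The action log it writes is the start of the incident timeline the Phase 4 review asks for.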
Phase 3: Communication
Internal Communication
☐ Notify [Owner / Operations Manager] immediately for any P1 incident
☐ Brief staff on what they should and should not do (do not attempt to restore files themselves; do not share information externally until instructed)
☐ Activate business continuity plan if primary systems are unavailable
External Communication: Notification Obligations
Cyber insurance carrier: Call your broker immediately for P1 incidents. Most policies require you to notify the carrier promptly. Failure to notify promptly can affect your coverage.
PIPEDA / BC PIPA obligations:
- Under PIPEDA: Notify the Office of the Privacy Commissioner of Canada if the breach poses a "real risk of significant harm" to individuals. This includes most ransomware incidents where client data was potentially accessible.
- Under BC PIPA: Notify the BC OIPC. BC has mandatory breach reporting under PIPA.
- Notification must occur "as soon as feasible"; in practice, this means within 72 hours of determining that a notifiable breach has occurred.
- Maintain a record of every breach, whether or not it requires notification.
Affected individuals: Notify directly if the breach poses a real risk of significant harm.
Key external contacts:
| Contact | Name | Phone | Notes |
|---|---|---|---|
| IT MSP / IR partner | | | |
| Cyber insurance broker | | | |
| BC OIPC | | 250-387-5629 | If PIPA breach |
| OPC Canada | | 1-800-282-1376 | If PIPEDA breach |
| Legal counsel | | | |
Phase 4: Recovery
☐ Confirm the threat is fully contained before restoring from backup
☐ Restore from the clean backup copy (your immutable or air-gapped tier; see the 3-2-1-1-0 backup post)
☐ Reset all passwords and rotate service account credentials before reconnecting systems
☐ Apply all outstanding patches before restoring production
☐ Verify restored systems are clean using EDR before reconnecting
Post-incident review (within 5 business days):
☐ Document the incident timeline: when detected, what happened, what was affected
☐ Identify the root cause (phishing? unpatched vulnerability? compromised credential?)
☐ Identify what controls, if they had been in place, would have prevented or limited the incident
☐ Update the IR plan based on what you learned
☐ Brief leadership and, where appropriate, affected staff
This template is a starting point. Have your IT provider and legal adviser review it. Test it with a tabletop exercise annually.
Talk to a Prince George-based IT team about incident response planning, call 672-983-1174 or book a free assessment at northstarit.ca.
Do not wait for an incident to build a plan.
North Star can build and test a custom incident response plan for your business, including tabletop exercises and runbooks. Get started with a free assessment.
Frequently asked questions
What is an incident response plan small business owners should have?
An incident response plan for a small business is a formal document that outlines how your organisation will detect, respond to, and recover from cybersecurity incidents. It serves as a playbook to ensure your team reacts quickly and efficiently to threats like ransomware or data breaches. By having a structured approach, you reduce the risk of permanent data loss and significantly decrease the time it takes to return to normal operations in Western Canada.
Why is a small-business-specific IRP template important?
Most enterprise templates are too complex for smaller teams to manage effectively. A dedicated IRP template for small business focuses on the most common threats faced by SMBs in Alberta and BC, such as phishing and local hardware failure. It simplifies the reporting structure and prioritises the most critical business functions, making it easier for a smaller IT team or a managed service provider like Northstar IT to execute the plan under pressure.
How often should we update our incident response plan?
You should review and update your incident response plan at least once a year or whenever there is a major change in your IT infrastructure or business operations. Regular testing, often called tabletop exercises, helps identify gaps in the plan. For businesses in Prince George or Calgary, staying current with local regulatory requirements and evolving cyber threats is vital to ensure your defensive strategies remain effective and your team stays prepared.
What are the key phases of an incident response process?
The standard process includes preparation, identification, containment, eradication, recovery, and post-incident activity. Preparation involves training and tools, while identification confirms a breach has occurred. Containment stops the threat from spreading, and eradication removes it from your systems. Recovery restores operations to normal, while the final phase involves documenting lessons learned to improve your future response. Northstar IT helps SMBs navigate each of these critical steps with professional guidance.