Most small businesses don't have a written plan for what to do when something goes wrong. Not a ransomware attack, not a phishing compromise, not a data breach. When it happens, they improvise. And improvising during a cyber incident is one of the most expensive things a business can do.
An incident response plan doesn't require a security team, specialist software, or months of preparation. It requires clarity about who does what, when, and in what order — written down before the crisis, not worked out during it. This post explains what an incident response plan is, what the absence of one actually costs you, what a basic plan needs to cover, and how to put one together without it becoming a project.
What Happens Without a Plan
When a cyber incident hits an unprepared business, the same pattern plays out repeatedly. Someone notices something wrong — files are encrypted, a password stops working, a bank transfer lands in the wrong account. There's a moment of confusion about who should be told first. The wrong people get involved. The right people are unreachable. Evidence is accidentally destroyed. Communication goes out without the insurer having been notified. Decisions get made under pressure by people who lack the information to make them well.
According to IBM's Cost of a Data Breach report, businesses with no incident response plan incur breach costs that are on average 58% higher than those with a tested plan in place. The plan itself doesn't prevent incidents — it prevents incidents from becoming catastrophes.
The most common — and most avoidable — mistakes made during an unplanned incident response:
- Continuing to use compromised systems while trying to understand what happened, allowing attackers to maintain their foothold or exfiltrate more data.
- Notifying customers or the public before notifying the ICO, which reverses the legally required sequence under UK GDPR and can complicate both your regulatory position and any insurance claim.
- Paying a ransom without first contacting your insurer, which frequently voids coverage — many policies require insurer approval before any payment is made.
- Wiping and rebuilding systems immediately to restore operations, destroying the forensic evidence needed to understand how the breach occurred and what data was accessed.
- Communicating via compromised channels — using the same email system or Slack workspace that has been breached to coordinate the response, potentially alerting attackers to your actions.
None of these mistakes happen because people are careless. They happen because in the absence of a plan, people are working from instinct under conditions of stress, incomplete information, and time pressure. The plan exists to replace instinct with procedure.
Why Most Small Businesses Don't Have One
The most common reasons are honest ones. Incident response planning feels like an enterprise concern — something for businesses large enough to have a security team, a CISO, and a dedicated IT function. The word "plan" implies a lengthy, formal document that requires specialist knowledge to produce. And most small business owners are optimistic: they know incidents happen, but they tend to believe they're less likely to be targeted than they actually are.
In the UK, 32% of businesses reported a cyber incident in the past 12 months, according to the 2025 Cyber Security Breaches Survey. For medium-sized businesses, that figure rises to 59%. The idea that small businesses are too small to be worth attacking is not supported by the data.
The other barrier is that incident response plans can become complicated quickly — particularly when they try to anticipate every possible scenario in detail. A plan that covers ransomware, insider threats, supply chain compromise, DDoS attacks, and physical theft in exhaustive detail is useful only if it's actually read and understood by the people who'll need to use it. A shorter, simpler plan that people have actually read is worth considerably more than a comprehensive document that lives in a folder no one can find.
What an Incident Response Plan Actually Needs to Cover
For a small business without a dedicated security function, a practical incident response plan covers six things. It doesn't need to be longer than four or five pages — the value is in specificity, not length.
The Contacts Section Is the Most Important Part
Of everything in your incident response plan, the most immediately useful section is a simple, up-to-date list of contacts — kept somewhere accessible that doesn't depend on the systems that may be compromised. A printed copy matters. A PDF on a shared drive that's been encrypted by ransomware is not accessible when you need it.
- Cyber insurer. Policy number, 24-hour claims line, and the specific requirement for what you must do before spending money on incident response services. Many policies void coverage if you pay a ransom or engage a forensic firm without prior approval.
- IT support or managed service provider. Out-of-hours contact number. Do they have a security incident capability, or will they refer you to a specialist? Know the answer before the incident.
- Legal counsel. Especially relevant if personal data is involved. Legal privilege over incident communications can be valuable if regulatory action follows.
- ICO reporting portal. ico.org.uk — UK GDPR Article 33 requires notification within 72 hours of becoming aware of a personal data breach (where the breach is likely to result in risk to individuals). The clock starts when you become aware, not when the breach occurred.
- NCSC Cyber Incident Reporting. For significant incidents, the NCSC operates a reporting and response service at ncsc.gov.uk. Reporting is encouraged and treated in confidence.
- Key staff personal contact numbers. If your email is down, how do you reach the people who need to be involved? A personal mobile list, held offline, is not optional.
What Cyber Insurance Requires
If your business holds a cyber insurance policy — or is considering one — the incident response plan is directly relevant to your coverage. Most policies include specific requirements about what you must do (and must not do) in the event of an incident. Common requirements include:
- Notifying the insurer or their designated incident response service as soon as practically possible after becoming aware of an incident — often within 24 to 72 hours.
- Obtaining written approval before making any ransom payment.
- Not making public statements about the incident without insurer sign-off where reputational or liability implications exist.
- Engaging only insurer-approved forensic or legal firms where the policy covers those costs.
These requirements are not suggestions. Failing to follow them — even if done with good intentions in the chaos of an active incident — can invalidate your claim. Your incident response plan should reference your policy requirements explicitly, with the insurer's incident response number visible at the top of the contacts list.
How to Build One Without It Becoming a Project
The goal is a document that exists, is findable, and is understood by the people who'll use it. Here's the fastest path to getting there.
Block two hours. That's genuinely enough to produce a first version. Sit down with whoever is responsible for IT and whoever is responsible for the business — in a small business, that's often the same person — and work through the six phases above. Write down what you'd actually do, who you'd call, and where things live. Don't try to cover every scenario; focus on the two or three most likely ones: ransomware, phishing compromise of a staff account, and accidental data exposure.
Decide on your out-of-band communication method now. If your email is down, how do you coordinate? A WhatsApp group, a Signal channel, a personal email account — the choice doesn't matter much, but making the choice in advance matters a great deal. Nominate it, tell the relevant people, and note it in the plan.
Print it and store it physically. A laminated copy in a drawer, a printed sheet in a binder. It sounds old-fashioned. It's the only version that's guaranteed to be accessible when your systems are down.
Review it once a year, or after any significant change to your systems, staff, or suppliers. The contacts list goes stale fastest — check it every six months. A plan with an out-of-date insurer contact number or an old IT support number is meaningfully less useful than one that's current.
Businesses that test their incident response plan at least annually recover from incidents significantly faster and at lower cost than those that have a plan but never test it. A 30-minute tabletop exercise — walking through a hypothetical scenario with key staff — is enough to surface gaps and build familiarity before the real thing.
The Honest Summary
An incident response plan will not prevent you from being attacked. What it will do is give you a fighting chance of containing the damage, meeting your legal obligations, preserving your insurance coverage, and resuming normal operations in days rather than weeks. The businesses that handle incidents well are rarely the ones with the most sophisticated security — they're the ones that had a clear, simple plan and followed it.
If your business doesn't have one, the time to build it is before you need it. After is too late.
Understand Your Risk Before an Incident Forces You To
Faradome RisQ assesses your current security posture and identifies the gaps most likely to turn a minor incident into a major one — before it happens.