Table of Contents
Part One: You've Been Told to Get an Incident Response Plan. Here's What It Actually Protects.
By Nate Olson, Fractional IT Director & vCIO | N.O. IT Strategy LLC
Chances are, somebody has already told you that you need an incident response plan (IRP).
Maybe it was your CPA, while you were inquiring about getting your company SOC 2 compliant. Maybe it came attached to your ISO 27001 certification application. Maybe your cyber insurance carrier is requiring it this year, or maybe a trusted advisor sat you down and told you it’s plain common sense to have one. (waves)
Either way, you get the message. You need one, but has anybody stopped to explain to you what the IRP actually means, what does it protect and how does it help you when it counts?
I bet some of you are thinking: “I already have one, if something like this happens, I’ll call my IT company.”
That’s not an incident response plan. Calling IT when something goes wrong may feel like the correct step, but in many high-stakes scenarios, it requires more than your typical IT response and many of the decisions that need to be made fall outside the scope of IT.
A plan is everything around that call: what even counts as an emergency, who has the authority to act, who gets notified and in what order, what you tell your customers, when you bring in your insurer and your attorney, and what your IT company is actually supposed to do once they pick up. So with that context, one phone call isn’t a plan. It’s hope attached to a prayer.
So let me show you what a plan really does for you. Not the standards language, not the audit checkbox, but what it actually protects.
The part that often gets skipped is this: an IRP isn’t built for one emergency. It’s built for several, even if they don’t look anything alike. Most of them are attacks on your data, the worst ones are where your IRP and your disaster recovery plan (DRP) both have to fire at the same time.
So I’m going to run this as a short series, one scenario at a time, and show you how your plan protects you in each:
- A ransomware attack, where someone locks up your data and demands payment
- Wire fraud, where a hijacked email account cons your team into sending money to a stranger
- A data breach, where your customers’ information gets out and the legal clock starts running
- And how all of that ties into your DRP, because responding to an attack is one job and getting your business back on its feet is another
Four very different bad days. One plan that’s supposed to get you through every one of them, and also knows exactly when to hand off to the plan sitting right next to it.
Part One: Ransomware
Picture a Monday morning. Your team arrives to find that some computers are locked out, others who can log in find that some of their files won’t open and there’s a message now showing with a countdown and a demand for payment. Your business has been forcibly stopped and somebody is holding it for ransom.
Here’s the difference a plan makes, and more importantly, the reasoning behind each move.
Without a plan, the next hour is chaos. Someone with access to the IT closet panics and unplugs your servers, thinking it will stop the attack. Maybe someone in fiscal reboots a compromised machine. While those two incidents are happening a third person who’s unaware of the attack starts deleting files on their slow computer to clean it up, and every one of those moves may have just destroyed the evidence you’ll need later. Nobody’s sure whether to call the police, the insurer, or a lawyer, so they call all three at once, or none of them. And somewhere in the panic, somebody floats just paying it to make it stop.
With a plan, that same hour looks completely different. Let me take you through the four decisions that actually determine how this ends.
Containment
Containment comes first, and how you contain it matters.
An IRP built off ISO/IEC 27035 guidance should tell you to isolate the infected machines from the network right away, but do not power them down unless your response lead, attorney, insurer or forensic team tells you otherwise.
That detail isn’t minor. A lot of the evidence about how the attacker got in and what they took may live in the machine’s memory, active sessions and logs that can vanish the second you cut power. Wipe that, and you may not be able to prove what was and wasn’t stolen. When that data isn’t available, the law often makes you assume the worst, which means more notifications, more cost and a harder insurance claim.
Isolating stops the spread. Powering down too early can destroy your proof. Your plan names one person with the authority to make that call, so it happens in minutes instead of after a meeting that never quite starts.
Do We Pay?
The “do we pay” question gets decided with facts, not fear.
This is the one you least want to answer in a panic. A IRP tells you to contact your IRP Lead, who then notifies your insurance agent, who starts the ball rolling on that end. Your IRP Lead gets the Incident Response (IR)Team and IR Counsel involved before anyone says a word to the attacker.
Two reasons that order matters. First, paying the wrong group can put you in violation of federal sanctions law, whether you knew who they were or not. OFAC has warned that ransomware payments can create sanctions risk and that civil penalties can apply even when the payer did not know they were dealing with a prohibited party.
Second, most cyber policies require the carrier’s involvement before major response costs are incurred or before a ransom payment is considered. Paying without that coordination can put your claim at risk.
Paying is no guarantee anyway and with today’s double-extortion attacks the criminals may still hold a copy of your data and threaten to leak it whether you pay or not. That’s a big reason more organizations are now refusing to pay. IBM reported that 63% of ransomware victims refused to pay in 2025, up from 59% the year before.
Your plan makes sure you know all of that before the clock pressures you into a wire transfer.
Backups
Your backups decide whether you have leverage or you’re begging.
Here’s a detail no-one wants to hear: one of the first things a capable attacker does is hunt down your backups and try to destroy them, so paying starts to look like the only option left. It’s not rare, either. Sophos found that attackers tried to compromise the victim’s backups in 94% of ransomware attacks. That’s why two words in your plan matter more than almost anything else.
Immutable and offline.
A backup the ransomware can reach is a backup the ransomware can encrypt, right along with everything else. It also has to be regularly tested, because an untested backup that won’t restore is the same as no backup, discovered at the worst possible moment.
Here’s what that’s worth. Sophos surveyed organizations with 100 to 5,000 employees, so mid-sized businesses, not Fortune 500 giants. When backups were not impacted, the median cost to recover from the attack was about $375,000. When the attacker compromised the backups, that median jumped to roughly $3 million.
Eight times the bill.
That difference came down in large part to whether the backups were out of reach.
If you run smaller than that, scale the dollars down to your world, but the pattern doesn’t chance. Losing your backups roughly multiplies whatever recovery would have cost you, and it strips away the one piece of leverage you have against the attacker.
The good news is that recovery is possible when you still have options. Sophos found that 97% of organizations that had data encrypted were able to recover it, but only 54% restored using backups and 49% paid the ransom to get data back. That is exactly why protected, tested backups matter. They keep recovery from turning into negotiation.
Sophos also found that 53% of organizations were fully recovered within a week, up from 35% the year before. That improvement does not happen by accident. It happens when containment, insurance, legal, forensic response and disaster recovery are not being invented in the middle of the attack.
This is where your incident response plan and your disaster recovery plan start shaking hands, and it’s where this series ends up.
Communication
Who talks to staff so nobody posts about it online before you’re ready. Whether customer or employee data was actually taken, because that one fact decides whether the law requires you to notify people, and how fast. Who talks to customers, who talks to vendors, who talks to law enforcement and who talks to the insurer.
IBM’s 2025 Cost of a Data Breach report put the global average cost of a breach at $4.44 million. It also noted that effective crisis response means regularly testing incident response plans and backups, defining clear roles in the event of a breach and conducting crisis simulations.
The ransomware attack is the same either way. What changes is you. With a plan, you’re making decisions you already rehearsed, and the numbers say organizations are recovering faster when they are prepared. Without one, you’re improvising on the worst day your business has ever had, and the attacker is counting on exactly that.
That’s one scenario.
In Part 2, I’ll walk you through wire fraud, the one where no malware locks anything, your email just quietly betrays you, and the money is gone before anyone notices.
Part 3 is the data breach and the legal clock that starts the second customer information walks out the door.
Part 4 is where your incident response plan and your disaster recovery plan come together, so you’re not just secure, you’re back in business.
Don’t want to wait for the whole series?
You don’t have to. Building an incident response plan that actually holds up under pressure, the kind that makes these decisions before the attack instead of during it, is exactly the work I do. Not a binder that looks good in an audit and falls apart at 2 a.m., but a plan your team can actually run when the screens lock up.
Let’s talk.
Sources
- Canadian Centre for Cyber Security. Ransomware: How to prevent and recover (ITSAP.00.099). https://www.cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099
- U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC). Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, September 21, 2021. Available at ofac.treasury.gov.
- IBM. Cost of a Data Breach Report 2025. https://www.ibm.com/reports/data-breach
- Sophos. The State of Ransomware 2025, June 2025. https://www.sophos.com/en-us/content/state-of-ransomware
- Sophos. The Impact of Compromised Backups on Ransomware Outcomes, 2024. https://www.sophos.com/en-us/blog/the-impact-of-compromised-backups-on-ransomware-outcomes
