How to Build a Basic Incident Response Plan for Your Tiny Business
Picture this: you’re running a small corner shop in Manchester. It’s a quiet Tuesday morning when your till freezes. Ransomware locks your customer records. Panic sets in. Calls flood your phone from worried staff. What do you do next?
In the UK, 42% of small businesses faced cyber attacks in 2025. The average cost hit £3,398 per incident. Phishing topped the threats at 33.8%. Tiny firms like yours often lack defences. Now, in 2026, AI-driven phishing grows sharper, mimicking trusted voices with eerie accuracy.
A basic incident response plan changes that. It’s a straightforward guide. It tells you who acts first and what steps to take during hacks or breaches. You cut damage fast. You save cash. You gain calm amid chaos. This post walks you through it: pick leaders, rate risks, map phases, handle talk and reviews. No tech wizardry needed. Just simple actions for your team.

Pick Your Leader and Build a Contact List That Works
Chaos hits fast in a crisis. Without clear leaders, your tiny business stalls. Teams scatter like leaves in a gale. Name one incident commander. Add a backup. Build a contact list that everyone grabs in seconds.
This setup stops panic cold. Stats show 51% of small firms have no prep measures. They waste hours fumbling contacts. Your plan flips that. Think of the commander as your team’s captain in a storm. They steer the ship while waves crash. Staff know who calls the shots. Actions start quick.
A simple spreadsheet holds it all. Phones, emails, roles. Print copies. Stick one by the till or in desk drawers. Update it yearly or when staff change. Owner signs off first. This tiny step builds real muscle.
Name Your Incident Commander and Backup
The commander decides everything. They gauge the threat. They pick first moves. Choose someone reliable. They must answer day or night. Your IT whiz fits if they stay cool under fire. Or pick the manager who spots odd patterns quick.
Backup covers absences. Like the commander, list their full name, mobile, home phone, email. Test calls now. Get owner nod before launch. Write it bold in the plan: “Commander: Jane Doe, 07700 900123. Backup: John Smith, 07700 900456.”
This duo keeps wheels turning. No debates mid-crisis. Your shop reopens sooner.
Create Your Go-To Contact List
Start with commander and backup. Add IT support (internal or hired pro). Include the owner or boss. List key staff who handle cash or stock.
Step one: open a spreadsheet. Columns for name, role, mobile, email, home phone, secondary contact. Rows for each person.
Here’s a sample:
| Name | Role | Mobile | Email | Home Phone |
|---|---|---|---|---|
| Jane Doe | Commander | 07700 900123 | jane@shop.co.uk | 0161 1234567 |
| John Smith | Backup | 07700 900456 | john@shop.co.uk | 0161 7654321 |
| Alex Tech | IT Support | 07700 900789 | alex@fixit.co.uk | N/A |
| Owner Pat | Business Owner | 07700 900000 | pat@shop.co.uk | 0161 0000000 |
Best methods matter. Mobiles for alerts. Emails for records. Keep lists on phones too. Share via secure drive. Review every January. Test with mock calls. Now your team connects in seconds, not hours.
Rate Risks and Map Out Response Phases
Threats vary. A dodgy email differs from full system lockdown. Rate them by severity. Then map phases to follow. Half of small UK firms suffer hits yearly. Your plan matches speed to scale.
Picture a leaking pipe. Spot it quick (identify). Stem the flow (contain). Clear the clog (eradicate). Dry and test (recover). Miss a step, flood worsens. Same with cyber woes. Clear levels guide you. Phases keep focus sharp.
SEV-1 means catastrophe: ransomware shuts tills. SEV-4 is minor: spam slips through. Response times shrink with rank. Print this scale. Train staff to spot signs.
Set Up Your Severity Ranking
Four levels cover most hits. Tailor to your shop.
- SEV-1 Critical: Full shutdown. Ransomware encrypts files. Tills offline. Customers walk away. Respond in 15 minutes. Commander alerts all.
- SEV-2 High: Suspicious logs. Odd logins. Data leaks possible. Act in 30 minutes. Isolate fast.
- SEV-3 Medium: Phishing emails. Malware on one PC. Handle in 1 hour. Scan and clean.
- SEV-4 Low: Spam or weak passwords flagged. Review in 4 hours. Update rules.
Examples fit tiny ops. Weigh impact: cash flow halt trumps email glitch. Commander sets level first. Log it. This rank stops overkill on small fries.
Guide Through the Four Key Response Phases
Follow these in order. Checklists speed you up.
Identify: Spot the alert. Watch for slow systems, ransom notes, weird emails. Staff report to commander. Log time, signs, affected kit. Ask: “What’s broken? How long?”
Contain: Stop spread. Unplug infected PCs. Change passwords. Block bad IPs. Isolate networks. Short-term: use paper till. Goal: limit blast radius.
Eradicate: Hunt root cause. Run antivirus scans. Call IT pro. Delete malware. Patch holes. Test clean before next step. No shortcuts here.
Recover: Restore from clean backups only. Test small first. Monitor close for days. Go live slow. Change all passwords post-restore.
Print checklists per phase. Practice yearly. Backups? Test monthly on external drive. Clean copies save your bacon.
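The severity scale and the four phases above, sketched as a small incident log in Python. This is an added example, not part of the original post; the class and field names are illustrative, and it assumes "responded" means the Identify entry was logged.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Response windows taken from the severity scale in this post.
RESPONSE_WINDOW = {
    "SEV-1": timedelta(minutes=15), "SEV-2": timedelta(minutes=30),
    "SEV-3": timedelta(hours=1), "SEV-4": timedelta(hours=4),
}
# The four phases, in the order the post says to follow them.
PHASES = ["identify", "contain", "eradicate", "recover"]


@dataclass
class Incident:
    summary: str
    severity: str
    detected_at: datetime
    log: list = field(default_factory=list)  # (phase, time, note) tuples

    def __post_init__(self):
        if self.severity not in RESPONSE_WINDOW:
            raise ValueError(f"unknown severity: {self.severity}")

    @property
    def respond_by(self):
        return self.detected_at + RESPONSE_WINDOW[self.severity]

    def next_phase(self):
        """Phase due next, or None once all four are logged."""
        return PHASES[len(self.log)] if len(self.log) < len(PHASES) else None

    def complete(self, phase, when, note):
        """Log a finished phase; reject skipped or repeated phases."""
        if phase != self.next_phase():
            raise ValueError(f"expected {self.next_phase()!r}, got {phase!r}")
        self.log.append((phase, when, note))

    def responded_in_time(self):
        """Assumption: 'responded' means the identify entry was logged."""
        return bool(self.log) and self.log[0][1] <= self.respond_by


if __name__ == "__main__":
    # Constructed sample: ransomware spotted at 09:00, logged at 09:10.
    t0 = datetime(2026, 1, 6, 9, 0)
    inc = Incident("Till frozen, ransom note on screen", "SEV-1", t0)
    inc.complete("identify", t0 + timedelta(minutes=10), "Back-office PC and till")
    print(inc.respond_by, inc.responded_in_time(), inc.next_phase())
```

The log refuses a "recover" entry until "contain" and "eradicate" are recorded, which is the no-shortcuts rule from the Eradicate step.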
Plan Communication, Playbooks, and Lessons Learned
Words matter in crisis. Wrong ones spark fear or fines. Set channels clear. Phone for urgent. Chat apps like WhatsApp for teams. Email for records.
Tell staff first: “Systems down, work from home till notice.” Customers next: short sign on door. Suppliers if hit. If data is lost, make the legal notifications: the ICO within 72 hours.
Pre-write messages. “Dear customer, brief outage. No data risk. Back soon.” Playbooks shine here. One for phishing: “Step 1: forward email unsent…”
Email hack playbook: Isolate inbox. Scan devices. Notify sender. Change creds.
Post-incident: meet in 5 days. What went wrong? Log wins too. Assign fixes: “Jane trains on backups.” Update plan.
Fast start matters. Day one: call commander. Grab contacts. Run first checklist. What if your shop spills customer cards? Comms calm the storm.
Wrap It Up and Get Started Today
You now hold the blueprint. Name leaders. Build lists. Rank threats. Nail phases. Script talks and reviews. Tiny tweaks yield big shields. Response times slash. Costs drop below that £3,398 average.
Insurance quotes climb to 62% for unprotected firms. Don’t join them. Grab a spreadsheet now. List contacts today. Print phases tomorrow. Test in a week.
Imagine that Manchester shop again. Ransomware strikes. But captain Jane grabs the plan. Team contains fast. Back online by tea time. Storm passed. Your business stands tall.
Start small. Act now. Your till thanks you. Share your first step in comments.


