Incident Response Plan: A Practical Guide for UK SMEs
Practical perspective from an IT leader working across operations, security, automation, and change.
Most UK SMEs discover they need an incident response plan only when they need one. By then, the window for containing damage has already closed.
The average time to identify a data breach is over 200 days. For ransomware, the gap between initial access and encryption can be under two hours. In both cases, organisations without a pre-documented response procedure spend critical time figuring out what to do instead of doing it.
An incident response plan is not a luxury for enterprises. It is the difference between a manageable incident and a catastrophic one for a business of any size. This guide shows you how to build one that is proportionate to your size and actually usable when you need it.
What is an Incident Response Plan?
An incident response plan is a documented set of instructions that tells your team how to detect, respond to, and recover from an IT security incident. It covers who does what, when, in what order, and who needs to be told.
Without one, incident response tends to be ad hoc: whoever is around when something happens makes it up as they go. That approach works for minor incidents. For anything serious — a ransomware attack, a data breach, a compromised account with access to customer data — it produces delays, missed notifications, and preventable damage.
The goal of an incident response plan is to replace panic with process. Not to anticipate every possible scenario, but to ensure your team knows how to act quickly and correctly even when the situation is unclear.
Why UK SMEs Are Especially Vulnerable
Small and medium-sized businesses face higher risk than most realise. SMEs are the most common target of cyber crime precisely because they have fewer resources dedicated to security than large organisations, but still hold data worth compromising.
The Notifiable Data Breaches scheme under UK GDPR requires you to report certain incidents to the Information Commissioner's Office within 72 hours. Failure to do so — or to even know you need to — carries reputational and financial consequences that can be existential for a smaller business.
Ransomware attacks have disabled businesses of all sizes. The businesses that recover fastest are the ones that had a plan, tested it, and knew exactly who to call and what to do in the first hour.
The Six Phases of Incident Response
A structured approach to incident response follows six phases. Not every incident will require all six — some will be resolved in containment — but understanding the full framework means you can scale your response to the severity of the incident.
1. Preparation
Preparation is the phase most SMEs skip because it feels like overhead. It is the most important phase. What you do before an incident happens determines how fast and how effectively you respond when one does.
Preparation includes:
Documented response procedures. Not a forty-page manual — a concise runbook that answers: who is the first point of contact, what are the escalation criteria, who has authority to take systems offline, who notifies the ICO if needed, and who contacts external legal counsel.
Contact list. A current list of everyone who needs to be reached in an incident — internal IT leads, external IT support, legal counsel, insurance broker, ICO (for UK GDPR breaches), and your cyber insurance provider's incident response line.
Backup verification. Confirm that your backups are clean, tested, and not accessible from the primary network. Many ransomware attacks encrypt backups because they are mapped to the same network as primary systems.
Legal counsel on retainer. Finding a solicitor who specialises in cyber incidents at 2am during an active breach is not the time to discover they are unavailable. Establish the relationship before you need it.
The NCSC's Cyber Incident Response scheme lists certified incident response providers. For SMEs, the Smaller Organisations Cyber Incident Response service is a free alternative worth knowing about before an incident occurs.
2. Identification
The first sign of an incident is not always obvious. It might be a user reporting they cannot log in. A finance team member flagging a suspicious invoice. An antivirus alert. An unexpected file being modified at 3am.
Identification is about recognising that something abnormal is happening and treating it as a potential incident until you know otherwise.
Key indicators that warrant investigation:
- Unexpected system behaviour or performance degradation
- Unauthorised access attempts or successful logins from unusual locations
- Unusual outbound network traffic
- Files modified or deleted without a known cause
- Users locked out of accounts they did not change
- Ransom notes or encryption warnings on any system
When something looks wrong, the instinct is to try to explain it away. Train your team to err on the side of escalation. The cost of investigating a false alarm is low. The cost of missing a real incident is not.
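As an added example that is not part of the original article, the following Python helper applies the indicators listed above to a handful of constructed log events and follows the "err on the side of escalation" rule: any single indicator escalates. The user names, countries, timestamps and the per-user baseline of known sign-in countries are all made up for illustration.

```python
"""Triage constructed security events against the article's identification indicators."""
from collections import Counter
from datetime import datetime

# Constructed baseline: countries each user normally signs in from.
# A user missing from this map is treated as having no known location,
# so any successful login for them is flagged (the conservative choice).
KNOWN_LOCATIONS = {"alice": {"GB"}, "bob": {"GB", "IE"}}
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59 local time

# Constructed sample events: (timestamp, user, event type, detail)
SAMPLE_EVENTS = [
    ("2024-03-04T09:12:00", "alice", "login_ok", "GB"),
    ("2024-03-04T03:05:00", "bob", "login_fail", "RO"),
    ("2024-03-04T03:05:40", "bob", "login_fail", "RO"),
    ("2024-03-04T03:06:10", "bob", "login_ok", "RO"),
    ("2024-03-04T03:07:00", "bob", "file_modified", "finance/invoices.xlsx"),
    ("2024-03-04T03:09:00", "alice", "account_locked", "too many failures"),
]


def triage(events):
    """Return (indicators, escalate).

    indicators is a list of (user, reason, detail) tuples; escalate is True
    as soon as any indicator is present, per the article's guidance.
    """
    indicators = []
    failures = Counter()  # consecutive failed logins per user
    for ts, user, kind, detail in events:
        if kind == "login_fail":
            failures[user] += 1
        elif kind == "login_ok":
            if detail not in KNOWN_LOCATIONS.get(user, set()):
                indicators.append((user, "login from unusual location", detail))
            if failures[user] >= 2:
                indicators.append((user, "success after repeated failures", f"{failures[user]} failures"))
            failures[user] = 0  # a success ends the failure streak
        elif kind == "file_modified":
            if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
                indicators.append((user, "file modified out of hours", detail))
        elif kind == "account_locked":
            indicators.append((user, "account lockout", detail))
    return indicators, bool(indicators)


if __name__ == "__main__":
    found, escalate = triage(SAMPLE_EVENTS)
    for user, reason, detail in found:
        print(f"{user}: {reason} ({detail})")
    print("ESCALATE" if escalate else "no indicators")
```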
3. Containment
Once you have confirmed an incident is in progress, containment is the immediate priority. Stop the spread.
Short-term containment actions:
- Isolate affected systems by disconnecting from the network (not just shutting down — that can trigger data destruction)
- Revoke compromised credentials immediately
- Block suspicious IP addresses or accounts at the firewall
- Preserve evidence by imaging affected systems if you have the capability
Longer-term containment:
- Apply patches or configuration changes to prevent re-entry via the same vector
- Reset all credentials for affected accounts and any accounts with similar privilege levels
- Alert the owners of neighbouring systems that may share the same exposure
The goal of containment is to stop the incident from spreading while you assess the full scope. Do not try to fully resolve the incident during containment — move fast and stop the bleeding.
4. Eradication
With the incident contained, you can work on removing the threat from your systems.
Eradication means eliminating the root cause — removing malware, closing the vulnerability that allowed access, closing compromised accounts, and ensuring the attacker can no longer re-enter through the same path.
For ransomware, this often means rebuilding affected systems from known good backups rather than attempting to clean infected machines. For data breaches, it means identifying and closing the access vector and ensuring no additional data is at risk.
Eradication is complete when you are confident the attacker no longer has access. This can take hours or weeks depending on the complexity of the incident.
5. Recovery
Recovery is the process of restoring normal operations. This is where a tested backup policy pays off — businesses with clean, tested backups can recover from ransomware in hours rather than weeks.
Recovery priorities:
- Restore systems in order of business criticality
- Verify restored systems are clean and not re-infected
- Monitor closely during the restoration period — attackers sometimes leave dormant access for re-entry
- Restore data integrity — confirm that recovered data is complete and uncorrupted
- Resume normal operations gradually, not all at once
For incidents involving UK GDPR personal data, do not consider recovery complete until you have assessed whether the incident requires a data breach notification to the ICO and, where necessary, notified the affected data subjects.
6. Lessons Learned
The final phase is the review. What happened? How did the response perform? What would you do differently?
Lessons learned is where your incident response capability improves. Without a structured review, the same gaps that allowed the incident to occur — or that slowed your response — will persist.
A lessons learned session should happen within two weeks of the incident, with all key responders present. Focus on what worked, what did not, and what needs to change in your documented procedures or technical controls.
Even if the incident was minor, treat the lessons learned seriously. Near-misses are learning opportunities.
Building Your Plan: What to Include
A useful incident response plan for an SME does not need to be long. A concise document — five to ten pages — that covers the essentials is better than a complex plan that no one reads.
Include at minimum:
Incident classification. Define what constitutes a critical, major, and minor incident. This determines who is activated and how urgently.
Escalation criteria. Who is the first point of contact? When does the incident get escalated to senior leadership? When does legal counsel get involved? When is the ICO notified?
Contact list. Current, tested contacts for IT leads, external support, legal counsel, insurance, and the NCSC Smaller Organisations Cyber Incident Response service.
Response procedures by incident type. Ransomware, data breach, compromised account, DDoS — each has different immediate actions.
ICO notification checklist. If personal data is involved, the 72-hour UK GDPR clock starts when you become aware of the breach. The checklist should include what to capture for the notification (nature of breach, categories and approximate number of data subjects, likely consequences, measures taken or proposed).
Evidence preservation guidance. What to do (and not do) with affected systems before forensics begin.
UK GDPR and the 72-Hour Notification Requirement
This deserves its own section because it is the requirement most SMEs are least prepared for.
Under UK GDPR, if a personal data breach is likely to result in a risk to individuals, you must notify the ICO without undue delay, and where feasible within 72 hours of becoming aware. If the risk is high, you must also notify the affected individuals.
"Within 72 hours of becoming aware" is the critical phrase. The clock starts when you — as the data controller — have a reasonable degree of certainty that a breach has occurred. Not when the attacker is identified, not when the full scope is known. When you first become aware.
This means your incident response plan needs a pathway to escalation that reaches someone with authority to notify the ICO within hours of an incident being detected, not days.
If in doubt, notify. The ICO's guidance is clear that over-reporting is preferable to under-reporting, and the 72-hour clock pauses once you submit a notification while you gather more information.
Common SME Mistakes
No plan at all. The most common mistake. Most SMEs discover their gaps in incident response only when an incident forces the issue.
Plan is not tested. A plan that has never been walked through is not a plan — it is a document. Run a tabletop exercise annually at minimum. Use realistic scenarios, not theoretical ones.
Not keeping contact lists current. The most common failure during an active incident is trying to find a contact number at 2am.
Assuming backups will work. Test your restore process quarterly. A backup that has never been restored is not a backup — it is a hope.
Delaying ICO notification to avoid reputational damage. This is a serious misunderstanding of the regulatory landscape. The ICO's approach to small organisations is proportionate. Delayed or absent notification is treated far more seriously than the breach itself. More broadly, an incident response plan tested alongside your IT governance framework forms the foundation of cyber resilience.
No insurance or no clarity on what the policy covers. Cyber insurance policies vary significantly in what they cover. Read your policy before an incident. Know whether it covers incident response costs, legal fees, regulatory fines, and business interruption.
When to Bring in Help
An incident response plan for an SME should include a relationship with an external incident response provider before you need one. The NCSC's Smaller Organisations Cyber Incident Response service is free for organisations that meet their criteria. Cyber insurance policies typically include access to panel incident response firms.
The value of external help is speed and expertise. A good incident response firm can identify the scope of a breach faster, contain it more effectively, and navigate the ICO notification process more confidently than an SME working from a plan alone.
If you have cyber insurance, call the incident response line at the first sign of a serious incident — before you attempt containment yourself. The insurer will dispatch a response team at no additional cost.
If your business needs a documented incident response plan, or if you want to stress-test your current procedures through a tabletop exercise, get in touch to discuss how that works in practice.
About the author
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.