Building a One-Page Incident Response Plan You'll Actually Use
Most small businesses have an incident response plan that lives in three places: a 40-page Word doc nobody has opened in two years, the IT person's head, and the moment-of-panic group chat. None of those work at 2 a.m. when ransomware hits. Here's how to build a one-page plan that actually gets used.
Why one page beats forty: When something breaks, no one reads a binder. They scan, call, and act. A one-pager forces clarity — you can't hide behind paragraphs. Aim for something a new hire could follow at 2 a.m. with no training.
Section 1: Detection (top of page). Define what counts as an incident. Examples: ransomware notice on a screen, suspicious wire-transfer email, account lockouts across multiple users, missing files, customer reports of fraud. Anything matching this list triggers the plan.
Section 2: First call. One name, one number, one backup. "Call Cody at 555-0142. If unreachable, call MSP at 555-0199." That's it. No decision tree. The first call's job is to escalate, not to fix.
Section 3: Contain (first 60 minutes). Three actions in priority order: (1) Disconnect affected machines from the network — unplug the cable or turn off Wi-Fi, but do not power off (memory forensics needs the contents of RAM, and powering off destroys them). (2) Disable suspected user accounts in your identity provider. (3) Do not pay, do not delete, do not communicate with the attacker.
Section 4: Notify. List who must be told and when: leadership (immediately), cyber-insurance carrier (within 24 hours — most policies require it), legal counsel (before any external comms), affected customers (per regulation, often within 72 hours).
Section 5: Recover. Point to where backups live, who restores them, and the order of restoration (identity first, file servers second, applications third). Include the last known-good backup date so you know how much data you might lose.
Section 6: Contacts box. Name, role, mobile, alternate. Insurance carrier, MSP, legal, executive lead, communications lead. Keep it printed and posted — if email is down, you can't pull the contacts out of it.
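The six sections above are a checklist, and a checklist can be checked mechanically before each tabletop. What follows is an added example, not code from the original post or from Longsword: a small Python checker that holds the one-page plan as a plain dict and reports which sections are incomplete against the rules stated above (primary plus backup first call, three containment actions, notification deadlines, restore order, freshness of the last known-good backup, and a full contacts box). The field names, the sample plan, every name and phone number in it, and the MAX_BACKUP_AGE_DAYS tolerance are assumptions made for this example.

```python
"""Added example, not from the original post: check a one-page IR plan, held as a
plain dict, against the six sections above. The field names, the sample plan and
MAX_BACKUP_AGE_DAYS are assumptions made for this example."""
from datetime import date, datetime

# Constructed sample plan; every name and phone number is a placeholder.
SAMPLE_PLAN = {
    "detection_triggers": [
        "ransomware notice on a screen",
        "suspicious wire-transfer email",
        "account lockouts across multiple users",
        "missing files",
        "customer reports of fraud",
    ],
    "first_call": {"primary": "Cody 555-0142", "backup": "MSP 555-0199"},
    "contain": [
        "disconnect affected machines from the network; do not power off",
        "disable suspected user accounts in the identity provider",
        "do not pay, do not delete, do not communicate with the attacker",
    ],
    # Hours after detection by which each party must be told; 0 = immediately.
    "notify": {
        "leadership": 0,
        "cyber-insurance carrier": 24,
        "legal counsel": 24,
        "affected customers": 72,
    },
    "recover": {
        "backup_location": "offline NAS in the server closet (placeholder)",
        "restore_order": ["identity", "file servers", "applications"],
        "last_known_good_backup": "2024-05-01",
    },
    "contacts": [
        {"name": "Cody West", "role": "executive lead", "mobile": "555-0142", "alternate": "555-0143"},
        {"name": "Example MSP", "role": "MSP", "mobile": "555-0199", "alternate": "555-0198"},
        {"name": "Example Insurer", "role": "insurance carrier", "mobile": "555-0150", "alternate": "555-0151"},
        {"name": "Example Counsel", "role": "legal", "mobile": "555-0160", "alternate": "555-0161"},
        {"name": "J. Doe", "role": "communications lead", "mobile": "555-0170", "alternate": "555-0171"},
    ],
}

REQUIRED_ROLES = {"insurance carrier", "MSP", "legal", "executive lead", "communications lead"}
RESTORE_ORDER = ["identity", "file servers", "applications"]
NOTIFY_LIMITS_HOURS = {"leadership": 0, "cyber-insurance carrier": 24, "affected customers": 72}
MAX_BACKUP_AGE_DAYS = 7  # assumed tolerance; tune it to your own backup schedule


def backup_age_days(iso_backup_date, iso_today):
    """Days between the last known-good backup and today, i.e. how much data you might lose."""
    if not iso_backup_date:
        return None
    backup = datetime.strptime(iso_backup_date, "%Y-%m-%d").date()
    today = datetime.strptime(iso_today, "%Y-%m-%d").date()
    return (today - backup).days


def check_plan(plan, today=None):
    """Return a list of gaps found in the plan; an empty list means the page is complete."""
    today = today or date.today().isoformat()
    gaps = []
    # Section 1: something must trigger the plan.
    if not plan.get("detection_triggers"):
        gaps.append("Section 1: no detection triggers listed")
    # Section 2: one name, one number, one backup.
    first_call = plan.get("first_call", {})
    for key in ("primary", "backup"):
        if not first_call.get(key):
            gaps.append(f"Section 2: first call has no {key}")
    # Section 3: exactly three containment actions, in priority order.
    if len(plan.get("contain", [])) != 3:
        gaps.append("Section 3: containment must list exactly three ordered actions")
    # Section 4: deadlines exist and are within the limits the page states.
    notify = plan.get("notify", {})
    for party, limit in NOTIFY_LIMITS_HOURS.items():
        hours = notify.get(party)
        if hours is None:
            gaps.append(f"Section 4: no deadline for {party}")
        elif hours > limit:
            gaps.append(f"Section 4: {party} deadline of {hours}h exceeds {limit}h")
    if notify.get("legal counsel", 999) > notify.get("affected customers", 0):
        gaps.append("Section 4: legal counsel must be notified before affected customers")
    # Section 5: where backups live, the restore order, and how stale the backup is.
    recover = plan.get("recover", {})
    if not recover.get("backup_location"):
        gaps.append("Section 5: backup location missing")
    if recover.get("restore_order") != RESTORE_ORDER:
        gaps.append("Section 5: restore order must be identity, file servers, applications")
    age = backup_age_days(recover.get("last_known_good_backup"), today)
    if age is None:
        gaps.append("Section 5: last known-good backup date missing")
    elif age > MAX_BACKUP_AGE_DAYS:
        gaps.append(f"Section 5: last known-good backup is {age} days old (limit {MAX_BACKUP_AGE_DAYS})")
    # Section 6: every contact complete, every required role present.
    roles_seen = set()
    for contact in plan.get("contacts", []):
        for key in ("name", "role", "mobile", "alternate"):
            if not contact.get(key):
                gaps.append(f"Section 6: contact {contact.get('name', '?')} missing {key}")
        roles_seen.add(contact.get("role"))
    for role in sorted(REQUIRED_ROLES - roles_seen):
        gaps.append(f"Section 6: no contact listed for role '{role}'")
    return gaps


if __name__ == "__main__":
    for gap in check_plan(SAMPLE_PLAN) or ["no gaps found"]:
        print(gap)
```

Run it as-is and the only gap it reports is the stale sample backup date, which is the point: the "last known-good backup" line on the page goes out of date quietly, so a check like this belongs in the twice-yearly tabletop, or in a scheduled job, so the printed page never promises a recovery point that no longer exists.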
Test it twice a year. A 30-minute tabletop — "ransomware on the file server, what do we do?" — will reveal more gaps than any audit. Update the page after each test. Want a fillable one-page IR template tailored to your business? Contact Longsword Security and we'll send one over.
Authored by Cody West, Owner and Cybersecurity Manager at Longsword
Cody is a father, husband, man of God, and home project destroyer. With one boy, and almost three girls, he leads a busy life. Starting Longsword to help protect small businesses from evil-doers, he writes these blogs and even this “About the author” to help drive traffic to the company’s website and hopefully help someone along the way. With a passion for people and a deep-rooted desire to keep bad people from doing bad things to good people, he spends a great deal of his time worrying about people he has never met.