Lesson 06 of 12
Noel G Alexander: Alright, welcome back to “How Secure Is Your Business – Really?” I’m Noel Alexander, and if you’ve been following along, you know we’ve covered just about everything from managing your digital assets to toughening up your access controls—actually, last episode, we spent a TON of time breaking down what strong data protection really looks like for SMBs. But here’s the thing: No matter how good your governance, your backups, your passwords—I gotta say this—sooner or later, something’s gonna slip past your defenses. It’s not about ‘if’, but ‘when’. And today, we’re tackling exactly that: What do you actually do when an incident happens?
Noel G Alexander: So, incident response planning—let’s make this less intimidating, OK? The best way I describe it is… it’s like a fire drill for your business, but instead of running for the exit, you’re mobilizing your team, making calls, shutting down just the right systems, all so you can contain and recover from a cyber attack as painlessly as possible.
Noel G Alexander: Every plan starts by setting clear roles. I’m talking who’s the incident commander—sometimes it’s the IT manager, sometimes it’s the boss themselves. Who’s wrangling the technical details, who’s communicating with staff, maybe even handling the media if things get messy, and—this is one folks skip—who’s looped in from legal? And all this is useless without predefined escalation paths. You gotta know the difference between, like, spam and something that calls for the CEO. I always say, “Don’t have your junior IT guy call the police unless you’re certain!”
Noel G Alexander: Communication channels, big deal here. And I hope this doesn’t surprise anyone, but email probably isn’t your best friend in a cyber crisis. Always plan for an alternative, because if your mailbox is the one getting ransomed, you’re outta luck. Use secure messengers, even phone trees if you gotta go old school.
Noel G Alexander: I remember—this was years ago—a financial services client dealt with a nasty phishing campaign where nobody had a clue who was supposed to take charge. IT’s rebooting servers, execs are panicking, customers are blowing up the phones. By the time they sorted it out, the attack had already spread. That pain led to them building a solid plan, and next time, it took them hours, not days, to contain the threat. Amazing what a little clarity can do.
Noel G Alexander: And you know, my first hands-on experience with helping an organization map out their IR plan—this was a local nonprofit, super lean team, not techies at all. We sat in a room, whiteboarded out “Who does what”, how to talk to staff, what steps to follow. Suddenly, everyone, even the ones who barely check their email, understood they could help steer the ship in a crisis. That’s what you want: simple, accessible plans written in plain language, and stored somewhere you can reach them if, say, your server just went “poof”.
Noel G Alexander: So let’s talk detection and containment. This is, honestly, where most SMBs stumble—not because they don’t care, but because they don’t know what to look for or how to tell “something’s weird” from “oh wow, bad guys are already inside.” The key is early detection. If you don’t spot an incident fast, your response plan doesn’t even matter—you’ll just be mopping up a much bigger mess.
Noel G Alexander: I like to break it down: You need to know your network’s normal—what apps talk where, who logs in at what hours, how much traffic you see flying around. Start simple. Indicators of Compromise—those little “clues” like repeated failed logins at 2 a.m., files getting accessed that shouldn’t, odd data spikes in the logs… They’re like smoke signals, telling you something’s cooking.
Noel G Alexander: Now, it doesn’t need to be an expensive SIEM system—but a logging platform, some endpoint detection, that’ll help highlight the noise. But don’t automate everything and tune out—automated tools are great, but you still want a set of human eyes to review those critical alerts before pulling the fire alarm.
Noel G Alexander: I’ll give you two quick stories here—a tale of two breaches. First, an e-commerce company picks up strange spikes in late-night database queries. Luckily, their analyst recognized it as a possible SQL injection, jumped in, and blocked it before real harm was done. Contrast that with a regional hospital that got hit with ransomware. Instead of pulling the plug on everything, they followed their IR playbook, isolated the infected areas, swapped to—get this—paper for a bit, and restored from clean backups. Boom, back up in just three days, which, in healthcare, is miraculous. Both cases? Early notice, decisive action.
Noel G Alexander: It always comes back to the question: does your staff know what “normal” looks like? Can they spot weird behavior fast enough? This is why training really matters—it’s not about knowing every technical detail, but just knowing something’s off so alarms get raised sooner. And by the way, if you don’t have a playbook for things like ransomware or insider threats—start now. The more you prep, the less panic when something actually goes down.
Noel G Alexander: Alright, so you’ve got a plan, you’ve got some monitoring. Now comes the part too many folks skip: actually practicing what’s on paper. Honestly, a written plan is only as good as your last test. Reading the binder won’t cut it—walking through real scenarios is what transforms “theory” into “muscle memory.”
Noel G Alexander: Tabletop exercises—these are like, “Hey, what would we do if someone tricks the receptionist into clicking a bad link?” You walk it through, step by step, right in the conference room. Then you move up to red team drills—like simulated hacks—and blue team drills for defenders. And let me say, I ran a surprise tabletop at a client’s board retreat once. Fun fact: senior leaders often think they’ll ace it, but some of the best responses actually came from admins and, believe it or not, the facilities guy who remembered how to manually disconnect the Wi-Fi. You’d be shocked what you learn when the pressure’s on.
Noel G Alexander: Then, metrics. Two you hear a lot: MTTD—Mean Time to Detect. MTTR—Mean Time to Respond. It’s how you figure out if you’re actually getting better. I saw a SaaS company move from a dismal 10-day response down to 36 hours in under two years, and they did that by doing after-action reviews on every incident and tweaking what didn’t work. Sometimes, it’s about tightening up communication. Other times, simple automation—like auto-blocking known phishing domains—gave them a win.
Noel G Alexander: If you take nothing else from this, let it be this: keep testing, measure everything you can, and when you blow it? Document what happened, fix it, and share those lessons with everyone. It’s not about having a perfect plan on day one—it’s getting better, one incident, one drill at a time. And, hey, don’t forget, continuous improvement is a team sport. If someone else in your organization finds a better way—run with it!
Noel G Alexander: So, there you have it: real incident response is about readiness, not perfection. More details can be found in my book A Simple Guide to Cybersecurity for Small and Medium-sized Businesses, available on Amazon. For a complimentary copy, send an email request with your name, phone number, and company name to noelga@vastmanagementcorp.com. We’ll keep digging even deeper in our next episodes—security awareness and training. Thanks for listening.