An IT outage can disrupt a digital business as much as a fire can, but many SMEs don’t have an incident management plan in place for when disaster strikes. Here’s why they should.
Recent events such as the COVID-19 pandemic and subsequent supply chain backup, amongst other business disruptions in Canada, have shown that businesses should prepare for the unexpected, and this can take many forms. Small to midsize enterprises (SMEs) should already have critical safety procedures in place for incidents such as a fire or extreme weather. And if your business deals with large and dangerous equipment, you may also have plans that cover explosions, gas leaks, or other machinery malfunctions that could put human lives in danger and disrupt business operations.
But for other businesses, especially those that mainly operate online, incidents in the virtual realm can be just as disruptive. Server outages, denial-of-service attacks, ransomware, and other cyberattacks threaten to stop transactions altogether and bring revenue to a halt.
In this article, we explore how IT incidents affect online SMEs and explain why these companies should have an incident management plan in place. We also discuss how incident management software can help these firms put a plan together and execute it in an emergency.
What is an incident response plan?
An incident response plan (IRP) is a document that outlines actions, responsibilities, and contingencies for a business in the event of an incident. For the purposes of this guide, we are focusing on IT incidents, defined by the US National Institute of Standards and Technology Computer Security Resource Center as:
“An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”
It may be tempting to think of such incidents as only affecting larger organizations, but SMEs are just as vulnerable. Capterra’s Business Disruptions Survey in 2022, which interviewed managers and owners at Canadian businesses with 250 employees or fewer, found that email-related incidents had happened in over a third of the companies surveyed. 12% had had an account taken over by hackers, and 8% had experienced a ransomware attack within the last 12 months.
It’s not just malicious cyberattacks that can cause such incidents. Natural disasters, outages from suppliers, equipment failure, and simple human error can all cause systems to go offline or not work correctly. The study above revealed that careless employees were the most common risk in SMEs, cited as a top-three vulnerability by 28% of managers surveyed.
Having an incident response plan in place helps an organization detect problems, identify what is happening, quickly mitigate any harm to resume normal operations, and put procedures in place to strengthen defences. An IRP may also contain instructions about communications before, during, and after an incident, which helps all stakeholders understand what’s going on and enables them to act quickly when required.
What are the most important steps in creating an incident response plan?
- Creating your incident response plan starts with a full inventory of the systems that may be affected by an IT incident. You should outline what information these systems store and/or process and determine what value this information has to your business. If these systems (and the information in them) were affected by an incident, what would be the operational, regulatory, and financial impact?
- You will also need to look at the threats or risks that would cause incidents. These might be cyberattacks, natural disasters, employee negligence, or problems with a supplier, for example. In laying out these risks, you may identify single points of failure that can be addressed, or controls you can put in place to reduce some of the risks altogether.
- It is important to clearly specify roles and responsibilities in your IRP, ideally creating a Cyber Incident Response Team (CIRT). When an incident occurs, the right people need to act quickly to get the company operating again, since time spent debating whose job it is can cost you dearly. As part of this, you may also want to think about employees being ‘on call’ to handle incidents that happen outside of working hours. Usually this involves compensating staff members for being contactable in their free time.
- Then your plan needs to outline the responses for various incident types. Often, these look like a recipe with various steps to be taken. For some incidents, a flow chart may be more appropriate, providing guidance for the different scenarios that occur. These processes should be clear and specific, so that responders can move fast. They should contain all the information that might be needed during the response, which might include how-tos, links, or contact information. Of course, this information must be kept up to date and should be reviewed regularly.
- Finally, you will need to communicate your IRP to the relevant stakeholders so they know what to expect. They may need to find alternative ways to work, notify clients, or be part of the response to an incident. You don’t want any surprises when the time comes, so ensure that everyone understands the role they have to play.
What are the benefits of an incident response plan for your business?
An incident response plan isn’t just a box-ticking exercise to satisfy your CIO. Creating one can have a positive impact on your ability to trade and boost the overall value of your business.
Make your business more attractive to investors
SMEs that are seeking funding will know that investment decisions are all about risk. Investors want as good a return as possible on their capital, and will be put off by businesses that don't have safeguards in place to protect revenue. An online business without an incident response plan is admitting that it has not thought about risk and, even worse, it has no business continuity strategy for when something takes it offline.
Ensure more business as usual
IT incidents are as good as guaranteed in any business, but they have the biggest impact on fully digital organizations. An outage, whether that’s caused by a cyberattack, power failure, or network issue, can stop people working, take down your website, and put a complete stop to online transactions (and your revenue streams).
An incident response plan systematically defines how to get back to normal as quickly as possible, so you can resume trading. Some organizations can function without their digital systems, but online businesses can’t. Your IRP will guide you by outlining how to restore data, bring systems back online, and neutralize any threats as soon as possible.
Protect your reputation
Reputation matters, especially to online shoppers. When buying from you remotely, they need to be able to trust your company with their sensitive data, including personal information and payment details. Online shoppers have several ways to gauge trust, and they are keen to see that companies are clear and transparent about how they protect data.
An incident response plan is a crucial tool in any SME’s ‘trust toolkit’. It shows customers that you actively defend their data against breaches, will act fast to mitigate the effects of any attacks, and will communicate openly about the steps you take if an incident occurs.
Show regulators that you take data protection seriously
Data protection legislation is getting stricter around the world. In Canada, businesses must already comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Those who deal with overseas customers may already be familiar with the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). And there are additional rules focusing on specific areas like payments (the Payment Card Industry Data Security Standard, or PCI DSS) and healthcare (such as Ontario’s Personal Health Information Protection Act [PHIPA]).
Complying with these pieces of legislation may require an incident response plan. But even if an IRP is not mandated outright, having such a plan can help prevent breaches, data loss, and data unavailability. IRPs can also help SMEs maintain an audit trail, so if regulators ask about previous activity relating to certain pieces of data, your business will be able to show who has accessed what information and when.
Tips for creating a good incident response plan
1. Don’t reinvent the wheel
Incident response plans are used in thousands of businesses already, and they anticipate most of the typical IT incidents that an SME might encounter. Cybersecurity organizations offer advice to help businesses draw up their IRP. The Canadian Centre for Cyber Security, for example, has useful guidance. Whatever incident you can imagine, there’s a good chance that someone else has written a response plan for it. So do your research, and build on the experience of others.
2. Put it to the test
Just like a fire drill, it pays to test your incident response plan. In fact, testing is an integral part of many IRPs. Doing this at regular intervals will ensure that the plan remains valid even as your IT environment and business change. You can also employ external companies who will carry out these tests for you and provide recommendations for improvement.
3. Consider how software can streamline a response
Digital tools exist to help you prevent, detect, and respond to incidents. Incident management software provides a central platform to log information relating to service issues so that responders have a common understanding of the situation and the steps to be taken. This prevents confusion during what can be a stressful time and helps teams resolve incidents more quickly.