
1. Why do you need a cyber incident plan?

While having a robust approach to cyber security will protect your business, no business can be sure it is always 100% secure. Therefore, you must develop an incident plan to help you identify and respond to any cyber security breach. This builds the next layer of cyber resilience for your business.

Hacking is a criminal enterprise. Large businesses are more likely to be attacked by nation states and professional criminal groups, whereas SMEs are more likely to be indiscriminately targeted. While a motivated attacker with significant resources may eventually succeed, the steps outlined in Cyber security: the basics can help defend against the majority of attacks. 

The other part of business resilience is being able to recover from attacks with minimum disruption to your business. This is where a cyber incident plan is essential. It will often be included as part of your broader business continuity plan which also covers other possible disruptions.

2. Understanding types of cyber attacks

First, it helps to be aware of the types of threat and attack you might face.

Attackers use a range of methods to access or break into your systems, including:

  • hacking into accounts 

  • exploiting public wifi to intercept information

  • phishing by sending fraudulent emails, messages or phone calls to convince the recipient to click a dangerous link or provide sensitive information - this may be a widespread general attack, or tailored to your organisation.

Another technique is a denial of service attack, where your network is overwhelmed with traffic, leading it to shut down so your legitimate users cannot access it. 

Once your security has been breached, the impact will depend on the motivations of the attacker, for example:

  • infecting devices and systems with malware (malicious software) - such as spyware or viruses, or even ransomware to lock and encrypt files and demand payment for their release

  • hijacking devices - such as cameras to spy on users

  • stealing data - such as user credentials and passwords, personal information or trade secrets

  • fraud - such as encouraging you to pay fraudulent invoices

  • general business disruption - to prevent your business operating.

3. Preparing for incidents

A cyber incident response plan should help you:

  • prepare for a quick response

  • triage incidents so you know how to prioritise

  • decide who should be involved to manage and mitigate the incident.

Cyber Incident Response Pack

CyberScotland provides a Cyber Incident Response Pack produced by the Cyber and Fraud Centre Scotland, which you can use to create a cyber incident plan.

It includes detailed information on the importance of communications and legal implications, and provides a checklist and templates for your business to work through.

The first steps include:

  • identifying your most valuable assets

  • reviewing your IT service contracts 

  • checking your insurance policies. 

Then it focuses on people and communication, such as:

  • who will form your cyber incident response team and the roles they will have

  • how you will train staff so they know what’s expected of them

  • how you will communicate if your business cannot function online

  • what steps you need to take to manage your reputation, e.g. by ensuring your CEO is visibly leading the response and you are prepared with clear and honest information.

Finally, it looks at routine protection, for example:

  • weekly security checks and updates

  • testing that backups are effective and can be restored

  • ensuring your incident plan and key documents are easily accessible in a hard copy.

There is a handy template for logging emergency contacts e.g. your bank, insurance, legal adviser, regulators, PR support, key staff, customers and suppliers.

NCSC guidance

The National Cyber Security Centre (NCSC) also has a step-by-step guide to preparing for incidents and identifying what is happening during one, so you can prevent it becoming worse.

4. Testing your cyber incident plan

Once you have a plan on paper, it’s important to test it to check:

  • can it be easily understood by those who need to use it?

  • can you quickly and effectively communicate to the right people?

  • do your current staff have the skills and capability to implement it - for example, you might know you need to restore backups you’ve taken of your data, but do you know how to do that under pressure?

The NCSC offers a free online resource called Exercise in a Box, which helps small businesses practise their response in the event of a cyber attack.

It includes micro exercises such as:

  • identifying and reporting a phishing email

  • responding to a ransomware attack

  • securing a video conference.

There are tabletop discussion sessions covering the likes of:

  • mobile phone theft and response

  • threatened leaks of sensitive data

  • attacks from unknown wifi networks.

NCSC also offers guidance on how to design your own exercises for the most likely threats you will encounter.

The Cyber and Fraud Centre Scotland has a chargeable service where they can simulate a live incident to help you test your incident response plan.

An important part of testing is gathering lessons learned and using them to update your incident plan or overall approach to cyber security, or to identify any training needs across your organisation. It may also help you decide whether other elements of your plan need to be tested.

5. Cyber insurance

When reviewing your business insurance, consider whether you may need specialist cyber insurance to help you respond to and recover from any unauthorised IT system incident.

This type of insurance may cover:

  • costs incurred when dealing with a security breach 

  • loss of income from business interruption 

  • damage or loss of digital assets and data recovery costs

  • resolving cyber extortion incidents

  • legal costs in the event of privacy breaches.

It may also provide rapid post-incident or cyber forensic support from technical specialists.

The ABI has an overview of what to look for when choosing cyber insurance and common exclusions to be aware of. It also explains how to buy cyber insurance and the sort of information you will need to have to hand.

6. Next steps

When developing your incident response plan, you may identify ways you need to update your approach to cyber security.

You should ensure that reviews and testing of your plan are fixed in the diary so that it is kept up to date.