Incident Response Planning for SMBs: Because Hope Isn't a Strategy
Here’s a statistic that should make every small business owner uncomfortable: according to the Australian Cyber Security Centre’s Annual Cyber Threat Report, a cybersecurity incident is reported every six minutes in Australia. And those are just the ones that get reported.
Yet when I talk to SMB owners about their incident response plan, the most common answer is a blank stare followed by “we’d call our IT guy.” That’s not a plan. That’s a hope.
Let me be blunt: if your business relies on digital systems (and which business doesn’t in 2026?), you need a documented incident response plan. Not a 200-page enterprise framework. Not something that requires a dedicated security operations center. A practical, right-sized plan that tells your people what to do when — not if — something goes wrong.
What an Incident Response Plan Actually Is
An incident response plan (IRP) is a documented set of instructions that tells your organisation how to detect, respond to, and recover from security incidents. Think of it as the fire evacuation plan for your digital assets.
Just like you wouldn’t expect employees to figure out fire exits during an actual fire, you shouldn’t expect them to figure out cybersecurity response procedures during an actual breach.
The Six Phases Every Plan Needs
The framework most professionals follow comes from NIST’s Computer Security Incident Handling Guide. Here’s how it breaks down for a smaller organisation:
1. Preparation
This is everything you do before an incident happens. It includes:
- Identifying your critical assets. What data and systems would cause the most damage if compromised? Customer records? Financial systems? Your e-commerce platform?
- Setting up basic monitoring. You can’t respond to what you can’t see. Enable logging on firewalls, email systems, and cloud services at minimum.
- Establishing communication channels. Who gets called first? What if your email is compromised and you can’t use it to coordinate? Having backup communication methods (a WhatsApp group, a phone tree) matters more than people think.
- Training your team. Everyone should know what a phishing email looks like and who to report suspicious activity to. Annual training isn’t enough — quarterly refreshers make a measurable difference.
2. Identification
How do you know you’ve been breached? Sometimes it’s obvious — ransomware announces itself. But many incidents are subtle: unusual login patterns, unexpected data transfers, systems running slower than normal.
Your plan should define:
- What constitutes a potential incident
- Who is responsible for initial triage
- What monitoring tools and alerts are in place
- How to document what you’re seeing
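To make the Identification phase concrete, here is an added example (not code from the article or from any vendor) of the kind of first-look check an SMB can run over its own authentication logs: it flags the “unusual login patterns” mentioned above and writes each one up as a triage record with a severity label. The log line format, the thresholds, the business-hours window, the per-user baseline of known IP addresses and the three-step severity ladder are all assumptions; the log lines themselves are constructed using documentation IP ranges.

```python
"""Triage helper for the Identification phase: flags unusual login
patterns in an authentication log and produces a first-look incident record.

Constructed example for this article, not the article's own or any
vendor's tooling. The log format, thresholds, business-hours window,
known-IP baseline and severity ladder are assumptions to be tuned.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<timestamp> login user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5                 # failures from one source before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # failures older than this are forgotten
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time counts as "in hours" (assumed)

# Constructed baseline: the addresses each user normally signs in from.
KNOWN_SOURCES = {
    "jane": {"198.51.100.10"},
    "raj": {"198.51.100.10", "198.51.100.22"},
}

# Constructed sample log (local time, chronological).
SAMPLE_LOG = """\
2026-03-02 02:10:05 login user=raj src=203.0.113.45 result=FAIL
2026-03-02 02:10:21 login user=raj src=203.0.113.45 result=FAIL
2026-03-02 02:10:40 login user=raj src=203.0.113.45 result=FAIL
2026-03-02 02:11:02 login user=raj src=203.0.113.45 result=FAIL
2026-03-02 02:11:19 login user=raj src=203.0.113.45 result=FAIL
2026-03-02 02:11:33 login user=raj src=203.0.113.45 result=OK
2026-03-02 09:02:11 login user=jane src=198.51.100.10 result=OK
2026-03-02 13:40:51 login user=jane src=192.0.2.77 result=OK
2026-03-02 17:55:03 login user=raj src=198.51.100.22 result=FAIL
2026-03-02 17:55:20 login user=raj src=198.51.100.22 result=OK
"""


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S")
    return fields


def severity(signals):
    """Assumed severity ladder: a success after a burst of failures is always High."""
    if "brute_force_success" in signals:
        return "High"
    if len(signals) >= 2:
        return "Medium"
    return "Low"


def analyse(log_text, known_sources=KNOWN_SOURCES):
    """Walk the log in order and return one finding per suspicious successful login."""
    recent_failures = defaultdict(deque)  # (user, src) -> timestamps of recent FAILs
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than abort the whole review
        window = recent_failures[(ev["user"], ev["src"])]
        while window and ev["ts"] - window[0] > FAIL_WINDOW:
            window.popleft()  # drop failures outside the time window
        if ev["result"] == "FAIL":
            window.append(ev["ts"])
            continue
        signals = []
        if len(window) >= FAIL_THRESHOLD:
            signals.append("brute_force_success")
        window.clear()  # the burst has been attributed to this success
        if ev["src"] not in known_sources.get(ev["user"], set()):
            signals.append("new_source_ip")
        if ev["ts"].hour not in BUSINESS_HOURS:
            signals.append("off_hours")
        if signals:
            findings.append({
                "time": ev["ts"].isoformat(sep=" "),
                "user": ev["user"],
                "src": ev["src"],
                "signals": signals,
                "severity": severity(signals),
            })
    return findings


def triage_note(finding):
    """Render a finding as the first-look record the plan should require."""
    return (
        f"[{finding['severity']}] {finding['time']} user={finding['user']} "
        f"src={finding['src']} signals={','.join(finding['signals'])} "
        "-- note who noticed it and what was seen, then hand to the triage owner"
    )


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(triage_note(finding))
```

Run against the sample log, the script reports the 02:11 sign-in as High (five failures, an address the user has never used, outside business hours) and the 13:40 sign-in as Low (a new address only), while the one-failure-then-success at 17:55 from a known address produces nothing. The point for the plan is the shape of the output: each record already answers who, what, when and how bad, which is exactly what the person doing initial triage needs in front of them before deciding whether to escalate.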
3. Containment
Once you’ve identified an incident, the priority is stopping it from spreading. This is where having a plan really pays off, because containment decisions made under pressure are often bad ones.
Short-term containment might mean isolating an affected machine from the network, disabling compromised user accounts, or blocking a malicious IP address.
Long-term containment involves setting up temporary fixes that let the business keep operating while you work on the actual problem. Maybe that means spinning up a backup system or rerouting traffic.
The key decision in containment is always the same: how do we stop the bleeding without destroying evidence we’ll need later?
4. Eradication
Find and remove the root cause. If it was malware, make sure it’s gone from every system. If it was a compromised account, reset credentials and check for persistence mechanisms. If it was an unpatched vulnerability, patch it — and check whether the same vulnerability exists elsewhere.
5. Recovery
Bring systems back to normal operations. This means restoring from clean backups, verifying system integrity, monitoring closely for any signs the attacker is still present, and gradually returning to full production.
The emphasis here is on “gradually.” Rushing recovery is how you end up dealing with the same incident twice.
6. Lessons Learned
This is the phase most organisations skip, and it’s arguably the most important. Within a week of resolving an incident, get everyone involved in a room (or a video call) and ask:
- What happened?
- What went well in our response?
- What went poorly?
- What should we change in the plan?
Document it. Update the plan. Then actually implement the changes.
Building Your Plan: Practical Steps
Start with a template. The Australian Cyber Security Centre offers free incident response plan templates designed for Australian businesses. Don’t reinvent the wheel.
Assign roles, not just names. Your plan should define roles like Incident Commander, Communications Lead, and Technical Lead. Then assign specific people to those roles, with backups for each. What happens if your IT manager is on holiday when an incident occurs?
Include contact lists. Your plan should have current contact information for:
- Internal response team members
- Your IT service provider or managed security service
- Your cyber insurance provider (call them early, not late)
- The Australian Cyber Security Centre (1300 CYBER1)
- Legal counsel
- A forensics provider (identify one before you need them)
Define severity levels. Not every incident is a five-alarm fire. A phishing email that got caught by your filter is different from ransomware encrypting your file server. Having defined severity levels helps you scale your response appropriately.
Test it. A plan that sits in a drawer is worthless. Run tabletop exercises — walk through a scenario as a team and see where the plan holds up and where it falls apart. You’ll find gaps you never considered. Do this at least annually, ideally twice a year.
The Cost of Not Having a Plan
IBM’s Cost of a Data Breach Report 2025 found that organisations with an incident response team and a tested plan saved an average of USD $2.66 million per breach compared to those without. For SMBs, the numbers are smaller in absolute terms but potentially more devastating as a percentage of revenue.
Beyond the financial impact, there’s the regulatory angle. The Notifiable Data Breaches scheme under the Privacy Act requires eligible breaches to be reported to the Office of the Australian Information Commissioner. If you don’t have a plan, you won’t even know you need to report until it’s too late.
Don’t Overcomplicate It
I’ve seen businesses avoid creating an IRP because they think it needs to be perfect. It doesn’t. A simple, four-page document that your team has actually read and practised is infinitely better than a comprehensive 50-page plan that nobody knows exists.
Start today. Write down who you’d call, what you’d do first, and where your critical data lives. That alone puts you ahead of the vast majority of small businesses in Australia.
Because the question isn’t whether you’ll face a cybersecurity incident. It’s whether you’ll be ready when it happens.