How to Create a Cyber Incident Response Plan in One Afternoon: A Template for Irish SMEs
What if a cyber-attack hit your business tomorrow? A 2023 report by Cyber Ireland revealed that 47% of Irish SMEs suffered a cyber-attack in the last year, with the average cost hitting €8,500, a figure that doesn't even account for reputational damage [1]. For a small business in Sligo, that could be catastrophic. The single most important factor determining whether your business survives a breach is not the sophistication of the attack, but the speed and effectiveness of your response.
The First Call: Who to Contact Immediately
When the worst happens, panic is the enemy. Your first hour is critical, and knowing exactly who to call is half the battle. Your incident response plan should have no ambiguity, just clear, sequential steps. The first page of your plan should be a simple contact sheet. This isn't the time to be scrolling through your phone; you need a printed list of emergency contacts.
This list must include your IT provider or internal IT lead, your solicitor (especially one with experience in data breaches), your insurance broker, and the relevant authorities. In Ireland, this means having the contact details for the National Cyber Security Centre (NCSC) for an early warning and the Data Protection Commission (DPC) for mandatory reporting. A solicitor in Donegal who understands the local business landscape can be an invaluable asset in these initial moments.
First Actions: Isolate, Don't Obliterate
The initial technical response can make or break the investigation. The most common mistake we see is well-meaning staff immediately shutting down an affected machine. This is the digital equivalent of wiping away fingerprints at a crime scene. Modern malware is designed to erase itself, and powering down a system destroys the contents of volatile memory (RAM), which often hold the critical clues needed to understand the attack.
Instead, the first action should always be to isolate the affected system from the network. Disconnect the network cable or disable the Wi-Fi. This contains the threat, preventing it from spreading to other machines on your network. Your plan must state in bold letters: DO NOT POWER OFF AFFECTED SYSTEMS. This simple instruction can save your IT team—and any external forensic investigators—days of work and dramatically increase the chances of a successful recovery.
Communication Strategy: Who to Tell, and When
Once the immediate technical steps are underway, your focus must shift to communication. A poorly handled communication strategy can cause more long-term damage than the breach itself. Your plan needs two distinct communication streams: internal and external. Internally, you need to inform your staff quickly and clearly. They need to know what has happened, what it means for them, and what they should or shouldn't do. This prevents rumours and ensures your team presents a united front.
Externally, the situation is more delicate. Depending on the scale and nature of the breach, you may need to inform customers, suppliers, and potentially the press. For customer-facing businesses, like a popular Donegal hotel that suffers a booking system breach, proactive and honest communication is vital. Your plan should have pre-drafted templates for these communications. Transparency, guided by legal advice, is your best policy. It builds trust and demonstrates that you are in control of the situation, even when facing a significant challenge.
The Recovery Phase: Restoring and Rebuilding
Containing the threat is only the beginning. The next phase is recovery, and this is where your investment in backups pays off. Your incident response plan must detail the process for restoring data and rebuilding affected systems. This isn't just about having backups; it's about having tested them. A common and painful discovery for many businesses is that their backups were incomplete, corrupted, or not configured correctly.
Your plan should specify the location of your backups, the steps to restore them, and who is responsible for this process. It should also outline the process for verifying that the restored systems are clean and secure before they are brought back online. A tested backup is the only backup you can truly rely on. For a business in a remote area like Sligo, where on-site IT support might take longer to arrive, having a robust, well-documented, and tested remote recovery process is a critical lifeline.
| Common Mistake | The Pragmatic Solution |
|---|---|
| Powering down infected systems | Isolate from the network; keep the system running for forensic analysis. |
| No clear contact list | Create a one-page printed contact sheet with all key internal and external contacts. |
| Untested backups | Regularly test your backup restoration process to ensure data integrity. |
| Delayed reporting to authorities | Know your legal obligations: NCSC (24h early warning), DPC (72h notification). |
| No communication plan | Prepare internal and external communication templates in advance. |
Reporting Obligations: The Ticking Clock
In the aftermath of a cyber incident, Irish businesses operate under a strict legal timeline. Failure to comply can lead to significant fines from the Data Protection Commission, adding financial injury to the operational insult of the breach. Your incident response plan must have a dedicated section on these reporting obligations, because the clock starts ticking the moment you become aware of a potential breach.
Under the GDPR, if personal data is involved, you have a 72-hour window to notify the DPC. For organisations falling under the NIS2 Directive, there's an even tighter 24-hour deadline to submit an early warning to the NCSC. Your plan needs to clearly outline the criteria for reporting and the exact steps to take. Assigning a specific person the responsibility for making these reports is essential to ensure they get made. This isn't a task to be delegated in the heat of the moment. For more on key terms, see our glossary.
Download Your One-Page Template
To help you get started, we've created a simple, one-page Incident Response Plan template for Irish SMEs. It covers the essential first steps and provides a framework you can adapt to your specific business needs. You can download it here: One-Page IRP Template (PDF). For more articles and insights, visit our blog.
References
[1] Cyber Ireland. (2023). Cyber Ireland Annual Report 2023. Available at: https://cyberireland.ie/wp-content/uploads/2023/11/Cyber-Ireland-Annual-Report-2023.pdf