Incident Response Playbooks: Creating Simple Step-by-Step Guides for Common Crises.
A general incident response plan tells you the principles of how to respond to a cyber incident. It describes roles, escalation paths, and communication principles. It is a valuable document.
But when ransomware activates at 7am and the managing director is in the car park talking to staff who cannot get into the building, what they need is not a principles document. They need a numbered list: step one, do this. Step two, call this number. Step three, do not do this.
A playbook is that numbered list. It is specific to a single scenario, written in the simplest possible language, and designed to be followed by someone under pressure who may never have dealt with anything like this before. A good incident response programme has three to five playbooks, each covering a specific scenario, in addition to the general plan.
What Is a Playbook?
A playbook is a short, scenario-specific, step-by-step guide that tells a named person exactly what to do in a specific crisis — written for execution, not for reference.
Unlike a general incident response plan, a playbook does not explain why each step is taken. It does not describe principles. It does not allow for judgement calls at each step. It is a checklist, written at the right level of detail for the person who will follow it, covering the first two to four hours of the scenario.
Five scenarios are the most likely to need a playbook in an Irish SME: ransomware or system encryption; business email compromise or a fraudulent payment instruction; a data breach or unauthorised access to data; accidental data loss; and a physical security incident affecting IT equipment. Most Irish SMEs need playbooks for the first two or three of these.
The Ransomware Playbook
Who follows this: The person who discovers the incident or the first manager to arrive.
Step 1. Do not turn off any infected devices. Do not attempt to clean or restore them. Photograph the screen showing the ransom message.
Step 2. Physically disconnect the affected devices from the network: unplug the Ethernet cable and switch off Wi-Fi on each affected device, leaving the device itself powered on. If you cannot tell which devices are affected, disconnect the whole network at the router, including its internet connection.
Step 3. Call [IT Provider Emergency Number] on [phone number stored here]. Use this number only, not the standard support email. Tell them ransomware has been detected, devices have been isolated from the network, and you need immediate assistance.
Step 4. Call [Cyber Insurer Claims Line] on [claims phone number stored here], quoting [policy number stored here]. Report a ransomware incident and follow their instructions.
Step 5. Brief your [named crisis coordinator] who will manage staff communication and client notification. Do not allow any staff member to communicate externally about the incident until the crisis coordinator has approved the message.
Step 6. Do not pay any ransom without explicit instruction from your cyber insurer and legal adviser.
Step 7. Begin documenting: the time the incident was discovered, who discovered it, what was visible on affected systems, what isolation actions were taken and when.
That is a ransomware playbook. Seven steps. No jargon. Executable by a non-technical person at 7am under pressure.
Could your most likely first-responder — the person who arrives at the office first tomorrow morning — follow those seven steps without any additional guidance? If not, the playbook needs to be simpler or needs to be in the hands of the right person. Book a free 20-minute strategy call — we develop playbooks specifically calibrated for Irish SME scenarios.
The Business Email Compromise Playbook
Who follows this: The finance team member or manager who suspects or confirms a fraudulent payment instruction.
Step 1. Do not process the payment, regardless of how urgent the request appears.
Step 2. Call the supposed sender of the instruction on a number you already have on file, never a number given in the suspicious email, and confirm whether the instruction is genuine. Do not reply to the email: if the sender's mailbox has been compromised, the reply goes to the attacker.
Step 3. If the call confirms fraud: notify [named finance manager] and [IT provider] immediately. Do not delete the suspicious email; preserve it, including its headers, as evidence. If the instruction came from a genuine supplier or colleague mailbox, ask the IT provider to check that mailbox for unauthorised logins and forwarding rules.
Step 4. If a payment has already been processed to a fraudulent account: call your bank immediately on its fraud line. Request an urgent recall of the payment, and provide the transaction reference, the amount, and the destination account details. Time is critical: many banks can recall or freeze a transfer if contacted within hours.
Step 5. Report to An Garda Síochána online at garda.ie or at your local station if a fraud has been completed.
Step 6. Notify [named management contact]. Assess whether any personal data was accessed or disclosed in the course of the compromise; if so, a GDPR breach assessment is required, and a notification to the Data Protection Commission may be due within 72 hours of becoming aware of the breach.
How to Create Playbooks for Your Business
Each playbook should be written by someone who understands both the scenario and the specific people, systems, and contact details of your business. A generic template is a starting point, not a finished playbook.
For each scenario, ask three questions. Who is most likely to encounter this first? What are the first four actions they should take? What specific contact numbers and policy references will they need?
Write the playbook at that level of specificity. Test it by asking the intended first-responder to walk through the steps aloud. Identify the steps where they pause or ask questions. Revise those steps until they are clear.
Store each playbook in more than one place: printed and laminated in the kitchen or reception area, as a card in the wallet of the crisis coordinator, and as a note in the business's password manager, provided that the password manager can be reached from a phone when the office systems are down. Do not rely on a PDF on the server, which may itself be encrypted by the time it is needed.
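The walkthrough above catches steps that confuse the first-responder; a quick automated check catches the defects that slip through when a template is copied and never finished. The script below is an added example, not part of this article or of Pragmatic Security's material. It reads a playbook written in the layout used above (a title line, a "Who follows this:" line, then "Step N." lines) and reports unfilled [placeholders], a missing owner, a "call" step with no phone number, steps out of sequence, and a step count above an assumed ceiling of seven. The playbook text and the phone numbers in it are constructed for the example and are not real contacts.

```python
"""Playbook checker: flags unfinished scenario playbooks before they are laminated.

Added example, not from the original article. Layout assumed: first line is the
title, a 'Who follows this:' line names the owner, and each action is a line
beginning 'Step N.'; wrapped lines belong to the preceding step.
"""
import re
from dataclasses import dataclass

MAX_STEPS = 7                                   # assumed ceiling; the article's ransomware playbook has seven
PLACEHOLDER = re.compile(r"\[[^\]]+\]")         # an unfilled template token, e.g. [IT Provider Emergency Number]
STEP_LINE = re.compile(r"^Step (\d+)\.\s*(.*)$")
OWNER_LINE = re.compile(r"^Who follows this:\s*(.+)$")
PHONE_DIGITS = re.compile(r"\d[\d ]{5,}\d")     # loose test for a phone number: a run of digits and spaces


@dataclass
class Playbook:
    title: str
    owner: str
    steps: list                                  # list of (step number, step text)


def parse_playbook(text: str) -> Playbook:
    """Split playbook text into title, owner and numbered steps."""
    title, owner, steps = "", "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OWNER_LINE.match(line):
            owner = m.group(1)
        elif m := STEP_LINE.match(line):
            steps.append((int(m.group(1)), m.group(2)))
        elif steps:
            # A line that is not a new step continues the previous step.
            n, body = steps[-1]
            steps[-1] = (n, body + " " + line)
        elif not title:
            title = line
    return Playbook(title, owner, steps)


def check_playbook(pb: Playbook) -> list:
    """Return human-readable findings; an empty list means the playbook passes."""
    findings = []
    if not pb.owner:
        findings.append("no 'Who follows this:' line, so nobody owns the first response")
    if not pb.steps:
        findings.append("no 'Step N.' lines found")
    for n, body in pb.steps:
        holes = PLACEHOLDER.findall(body)
        for hole in holes:
            findings.append(f"step {n}: unfilled placeholder {hole}")
        # A 'call' step with neither a placeholder nor a number sends the reader to look it up mid-incident.
        if body.lower().startswith("call") and not holes and not PHONE_DIGITS.search(body):
            findings.append(f"step {n}: says 'call' but gives no phone number")
    numbers = [n for n, _ in pb.steps]
    if numbers != list(range(1, len(numbers) + 1)):
        findings.append(f"steps numbered {numbers}, expected 1..{len(numbers)} in order")
    if len(numbers) > MAX_STEPS:
        findings.append(f"{len(numbers)} steps; more than {MAX_STEPS} is hard to execute under pressure")
    return findings


# Constructed sample: a half-finished ransomware playbook. All numbers are fictional.
SAMPLE_PLAYBOOK = """\
Ransomware playbook
Who follows this: The person who discovers the incident or the first manager to arrive.
Step 1. Do not turn off any infected devices. Photograph the screen showing the ransom message.
Step 2. Unplug the Ethernet cables and disable Wi-Fi on affected devices. If you cannot tell
which devices are affected, disconnect everything at the router.
Step 3. Call the IT provider emergency line on 01 234 5678 (constructed number).
Step 4. Call [Cyber Insurer Claims Line] and quote policy number [policy number stored here].
Step 5. Brief the crisis coordinator on 087 123 4567 (constructed number).
Step 6. Call the managing director.
Step 8. Begin documenting: time discovered, who discovered it, what was visible.
"""

if __name__ == "__main__":
    for finding in check_playbook(parse_playbook(SAMPLE_PLAYBOOK)):
        print("FINDING:", finding)
```

Run it against the sample and it reports the two placeholders left in step 4, the missing number in step 6, and the jump from step 6 to step 8; a finished playbook returns no findings. Running this over a folder of playbooks before each reprint is a cheap way to keep the laminated copies honest.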
What Next
Identify the three scenarios most likely to affect your business. For most Irish SMEs these are ransomware, payment fraud, and data breach. Write a playbook for each.
Test each playbook with a five-minute walkthrough. Ask the intended first-responder to read it aloud. Note where they pause or ask questions. Revise accordingly.
Store playbooks somewhere accessible without digital systems. Laminated card in a physical location. The value of a playbook stored on the encrypted server is zero when the server is encrypted.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- How to Prepare for a Cyber Incident: Who Does What in the First 24 Hours
- Using Tabletop Exercises to Rehearse Cyber and Business Disruption Scenarios
- How to Build a Simple, Tested Business Continuity Plan
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.