The Cyber Response Plan That Actually Works


When a cyber incident hits, the glossy documentation is often useless. 

Not because people don’t care, or didn’t try. But because these plans are usually written in silos – driven by compliance checklists, borrowed templates, or sheer optimism.

We’ve seen it all. The over-engineered 52-page “strategy” no one’s read. The plan that names people who no longer work at the company. Or worse, no plan at all.

The reality? It’s not the document that matters. It’s the thinking behind it.

So, what actually works when the pressure is on?

The Problem With Over-Planning

Let’s be honest. Many organisations love the idea of covering every possible threat scenario. A playbook for every permutation of ransomware, phishing, insider threats, you name it.

But these often fall apart under real-world conditions.

Why?

Because they neglect the fundamentals: fast access to the right information, clearly defined roles, and rapid decision-making authority.

Imagine your security systems are like CCTV cameras. It’s not enough to install them. Are they turned on? Facing the right direction? Can you retrieve last Tuesday’s footage within minutes if something looks off?

That’s where most plans break down – not in the theory, but in the execution.

Why Speed Is Everything

During a real incident, time is your most limited resource. You’ll face questions like:

  • Who needs to know right now?
  • Can we access the affected systems?
  • How long will it take to review logs?
  • Who’s authorised to shut things down?

If the answer to any of those is “I’m not sure” or “we’ll figure it out”, you’re already on the back foot.

The organisations that respond well aren’t the ones with the fanciest paperwork. They’re the ones who’ve had honest, practical conversations ahead of time. Who’ve tested their response under realistic conditions. Who’ve rehearsed, refined, and reworked their plans for usability.

And here’s the good news: you don’t need a perfect plan. You need an actionable one.

Here’s how to build it.

1. Know What You’re Protecting

Before you can protect anything, you’ve got to be clear on what really matters.

Take stock of your critical assets – systems, data, tools, and processes. Then ask yourself: If this went down or got compromised, how much damage would it do?

You don’t need to wrap everything in bubble wrap. But the parts of your business that keep things running – like customer data, payment systems, or your main operational platform – those are the ones that need your focus.

Prioritise what’s essential. Link it to your recovery plans. 

And don’t treat it as a one-off exercise: revisit it regularly as your setup changes.

2. Assign Roles (And Backups)

When something goes wrong, you don’t want people hesitating or asking who’s in charge.

Assign clear roles now:

  • Who leads?
  • Who talks to customers?
  • Who makes the tough calls at 2am?

For every key role, assign a named individual – and a backup. Don’t leave it to chance or assume someone will “just handle it”.

Because here’s the thing: people go on holiday. They get ill. They might even leave the company. So your response plan needs to work even if your first-choice team is unavailable.

The best plans bake in that resilience by design, not after the fact.

3. Monitor the Right Alarms

You can’t respond to something you never saw coming. That means defining your threat detection sources now, not during a breach.

Start by understanding where threats are likely to show up. That could be:

  • Alerts from your antivirus or xDR system
  • A spike in login failures picked up by your SIEM
  • An email from a user saying, “This looks weird”
  • A partner flagging suspicious traffic to your systems

Whatever you use, make sure someone’s watching and knows when to escalate.

And one more thing: don’t overcomplicate it. You don’t need dashboards for the sake of it. You need visibility that drives action. 
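To show what “visibility that drives action” can look like for one of the sources above, here is an added example (not code from the original post or from Cyber Alchemy): a small detector that reads SIEM-style authentication lines and flags an account with a spike of failed logins, noting whether a successful login followed the spike. The log format, threshold and sample lines are all constructed for the example.

```python
"""Added example: login-failure spike detection over constructed auth log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real data) in "timestamp user source outcome" form.
SAMPLE_LOG = """\
2024-03-05T09:00:01 alice 10.0.0.5 FAILURE
2024-03-05T09:00:04 alice 10.0.0.5 FAILURE
2024-03-05T09:00:07 alice 10.0.0.5 FAILURE
2024-03-05T09:00:09 alice 10.0.0.5 FAILURE
2024-03-05T09:00:12 alice 10.0.0.5 FAILURE
2024-03-05T09:00:15 alice 10.0.0.5 SUCCESS
2024-03-05T09:03:00 bob 10.0.0.9 FAILURE
2024-03-05T09:30:00 bob 10.0.0.9 FAILURE
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source, outcome)."""
    ts, user, source, outcome = line.split()
    return datetime.fromisoformat(ts), user, source, outcome


def find_failure_spikes(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {user: spike} for each account with >= threshold failed logins
    inside a sliding time window. A success shortly after the spike is
    recorded too, because that is the case to escalate first."""
    recent = defaultdict(deque)  # user -> failure timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, source, outcome = parse_line(line)
        if outcome == "SUCCESS":
            if user in alerts and ts - alerts[user]["end"] <= window:
                alerts[user]["success_after"] = True
            continue
        if outcome != "FAILURE":
            continue  # ignore anything that is not a login attempt outcome
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"start": q[0], "end": ts, "count": len(q),
                            "source": source, "success_after": False}
    return alerts


if __name__ == "__main__":
    for user, spike in find_failure_spikes(SAMPLE_LOG).items():
        print(user, spike)
```

Two isolated failures half an hour apart (bob) stay quiet, while five failures in eleven seconds followed by a success (alice) are the kind of alert someone needs to be watching for and know how to escalate.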


4. Get Serious About Your Logs

When an incident hits, your logs are often the only way to answer the big questions:

What happened? When did it start? What systems were affected? How far did it spread?

Without that information, you’re left guessing. And in a fast-moving situation, guessing is dangerous.

Unfortunately, many companies don’t realise how messy or incomplete their logging is until it’s too late. Logs might be spread across systems, too old to be useful, or stored in ways that make them painfully slow to retrieve.

So, ask yourself:

  • Do we know where our logs are?
  • Are they centralised and easy to search?
  • How long do we keep them?
  • Can we get what we need quickly?

5. Prepare Emergency Controls 

In a real incident, you won’t have time to weigh up your options. You’ll need to act.

That’s why every response plan needs a shortlist of immediate containment actions you can take without hesitation.

Can you:

  • Shut down a compromised system quickly?
  • Revoke access for a suspicious user?
  • Disable a third-party integration?
  • Trigger a company-wide password reset?

These should be clearly documented and ready to execute. There’s no point having a process if only one person knows how to do it, or if it’s hidden away in a spreadsheet no one’s opened since 2019.

6. Run Real-Life Scenarios

Tick-box exercises don’t cut it.

Instead, simulate real incidents with your actual team. Try things like:

  • A key supplier’s systems go down
  • Your finance director gets phished
  • Ransomware locks your systems before payday

Walk through the full response, from detection to communication to recovery. 

See how people actually behave under pressure. You’ll quickly spot gaps: in knowledge, in tools, in handover points.

That’s where the real value is.

7. Sort Out Your Reporting Plan

Let’s talk about the bit no one wants to think about: what happens when you have to go public.

Whether it’s UK GDPR, regulatory obligations, insurance cover, or just basic customer trust, your external communication matters. And the way you handle it under pressure can make or break your reputation.

You should already know:

  • Who you need to inform
  • How fast you need to do it
  • What you’re going to say

Have a messaging template ready. You’ll likely need to tweak it depending on the situation, but you don’t want to start from scratch under stress.

Also, don’t forget your internal team. Staff shouldn’t find out about a breach from the BBC.

Get These Right, and You’re Already Ahead

A simple plan that actually works in a crisis is worth far more than a complicated one no one can follow.

Put these core steps in place, and you’ll be better prepared than most businesses out there. 

Need a Hand?

At Cyber Alchemy, we’ve helped companies of all sizes run live simulations, review their plans, and make real improvements that hold up in crisis conditions.

If you’d like help building or refining your own incident response plan, or just want to test how well your team would handle a real incident, contact us today.

Let’s build a plan that you can actually use.
