A Ransomware Attack Every 11 Seconds — and Most Victims Had No Plan

When Colonial Pipeline got hit in May 2021, the company paid a $4.4 million ransom within hours. Their CEO later told a Senate committee that the decision was made under extreme pressure, without a well-rehearsed playbook. If a company operating critical U.S. infrastructure can get caught flat-footed, imagine what happens to a 50-person accounting firm or a regional hospital.

That's why you need an incident response plan template — not a dusty binder on a shelf, but a living document your team has actually practiced. I've helped organizations of all sizes build these plans, and the difference between having one and not having one is measured in millions of dollars, weeks of downtime, and sometimes the survival of the business itself.

This post gives you a practical, section-by-section framework you can adapt today. It's based on NIST's Computer Security Incident Handling Guide (SP 800-61 Rev. 2) and what I've seen actually work in the field.

What Is an Incident Response Plan (and What It's Not)?

An incident response plan is a documented, step-by-step set of procedures your organization follows when a security incident occurs — whether that's a data breach, ransomware infection, credential theft, or insider threat. It defines who does what, when they do it, and how they communicate.

It is not a disaster recovery plan. It's not a business continuity plan. Those are related but separate documents. Your incident response plan focuses specifically on detecting, containing, eradicating, and recovering from cybersecurity events.

The $4.88M Reason You Can't Skip This

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. But here's the number that should grab you: organizations with an incident response team and a tested plan saved an average of $2.66 million per breach compared to those without.

That's not a rounding error. That's the difference between weathering a storm and closing your doors. The Verizon 2024 Data Breach Investigations Report (Verizon DBIR) found that 68% of breaches involved a human element — phishing, social engineering, stolen credentials. Your plan needs to account for these realities.

Your Incident Response Plan Template: Six Core Phases

NIST breaks incident response into four phases. I expand it to six because, in practice, you need dedicated sections for preparation and post-incident review. Here's the full framework.

Phase 1: Preparation

This is where 90% of the value lives. Preparation means you've already done the hard work before a threat actor ever touches your network.

  • Assemble your incident response team (IRT). Name specific people: IT lead, legal counsel, communications/PR, executive sponsor, and an external forensics contact. List names, phone numbers, and backup contacts.
  • Inventory your assets. You can't protect what you don't know about. Document critical systems, data repositories, and third-party integrations.
  • Deploy detection tools. EDR, SIEM, network monitoring — make sure they're configured and actively monitored.
  • Train your people. A comprehensive cybersecurity awareness training program ensures employees recognize phishing, social engineering, and suspicious activity before it becomes an incident.
  • Run phishing simulations. Enroll your organization in phishing awareness training to test and reinforce employee readiness against credential theft attacks.
  • Establish communication channels. Encrypted messaging, out-of-band communication methods (in case email is compromised), and pre-drafted notification templates.

Phase 2: Detection and Identification

You can't respond to what you don't see. This phase defines how your organization detects incidents and classifies their severity.

  • Define what constitutes an incident. A single phishing email isn't the same as confirmed data exfiltration. Create a severity matrix: Level 1 (low — isolated malware), Level 2 (medium — compromised user account), Level 3 (high — active data breach or ransomware).
  • Establish detection sources. SIEM alerts, employee reports, threat intelligence feeds, third-party notifications, law enforcement tips.
  • Document initial indicators of compromise (IOCs). IP addresses, file hashes, unusual login locations, unexpected data transfers.
  • Assign a triage lead. One person makes the initial severity call. Decision by committee during a breach wastes critical hours.
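To show what the severity matrix and IOC list look like once they leave the document and meet real alerts, here is a small triage script. It is an illustration I'm adding, not code from the original post or from any product; the `key=value` log format, the IOC values (TEST-NET addresses and a placeholder hash), and the per-user "usual country" baseline are all constructed for the example. It walks a handful of made-up events and assigns Level 1, 2, or 3 using the matrix above, so the triage lead gets one number to act on instead of a pile of raw lines.

```python
"""Triage helper: match constructed log events against an IOC list and
assign the three-level severity from the plan's matrix.
Added example; log format, IOCs and user baselines are constructed."""

# Constructed IOC list. 203.0.113.0/24 is a documentation range and the
# hash is a placeholder, so nothing here is a real indicator.
PLACEHOLDER_HASH = "deadbeef" * 8
IOC_IPS = {"203.0.113.45"}
IOC_HASHES = {PLACEHOLDER_HASH}

# Constructed baseline: countries each user normally logs in from.
KNOWN_GEO = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

# Outbound transfer size (bytes) to a known-bad host that we treat as exfiltration.
EGRESS_THRESHOLD = 100 * 1024 * 1024

LEVELS = {
    1: "low - isolated malware",
    2: "medium - compromised user account",
    3: "high - active data breach or ransomware",
}

# Constructed sample events in a simple "key=value" format.
SAMPLE_LOG = "\n".join([
    "ts=2024-03-01T09:00:00Z event=login user=alice src=198.51.100.7 geo=US result=ok",
    "ts=2024-03-01T09:05:00Z event=login user=alice src=203.0.113.45 geo=RU result=ok",
    "ts=2024-03-01T09:06:00Z event=login user=bob src=198.51.100.8 geo=US result=fail",
    f"ts=2024-03-01T09:07:00Z event=file_exec host=ws-12 user=carol sha256={PLACEHOLDER_HASH}",
    "ts=2024-03-01T09:09:00Z event=egress host=ws-12 dst=203.0.113.45 bytes=734003200",
])


def parse_line(line):
    """Turn one 'k=v k=v ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def classify(ev):
    """Return (level, reason) for one event, or None if nothing matched."""
    kind = ev.get("event")
    if kind == "login":
        if ev["src"] in IOC_IPS:
            return 2, f"login attempt for {ev['user']} from known-bad IP {ev['src']}"
        if ev["result"] == "ok" and ev["geo"] not in KNOWN_GEO.get(ev["user"], set()):
            return 2, f"successful login for {ev['user']} from unusual location {ev['geo']}"
    elif kind == "file_exec" and ev.get("sha256") in IOC_HASHES:
        return 1, f"known malware hash executed on {ev['host']}"
    elif kind == "egress" and ev["dst"] in IOC_IPS and int(ev["bytes"]) >= EGRESS_THRESHOLD:
        mb = int(ev["bytes"]) // (1024 * 1024)
        return 3, f"{mb} MB sent from {ev['host']} to known-bad IP {ev['dst']}"
    return None


def triage(log_text):
    """Scan every line and collect findings, each tagged with its severity level."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hit = classify(ev)
        if hit:
            level, reason = hit
            findings.append({"ts": ev["ts"], "level": level,
                             "label": LEVELS[level], "reason": reason})
    return findings


def overall_severity(findings):
    """The incident's level is the highest level of any finding (0 = nothing found)."""
    return max((f["level"] for f in findings), default=0)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[L{f['level']}] {f['ts']} {f['reason']}")
    print("overall:", overall_severity(found))
```

The point of `overall_severity` is the "one person makes the call" rule: the script proposes a level from evidence, and the triage lead confirms or overrides it. Replace the constructed baselines with whatever your identity provider and EDR actually export, and keep the IOC sets fed from the threat intelligence sources listed above.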

Phase 3: Containment

Speed matters here. The goal is to stop the bleeding without destroying evidence.

  • Short-term containment: Isolate affected systems from the network. Disable compromised accounts. Block malicious IPs at the firewall. If ransomware is spreading, segment the network immediately.
  • Long-term containment: Stand up clean systems for business continuity while forensic analysis continues on compromised machines. Enforce multi-factor authentication across all accounts if credential theft is suspected.
  • Preserve evidence: Image affected drives before wiping. Log all containment actions with timestamps. This matters for law enforcement and potential litigation.
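"Log all containment actions with timestamps" sounds simple, but a log that anyone can quietly edit afterwards is weak evidence. Here is an added example of a small append-only action log where each entry carries the hash of the previous one, so any later edit breaks the chain. This is illustration code, not from the original post or any tool; the actor names, hosts, and timestamps are constructed.

```python
"""Hash-chained containment action log (added example, constructed data).
Each entry includes the SHA-256 of the previous entry, so editing or
removing an earlier record invalidates everything after it."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" for the very first entry


def _digest(body):
    """Canonical JSON (sorted keys) so the same fields always hash the same way."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ContainmentLog:
    def __init__(self):
        self.entries = []

    def record(self, actor, action, target, ts=None):
        """Append one action (who, what, on which system) and return its hash."""
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "target": target, "prev": prev}
        body["hash"] = _digest({k: v for k, v in body.items()})
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Recompute every hash and check the chain; False means tampering or corruption."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            if _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo_chain():
    """Record three constructed actions, then show that an after-the-fact edit is detected."""
    log = ContainmentLog()
    log.record("jsmith", "isolate_host", "ws-12", ts="2024-03-01T09:15:00Z")
    log.record("jsmith", "disable_account", "alice", ts="2024-03-01T09:16:30Z")
    log.record("rlee", "block_ip", "203.0.113.45", ts="2024-03-01T09:18:05Z")
    intact = log.verify()
    log.entries[1]["target"] = "bob"  # simulate someone quietly rewriting history
    return intact, log.verify()


if __name__ == "__main__":
    print(demo_chain())
```

On its own the chain only proves internal consistency; to make it useful for law enforcement or litigation, periodically copy the latest hash somewhere the responders cannot change (a ticket, an email to counsel, a write-once store). Anyone can then confirm the log they are handed ends in that hash.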

Phase 4: Eradication

Containment stops the spread. Eradication removes the threat entirely.

  • Identify the root cause. Was it a phishing email that bypassed filters? An unpatched vulnerability? A misconfigured cloud bucket?
  • Remove all malware, backdoors, and persistence mechanisms from affected systems.
  • Patch the vulnerability or close the attack vector that allowed initial access.
  • Reset all potentially compromised credentials — not just the ones you're sure about.

Phase 5: Recovery

Bring systems back online carefully and with verification.

  • Restore from known-good backups. Verify backup integrity before restoring — threat actors increasingly target backup systems.
  • Monitor restored systems closely for 30-90 days. Re-infection is common when eradication is incomplete.
  • Implement additional zero trust controls: network segmentation, least-privilege access, continuous verification.
  • Communicate status to stakeholders, customers, and regulators as required by your notification obligations.
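"Verify backup integrity before restoring" is the step that separates a recovery from a re-infection. The following is an added example, not code from the post or from any backup product, of the simplest version of that check: record a SHA-256 manifest of every backup file at backup time, then compare the files against it before you restore. The directory layout and file contents are constructed in a temporary directory so the example runs by itself.

```python
"""Backup manifest check before restore (added example, constructed data).
At backup time we write a manifest of SHA-256 digests; before restoring we
confirm nothing was modified, removed, or added. The manifest must live
somewhere the backup system itself cannot overwrite (offline or immutable
storage), otherwise an attacker with backup access can rewrite both."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Backup time: digest every file under backup_dir, keyed by relative path."""
    backup_dir = Path(backup_dir)
    manifest = {str(p.relative_to(backup_dir)): sha256_file(p)
                for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir, manifest_path):
    """Restore time: return {relative_path: problem}; an empty dict means the set is intact."""
    backup_dir = Path(backup_dir)
    manifest = json.loads(Path(manifest_path).read_text())
    problems = {}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != expected:
            problems[rel] = "modified"
    present = {str(p.relative_to(backup_dir)) for p in backup_dir.rglob("*") if p.is_file()}
    for rel in present - manifest.keys():
        problems[rel] = "unexpected"  # files that were not part of the backup set
    return problems


def demo():
    """Build a constructed backup, verify it clean, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        bdir = Path(d) / "backup"
        bdir.mkdir()
        (bdir / "db.sql").write_bytes(b"CREATE TABLE invoices (id INT);\n")
        (bdir / "config.yml").write_bytes(b"retention_days: 30\n")
        manifest = Path(d) / "manifest.json"   # kept outside the backup tree
        write_manifest(bdir, manifest)
        clean = verify_backup(bdir, manifest)
        # Simulate what a threat actor with backup access might do.
        (bdir / "db.sql").write_bytes(b"-- tampered\n")
        (bdir / "config.yml").unlink()
        (bdir / "extra.bin").write_bytes(b"\x00")
        dirty = verify_backup(bdir, manifest)
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "OK")
    print("after tampering: ", after)
```

Run this as a gate in the restore runbook: if `verify_backup` returns anything, the restore stops and the backup set goes to the forensics contact rather than back into production. The same manifest, kept with the evidence, also tells you which backup generation was the last clean one.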

Phase 6: Post-Incident Review (Lessons Learned)

This is the phase everyone skips and then regrets. Within two weeks of incident closure, hold a formal after-action review.

  • What happened? Build a complete timeline from initial compromise to full recovery.
  • What worked in your response? What failed?
  • What changes to detection, prevention, or response procedures are needed?
  • Update your incident response plan template with specific improvements. Document everything.

How Often Should You Test Your Incident Response Plan?

At minimum, twice a year. CISA (cisa.gov) recommends regular tabletop exercises where your IRT walks through realistic scenarios — a ransomware attack on your billing system, a compromised vendor credential, a phishing campaign targeting your C-suite.

I've seen organizations that test quarterly catch issues in their escalation paths, contact lists, and communication templates that would have cost them dearly during a real event. An untested plan is barely better than no plan at all.

Three Mistakes That Destroy Incident Response Plans

1. Vague Roles and Responsibilities

"IT handles it" is not a plan. Your incident response plan template must name specific individuals and their alternates. During a 2 a.m. ransomware attack, nobody should be Googling who to call.

2. Leaving Legal Out of the Loop

Data breach notification laws exist in all 50 U.S. states. GDPR imposes a 72-hour notification window. If your legal team isn't part of your IRT, you're setting yourself up for regulatory penalties on top of the breach itself.

3. Ignoring the Human Element

Your plan addresses technical response, but does it account for the employee who clicked the phishing link? Does it include procedures for security awareness retraining? The best incident response plans loop back into ongoing employee education to prevent recurrence.

Your Next Step: Don't Wait for the Breach

Every organization I've worked with that had a tested incident response plan handled their breach better — faster containment, lower costs, fewer legal consequences. Every one that didn't wished they had.

Take this incident response plan template framework, customize it for your environment, and schedule your first tabletop exercise this quarter. Pair it with continuous employee training: start with a solid security awareness training program and reinforce it with hands-on phishing simulation exercises.

The threat actors aren't waiting. Neither should you.