
Your 5-step Guide to Creating a Cyber Incident Response Plan

A cyber incident response plan (CIRP) is a clearly defined strategy that outlines the steps an organisation needs to take to detect, respond to, contain and recover from a cyber security incident. The purpose of a cyber incident response plan is to minimise the damage of a cybersecurity breach, reduce downtime and ensure compliance with legal obligations.

Why is it important to have a cyber response plan?

A well-prepared cyber incident response plan is designed to help an organisation identify and stop a potential cyberthreat. If the worst should happen, and a cybersecurity breach occurs, then the CIRP enables the company to contain the incident as quickly as possible. In turn, this ensures that the cyber incident recovery process is as smooth and fast as possible, mitigating financial and reputational damage.

As well as protecting a company’s operations and profitability, a business may also have legal obligations under the recently amended Australian privacy laws that a documented CIRP helps it meet.

One of the key updates in the 2024 amendments is the introduction of stricter data security requirements. An organisation must take reasonable steps to protect the personal information it holds, and the amended law makes clear that those steps include measures at both a technical and an organisational level. A written plan for detecting and responding to incidents is one of the organisational measures it is reasonable to expect.


Understanding the phases of a cyber incident response

A well-structured incident response plan follows a phased approach to mitigate risks, contain threats, and help you recover more efficiently. These five phases of an incident response plan should help you build your own CIRP.

Phase 1: Preparation

Taking proactive steps to prepare for a cyberattack will help businesses handle a cyber incident if and when it happens. A few basic steps you can take as a small business include:

  • Establish clear cybersecurity protocols. This might include things such as acceptable use of technology and data handling procedures.
  • Invest in cybersecurity tools, like antivirus and antimalware software, firewalls and multi-factor authentication (MFA).
  • Educate employees to help them understand how to identify threats like phishing scams, malware and deepfakes.
  • Conduct regular risk assessments to identify vulnerabilities in your network, and fix these security gaps before they can be exploited.

Phase 2: Detection

Early detection is key to limiting the impact of a cyber breach. But how do you recognise a cyberattack? If something looks odd or doesn’t feel right, then follow it up. Unusual network activity, unauthorised access attempts and unexpected data transfers may all indicate a security breach. You can only detect what you record, so make sure login attempts, network connections and access to sensitive files are logged and that someone actually reviews those logs.

Phase 3: Analysis

Once a potential cybersecurity breach is detected, an analysis should be undertaken to determine just how to deal with it.

The analysis should establish the severity of the incident, its scope, the affected systems and data, and the method of attack used by the cybercriminals.

Use this hypothetical case study of a cyber incident as an example:

  • Who: Small accounting firm.
  • Incident: Multiple failed login attempts from an unknown location.
  • Analysis: A contracted cybersecurity specialist is hired to investigate the system logs and identifies unauthorised access to sensitive files. They verify which accounts and data were compromised and trace the unauthorised logins back to a phishing email that tricked a staff member into handing over their credentials.
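Detection is easier to show than to describe. The script below is an added illustration and is not part of the original post: it runs a simple rule over a handful of constructed authentication log lines (the log format, user names, IP addresses and "known network" ranges are all hypothetical). It flags any account with five or more failed logins inside ten minutes from an address outside the firm's known networks, and marks the alert as a possible compromise if a successful login from the same address follows. That is the "multiple failed login attempts from an unknown location" signal in the case study, and the follow-on success is what turns a noisy brute-force attempt into something worth treating as an incident.

```python
"""Flag bursts of failed logins from unfamiliar addresses in an auth log."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log lines for this example; the format is hypothetical,
# not the output of any real product.
SAMPLE_LOG = """\
2025-03-03T08:58:12Z LOGIN_FAILED user=jane.smith src=203.0.113.45 reason=bad_password
2025-03-03T08:58:40Z LOGIN_FAILED user=jane.smith src=203.0.113.45 reason=bad_password
2025-03-03T08:59:05Z LOGIN_FAILED user=jane.smith src=203.0.113.45 reason=bad_password
2025-03-03T08:59:30Z LOGIN_FAILED user=jane.smith src=203.0.113.45 reason=bad_password
2025-03-03T09:00:02Z LOGIN_FAILED user=jane.smith src=203.0.113.45 reason=bad_password
2025-03-03T09:00:31Z LOGIN_OK     user=jane.smith src=203.0.113.45
2025-03-03T09:01:10Z LOGIN_FAILED user=bob.lee    src=192.168.10.22 reason=bad_password
2025-03-03T09:02:15Z LOGIN_OK     user=bob.lee    src=192.168.10.22
2025-03-03T14:10:00Z LOGIN_FAILED user=amy.wong   src=198.51.100.9  reason=bad_password
2025-03-03T16:45:00Z LOGIN_FAILED user=amy.wong   src=198.51.100.9  reason=bad_password
"""

# Assumed "known" sources: the office LAN and the firm's VPN range (hypothetical values).
KNOWN_NETWORKS = [ipaddress.ip_network("192.168.10.0/24"),
                  ipaddress.ip_network("10.8.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_FAILED|LOGIN_OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
)


def parse_line(line):
    """Turn one log line into a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def is_known_source(src):
    """True if the address falls inside one of the firm's own networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in KNOWN_NETWORKS)


def find_suspicious_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (user, source) pair that reaches `threshold` failed
    logins within `window` from an unknown address. If a successful login from
    the same pair follows, the alert is marked success_after=True."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = {}
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "LOGIN_FAILED":
            if is_known_source(e["src"]):
                continue  # failures from inside the office are handled elsewhere
            bucket = failures[key]
            bucket.append(e["ts"])
            # Slide the window: drop failures older than `window` before this one.
            while bucket and e["ts"] - bucket[0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold and key not in alerts:
                alerts[key] = {"user": e["user"], "src": e["src"],
                               "failures": len(bucket), "first": bucket[0],
                               "last": e["ts"], "success_after": False}
        elif e["event"] == "LOGIN_OK" and key in alerts:
            # A success after a burst of failures is the "possible compromise" signal.
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_suspicious_logins(SAMPLE_LOG):
        flag = "POSSIBLE COMPROMISE" if a["success_after"] else "brute-force attempt"
        print(f"{a['user']} from {a['src']}: {a['failures']} failures between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} -> {flag}")
```

Run as-is, the script reports one alert: jane.smith from 203.0.113.45, five failures in about two minutes followed by a successful login, which is exactly the pattern the accounting firm in the case study should escalate. bob.lee's single failure from the office LAN and amy.wong's two failures hours apart are ignored. Real systems write logs in different formats (Windows events 4625 and 4624, sshd, cloud sign-in logs), so the parser is the part you would adapt; the windowing and known-network logic carry over unchanged.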


Phase 4: Containment, eradication and recovery

Once a cyberattack has been successfully detected and analysed, businesses need to act as quickly as possible in limiting the damage caused, removing the threat and restoring usual business operations.

It’s possible to contain a cyberthreat by isolating compromised systems to stop it spreading further – for example by disconnecting infected devices from the network or blocking the affected user accounts.

Then, the threat must be eliminated. This means getting rid of any malicious software, fixing the security weaknesses that let it in, and ensuring the attackers can’t get back in. Before wiping or rebuilding anything, preserve the logs and other evidence you will need for the post-incident review and for any reporting obligations.

If we continue with the same hypothetical example of the small accounting firm, Phase 4 of the cyber incident response plan might look like this:

  • Containment: The contracted cybersecurity specialist disconnects the compromised computer from the network and temporarily disables affected accounts to stop unauthorised access.
  • Eradication: They then remove the phishing email from all inboxes and run a full security scan to check for malware. Any compromised passwords are reset and MFA is enforced on the affected accounts.
  • Recovery: The firm restores affected files from a secure backup and monitors systems for any signs of possible reinfection.

Phase 5: Post-incident review

After a cyber incident is resolved, businesses should conduct a thorough review to ascertain what went wrong and how they can stop it from happening again. This includes documenting the cyberattack, as well as how it was detected, analysed and dealt with. Then, once this information has been collated, it should be assessed to see if the action taken was effective or if it could be improved.

Sticking with our hypothetical accounting firm, the owner of the business could take a number of steps to ensure this incident does not occur again. These include:

  • Debriefing staff after the event to discuss lessons learned.
  • Holding regular staff training sessions on cybersecurity, and how to better detect social engineering attacks.
  • Improving email filtering security to prevent spam and malicious emails getting through.
  • Reviewing cybersecurity policies to ensure they are still fit for purpose.

Make Cyber Liability insurance part of your response plan

If you use smart devices or the internet to conduct business, then you may wish to consider Cyber Liability insurance.

Cyber Liability insurance covers losses from claims arising from data breaches, business interruption and remediation costs following an actual or threatened data breach. Examples of the types of risks Cyber Liability insurance can assist with are unintended loss or release of customer personal information, cyber crime, cyber extortion/ransomware and business interruption due to a cyber event.

Compare and get Cyber Liability insurance tailored to your business online, or call us on 1300 920 847 today for customised coverage.

This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording.
© 2025 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769

Compare multiple quotes online in minutes

Compare FREE quotes


Trusted by over 250,000 Australian small businesses.
