SMB Cyber Incident Response Checklist

For Businesses with Outsourced IT/Cybersecurity Services

---

This checklist is brought to you by Forward To Safety — cybersecurity built for real life.

Forward To Safety gives your business the tools and expertise to reduce risk, recognize threats, and respond with confidence.

Three capabilities. One trusted platform.

• Craig AI Library — On-demand cybersecurity training and awareness resources your team can actually use
• Website Safety Checker — Check any link or domain against threat intelligence, blocklists, and infrastructure signals before your employees click
• Forward To Safety Assure — Security visibility and compliance reporting that shows business leaders exactly where they’re exposed — and a prioritized roadmap to close the gaps

---

Table of Contents

• THE REALITY: It’s WHEN, Not IF
• YOUR PARTNERSHIP MODEL
• PHASE 1: PREPARATION (Complete These NOW)
• PHASE 2: DETECTION & ANALYSIS (When Something Goes Wrong)
• PHASE 3: RESPONSE (Containing and Neutralizing the Threat)
• PHASE 4: RECOVERY (Getting Back to Business)
• PHASE 5: POST-INCIDENT FOLLOW-UP
• ONGOING MAINTENANCE (Monthly/Quarterly/Annually)
• EMERGENCY CONTACT SHEET
• CRITICAL REMINDERS
• BUDGET CONSIDERATIONS
• ANNUAL IR PLAN REVIEW CHECKLIST
• FINAL THOUGHTS
• GET PROTECTED WITH FORWARD TO SAFETY

---

THE REALITY: It’s WHEN, Not IF

According to cybersecurity experts: It’s not a question of “if” your business will experience a cyber incident — it’s “when.” The average data breach costs SMBs $149,000, and 60% of small businesses close within 6 months of a successful cyber attack.

Having a plan NOW — before an incident occurs — is your best defense.

---

YOUR PARTNERSHIP MODEL

Success requires coordination between TWO teams:

YOUR INTERNAL TEAM (Business Leadership)

• Makes business decisions
• Manages stakeholder communications
• Handles legal, HR, and customer relations
• Authorizes emergency actions

YOUR IT/CYBERSECURITY PROVIDER (Technical Team)

• Detects and investigates threats
• Contains and neutralizes attacks
• Performs forensic analysis
• Executes technical recovery

This checklist defines WHO does WHAT and WHEN.

---

PHASE 1: PREPARATION (Complete These NOW)

STEP 1: VERIFY YOUR IT PROVIDER’S INCIDENT RESPONSE CAPABILITIES

□ Schedule an Incident Response Planning Meeting

• Request a copy of their IR procedures
• Understand their detection and monitoring capabilities
• Clarify response time commitments (24/7? Business hours?)
• Identify escalation procedures

□ Confirm Your IT Provider Has:

• 24/7/365 emergency contact number
• Documented incident response procedures
• Cyber insurance (Errors & Omissions coverage)
• Backup technicians available
• Forensic investigation capabilities or partnerships
• Experience with your industry’s regulatory requirements

□ Understand Service Level Agreements (SLAs):

• What is their guaranteed response time?
• What services are included in incident response?
• What triggers additional fees?
• Are they monitoring your systems 24/7?
• What is NOT covered in your agreement?

---

HAVING IT SUPPORT IS NOT THE SAME AS HAVING CYBERSECURITY COVERAGE

Most small businesses rely on someone for IT — an in-house tech person, a managed IT provider, or someone who handles things when systems need attention. They keep things running, fix problems, and manage the day-to-day. That’s genuinely valuable.

But IT and cybersecurity are different disciplines — and this distinction matters more than most business owners realize.

An IT generalist is focused on keeping your systems operational. A cybersecurity professional is trained to look for something different: software running on your network that hasn’t been updated in months and is leaving a known opening for attackers, settings that were misconfigured and are quietly exposing more than they should, user accounts that still have access they no longer need, or compliance gaps your business is expected to close before an audit finds them.

These are the kinds of things that often go unnoticed — by IT teams and business owners alike — until something goes wrong and the source becomes obvious in retrospect.

And if your business doesn’t have dedicated IT support at all — which is true for many small businesses — no one may be looking at any of this.

Forward To Safety Assure gives you that view, in plain language, without needing a technical background to read it.

Assure is a security visibility and compliance reporting platform designed for business leaders. It shows you what’s actually going on across your systems:

• Software and systems that need updating before they become an entry point
• Settings and access points that are open when they shouldn’t be
• User accounts with more access than necessary — or access that was never removed
• Where your business stands against compliance requirements like HIPAA, PCI-DSS, SOC 2, NIST, and GDPR

A regularly updated dashboard. Reviewed quarterly with a prioritized action plan using tools you already own. Written for leaders, not IT teams.

See what’s actually going on in your business. Learn more at forwardtosafety.com

---

STEP 2: BUILD YOUR INTERNAL INCIDENT RESPONSE TEAM

□ Assign Clear Roles and Responsibilities:

ROLE	PERSON	BACKUP	24/7 CONTACT
Incident Commander (Final authority for all decisions)	_______	_______	_______
IT Liaison (Bridge between business and IT provider)	_______	_______	_______
Communications Lead (Internal/external messaging)	_______	_______	_______
Legal Counsel	_______	_______	_______
HR Representative	_______	_______	_______
Finance/Accounting Lead	_______	_______	_______
Customer Relations Lead	_______	_______	_______

□ Define Decision-Making Authority:

• Who can authorize shutting down systems/websites?
• Who approves public statements?
• Who authorizes ransom payments (if applicable)?
• Who contacts law enforcement?
• Who notifies customers/partners?
• What decisions require board approval?

---

STEP 3: CREATE YOUR INCIDENT RESPONSE CONTACT SHEET

Print and store in multiple secure locations (office, cloud, key personnel homes)

□ Emergency IT Provider Contacts:

• Primary emergency hotline: ___
• Secondary emergency contact: ___
• Account manager: ___
• After-hours escalation: ___

□ Critical Business Contacts:

• Cyber insurance provider: ___
• Cyber insurance policy number: ___
• Legal counsel: ___
• Business insurance agent: ___
• Bank fraud department: ___
• PR consultant (if applicable): ___

□ Regulatory/Law Enforcement Contacts:

• FBI Internet Crime Complaint Center (IC3): www.ic3.gov
• State Attorney General: ___
• Industry regulator (if applicable): ___
• Local FBI field office: ___
• Local police non-emergency: ___

□ Key Vendor/Partner Contacts:

• Payment processor: ___
• Cloud service provider: ___
• Website hosting: ___
• Critical suppliers: ___

□ Alternate Communication Methods:

• If email is compromised: ___
• If phones are down: ___
• If building is inaccessible: ___

---

STEP 4: DOCUMENT YOUR CRITICAL BUSINESS ASSETS

Work with your IT provider to create and maintain this inventory:

□ Critical Systems Inventory:

• Customer database location and backup status
• Financial systems and data
• Email systems
• Website and e-commerce platforms
• Cloud services (list all)
• Line-of-business applications
• Employee information systems

□ Data Classification:

• Identify regulated data (HIPAA, PCI-DSS, GDPR, etc.)
• Document where customer data is stored
• Map employee personal information locations
• Identify intellectual property/trade secrets
• Note financial records locations

□ Business Impact Assessment:

• What systems are essential to daily operations?
• What is maximum tolerable downtime for each system?
• What data loss is acceptable (Recovery Point Objective)?
• What is the revenue impact per hour of downtime?
• Which customers/contracts have notification requirements?

---

STEP 5: ESTABLISH REGULATORY COMPLIANCE REQUIREMENTS

□ Identify Your Notification Obligations:

• Which regulations apply to your business?

• [ ] HIPAA (Healthcare)

• [ ] PCI-DSS (Payment cards)
• [ ] GDPR (European customers)
• [ ] State breach notification laws
• [ ] Industry-specific regulations
• [ ] Contractual obligations

□ Document Notification Timelines:

• Customers: _ (days/hours after discovery)
• Regulators: _ (days/hours after discovery)
• Law enforcement: _ (if required)
• Credit bureaus: _ (if identity theft)
• Media: _ (if required by regulation)

□ Confirm Cyber Insurance Coverage:

• Policy number: ___
• Coverage limits: ___
• Deductible: ___
• Incident reporting requirements: ___
• Pre-approved vendors (forensics, PR, legal)
• Does coverage include business interruption?
• Does coverage include ransomware payments?

---

STEP 6: PREPARE COMMUNICATION TEMPLATES

Work with legal counsel to pre-draft these templates:

□ Internal Communications:

• Initial incident alert to employees
• Ongoing status updates
• Return-to-normal-operations announcement
• Lessons-learned summary

□ External Communications:

• Customer breach notification letter
• Vendor/partner notification
• Media statement (if applicable)
• Regulatory reporting templates
• Website/social media holding statements

□ Customer Service Talking Points:

• What to say when customers call
• How to handle angry customers
• What information can be shared
• Where to direct media inquiries

---

STEP 7: CONDUCT INCIDENT RESPONSE TRAINING

□ Leadership Training (Quarterly):

• Review incident response roles
• Walk through decision-making scenarios
• Practice using emergency contact list
• Update contact information

□ Employee Awareness (Monthly):

• How to recognize and report security incidents
• Who to contact if something seems wrong
• Importance of immediate reporting (no blame culture)
• Common attack methods (phishing, ransomware, etc.)

□ Tabletop Exercises (Every 6 Months):

• Simulate a cyber incident with your IT provider
• Practice coordinated response
• Test communication channels
• Identify gaps in procedures
• Update plan based on lessons learned

---

SECURITY THREATS CHANGE CONSTANTLY — MOST EMPLOYEE TRAINING DOESN’T

Most businesses do security training once a year. That worked better when threats were more predictable. Today, scam emails are updated constantly — and an employee who completed their training in January may not recognize what’s circulating in September.

Here’s what that gap looks like in practice: a new type of scam email starts making the rounds — one that looks like a routine invoice or vendor payment request, formatted to appear completely normal. An employee gets one and isn’t sure if it’s real.

With Forward To Safety, they don’t have to guess. They forward it to [email protected] — or use the Forward To Safety extension — and in less than 30 seconds they get a detailed verdict: exactly what was found, why it’s suspicious, and what to watch for. Forward To Safety analyzes emails, texts, PDF files, QR codes, voicemails, and virtually anything sent through technology — not just email.

That verdict is also real-time training. Because the explanation is tied to an email the employee actually received — not a hypothetical in a classroom — it sticks. Do this enough times and something more valuable happens: your team stops second-guessing and starts building the habit of checking before trusting. That habit, repeated daily, is more effective than any annual training session.

And the everyday questions that come up beyond that? “What does this security warning mean?” “Should I be concerned about this popup?” “My IT provider mentioned something I didn’t understand — what does that actually mean for us?” That’s where the Craig AI Library comes in.

Built by cybersecurity expert Craig Peterson, the Craig AI Library is your team’s go-to resource for plain-language answers to the technical questions that come up day to day — without waiting for the next training session or bothering the IT provider for every small question.

Use it for:
- Everyday security questions employees don’t know who to ask
- Understanding what security terms and warnings actually mean in plain language
- Helping new hires navigate common security situations from day one
- Keeping awareness current throughout the year without scheduling another training session

Give your team knowledge that stays current. Access the Craig AI Library at forwardtosafety.com

---

STEP 8: VERIFY BACKUP AND RECOVERY CAPABILITIES

□ Confirm with Your IT Provider:

• What backup solution is in place?
• How often are backups performed?
• Where are backups stored? (offsite? cloud?)
• Are backups encrypted?
• Are backups tested regularly?
• What is the Recovery Time Objective (RTO)?
• What is the Recovery Point Objective (RPO)?

□ Request Backup Testing:

• Schedule quarterly restoration tests
• Verify critical systems can be recovered
• Document actual recovery times
• Identify any gaps in backup coverage

□ Maintain Offline Backups:

• Critical business documents (paper or offline drive)
• Customer contact information
• Vendor/supplier lists
• Employee emergency contacts
• Financial records

---

DO YOU KNOW ENOUGH TO EVALUATE WHAT YOUR IT PROVIDER TELLS YOU ABOUT BACKUPS?

The questions above are the right ones to ask. But knowing whether the answers you receive are actually adequate — that’s a different challenge. Most business leaders ask and then accept whatever they’re told, not because they don’t care, but because they don’t have the background to push back when something doesn’t add up.

What does a good backup schedule actually look like for a business your size? What’s a reasonable recovery time? What’s the difference between having a backup and having a tested backup? When an IT provider says “we’re covered,” what does that really mean?

The Craig AI Library gives you the background to evaluate those answers — plain-language explanations of backup and recovery concepts, what to look for, and what questions to ask when an answer feels incomplete. No technical background required.

Go into your next IT review prepared — not just with a checklist, but with enough understanding to know when the answers you’re getting are the right ones.

Explore the Craig AI Library at forwardtosafety.com

---

PHASE 2: DETECTION & ANALYSIS (When Something Goes Wrong)

COMMON WARNING SIGNS

Train all employees to immediately report these indicators:

□ System/Network Anomalies:

• ✖ Unusual system slowdowns or crashes
• ✖ Cannot access files or systems
• ✖ Files encrypted or renamed
• ✖ Ransom message on screen
• ✖ Antivirus or security software disabled
• ✖ Pop-ups or unexpected error messages

□ Account Compromise Indicators:

• ✖ Unexpected password reset notifications
• ✖ Locked out of accounts
• ✖ Unusual login attempts or locations
• ✖ Accounts sending messages employees didn’t create
• ✖ New users or permissions appearing

□ Business Operations Disruptions:

• ✖ Customers reporting suspicious emails from your company
• ✖ Website defaced or inaccessible
• ✖ Point-of-sale systems malfunctioning
• ✖ Unable to process payments
• ✖ Phone system issues
• ✖ Email delivery problems

□ Financial Red Flags:

• ✖ Unauthorized wire transfers or ACH
• ✖ Fraudulent vendor invoices
• ✖ Changed bank account information for vendors
• ✖ Unexpected credit card charges
• ✖ Customer payment disputes you didn’t anticipate

---

WHAT YOUR EMPLOYEES DON’T KNOW CAN HURT YOUR BUSINESS

How Hackers Hide Inside Legitimate Websites — Without the Owner Ever Knowing

One of the most dangerous threats your business faces isn’t a shady link or an obvious scam email. It’s your vendor’s website. Your industry news site. Your supplier’s invoice portal. Legitimate, familiar websites that have been quietly compromised — and the owners have no idea.

Here’s how it works:

Silent Code Injection
Attackers exploit vulnerabilities in a website’s software — outdated plugins, unpatched content management systems, or insecure third-party scripts — and inject malicious code that runs invisibly in the background. The site looks completely normal to everyone: visitors, employees, and the website owner. Nothing appears wrong because nothing visible has changed.

You Don’t Have to Click Anything
When an employee visits a compromised legitimate site, malicious code can execute automatically — downloading malware, harvesting credentials, or quietly redirecting to a fake login page — all while the real website displays normally in the foreground. The attack happens without a single suspicious click.

Watering Hole Attacks Target YOUR Industry
Sophisticated attackers identify which websites their intended victims visit regularly — trade publications, association portals, supplier websites, industry forums — and deliberately compromise those specific sites to reach them. Your business gets targeted through the sites your employees trust most.

Malicious Ads on Legitimate Sites
Even websites that haven’t been directly hacked can serve threats. Attackers inject malicious code into legitimate advertising networks, which then deliver that code to visitors through normal ad placements on reputable websites — a technique called malvertising. The site’s owner is completely unaware.

Why “Stick to Trusted Sites” Is Dangerous Advice
The most common — and most wrong — advice in cybersecurity is to simply avoid “sketchy” websites. The reality: legitimate websites get compromised every single day. Site owners are often the last to find out, sometimes only learning of the infection when customers or security researchers report it. By then, thousands of visitors may already be affected.

The bottom line: your employees cannot tell a compromised site from a safe one just by looking at it.

---

WHEN AN EMPLOYEE ISN’T SURE ABOUT A LINK, WHAT DO THEY DO?

Read the section above. Now consider this: when someone on your team gets an email with a link they’re not quite sure about — a vendor invoice, a payment request, a supplier portal — what’s their actual next step?

For most employees, the honest answer is: click it and hope, or skip it and possibly miss something important. “Use your judgment” is the most common guidance given. But as you just read, judgment alone can’t catch a website that looks completely normal but has been quietly compromised. The page loads fine. The address looks right. There’s nothing visibly different.

The Forward To Safety Website Safety Checker gives your team a simple way to check before clicking.

Before visiting any link, employees can run a quick check — the tool looks at the site’s history, reputation, security certificate, whether it appears on known threat lists, and where the link actually leads. Free to use, no account needed, takes about 10 seconds.

Paid accounts add checks across 35+ additional security sources and AI-powered review of the page content itself.

Build it into a simple habit:
- Check any link that arrives unexpectedly in an email, invoice, or payment request
- Verify a vendor or supplier site when accessing it from an unfamiliar URL
- Any time something feels a little off — take 10 seconds to check before clicking

Free to use, no account required. Try the Website Safety Checker at forwardtosafety.com/check

---

IMMEDIATE REPORTING PROCEDURES

Create a simple, clear reporting process:

□ Employee Discovery Process:

1. DO NOT attempt to fix it yourself
2. DO NOT click on anything suspicious
3. DO NOT delete anything
4. IMMEDIATELY report to: ___ (IT Liaison)
5. PRESERVE evidence (take photos, screenshots)
6. DISCONNECT affected device from network (if instructed)

□ IT Liaison Actions (First 15 Minutes):

1. Document initial report (who, what, when, where)
2. Contact IT provider emergency hotline
3. Alert Incident Commander
4. Begin incident log
5. Do NOT alert entire company yet (avoid panic)

IT PROVIDER INITIAL INVESTIGATION

Your IT provider should immediately:

□ Triage the Incident (30-60 Minutes):

• Confirm an incident has occurred
• Assess initial scope and severity
• Identify affected systems/data
• Determine threat type (ransomware, breach, etc.)
• Provide initial briefing to Incident Commander

□ Classify Incident Severity:

LEVEL 1 — CRITICAL (Activate Full Response):

• Ransomware encryption across multiple systems
• Active data exfiltration
• Complete system outages affecting operations
• Confirmed breach of regulated data (HIPAA, PCI, etc.)
• Public-facing compromise (website defacement)

LEVEL 2 — HIGH (Enhanced Monitoring):

• Isolated malware infection
• Suspected but unconfirmed breach
• Compromise of individual accounts
• Attempted attacks blocked by security controls
• Suspicious but unconfirmed activity

LEVEL 3 — MEDIUM (Standard Response):

• Phishing attempts (no successful compromise)
• Minor configuration issues
• Failed login attempts
• Routine security alerts

LEVEL 4 — LOW (Monitoring Only):

• Informational security events
• Planned security updates
• Routine vulnerability scans

EVIDENCE COLLECTION

Your IT provider should be collecting:

□ Technical Forensics:

• System logs and network traffic
• Memory dumps from affected systems
• Malware samples
• Timestamps of suspicious activity
• Attack vectors and entry points
• Indicators of Compromise (IOCs)

□ Business Documentation:

• Incident timeline
• Affected user accounts
• Systems and data impacted
• Estimated scope of compromise
• Initial root cause analysis

---

PHASE 3: RESPONSE (Containing and Neutralizing the Threat)

IMMEDIATE ACTIONS (First Hour)

YOUR ROLE (Business Leadership):

□ Activate Incident Response Team:

• Convene emergency conference call
• Brief Incident Commander on situation
• Authorize IT provider to take necessary actions
• Mobilize legal, HR, and communications leads
• Begin documenting all actions and decisions

□ Make Critical Business Decisions:

• Authorize system shutdowns if recommended
• Decide whether to suspend operations
• Determine customer notification strategy
• Authorize emergency spending if needed
• Contact cyber insurance carrier

□ Initiate Internal Communications:

• Brief executive team/owners
• Determine what to tell employees (limit details initially)
• Establish communication protocols (avoid compromised email)
• Set up war room or virtual command center

IT PROVIDER’S ROLE (Technical Response):

Your IT provider should be:

□ Containing the Threat:

• Isolate infected systems from network
• Disable compromised user accounts
• Block malicious IP addresses/domains
• Segment network to prevent lateral movement
• Preserve evidence before taking containment actions
• Document all technical actions taken

□ Stopping Active Attacks:

• Terminate malicious processes
• Close unauthorized remote access
• Block command-and-control communications
• Prevent data exfiltration
• Disable unnecessary services and ports

□ Assessing Damage:

• Identify all compromised systems
• Determine if data was stolen or encrypted
• Assess whether backups are intact and clean
• Identify attack timeline and entry point
• Provide regular updates to business leadership

---

HOURS 1-24: INVESTIGATION & CONTAINMENT

YOUR ROLE (Business Leadership):

□ Stakeholder Management:

• Notify cyber insurance carrier (within policy timeframe)
• Contact legal counsel for guidance
• Begin assessment of regulatory notification requirements
• Prepare holding statements for customers/partners
• Brief board of directors (if applicable)

□ Business Continuity:

• Activate business continuity plan
• Identify workarounds for affected systems
• Determine if operations can continue
• Assess financial impact
• Prioritize systems for recovery

□ HR Considerations:

• Determine if incident involves employee misconduct
• Prepare employee communications
• Brief managers on what to tell their teams
• Identify employees who need special access
• Consider whether remote work is necessary

□ Documentation:

• Maintain detailed incident log
• Record all decisions and who made them
• Track costs (for insurance claims)
• Preserve all evidence
• Document timeline for regulatory reports

IT PROVIDER’S ROLE (Technical Response):

Your IT provider should continue:

□ Deep Investigation:

• Conduct forensic analysis of affected systems
• Identify full scope of compromise
• Determine what data was accessed/stolen
• Map the attacker’s activities
• Search for additional compromises
• Collect evidence for law enforcement (if applicable)

□ Enhanced Monitoring:

• Deploy additional monitoring tools
• Watch for attacker returning
• Monitor for data appearing on dark web
• Scan for additional malware variants
• Review logs from all systems

□ Communication with Business:

• Provide regular status updates (at least every 4 hours)
• Explain findings in business terms
• Recommend next steps
• Estimate recovery timeline
• Identify costs for additional services

---

JOINT DECISIONS (Business + IT Provider):

□ Ransomware Scenarios:

• Can we recover from backups? (preferred option)
• If backups are unavailable, consider ransom payment:
• Consult cyber insurance carrier
• Engage legal counsel
• Consider law enforcement guidance
• Understand risks (no guarantee of recovery)
• Document decision rationale

□ Law Enforcement Notification:

• Determine if reporting is required or recommended
• Contact FBI (IC3.gov or local field office)
• Understand they may not investigate all cases
• Decide whether to cooperate with investigation
• Balance investigation needs vs. business recovery

□ External Forensics:

• Determine if third-party forensic investigation needed
• Consider for: major breaches, regulated data, litigation risk
• Your IT provider should coordinate with forensic firm
• Engage through legal counsel (attorney-client privilege)
• Budget for $15,000–$100,000+ for forensics

---

PHASE 4: RECOVERY (Getting Back to Business)

DAYS 1-3: ERADICATION & RESTORATION

YOUR ROLE (Business Leadership):

□ Approve Recovery Plan:

• Review IT provider’s recovery roadmap
• Prioritize which systems to restore first
• Authorize recovery timeline
• Approve necessary expenses
• Set expectations with stakeholders

□ Business Continuity Management:

• Implement workarounds for unavailable systems
• Communicate status to employees
• Update customers on service availability
• Manage supplier/vendor relationships
• Monitor financial impact

□ Begin Regulatory Compliance:

• Determine notification requirements with legal counsel
• Prepare customer notification letters
• Draft regulatory reports
• Coordinate with PR team (if needed)
• File cyber insurance claim

---

IT PROVIDER’S ROLE (Technical Recovery):

Your IT provider should:

□ Eradicate Threats:

• Remove all malware and malicious tools
• Close all attack vectors
• Patch vulnerabilities that were exploited
• Reset all compromised credentials
• Rebuild severely infected systems
• Verify threat actor cannot return

□ Restore Systems:

• Restore from clean, verified backups
• Rebuild critical systems first
• Test restored systems before production use
• Verify data integrity
• Confirm backups weren’t compromised
• Implement enhanced security controls

□ Enhance Security Posture:

• Deploy additional monitoring tools
• Implement new security controls
• Strengthen access controls
• Enable multi-factor authentication (MFA) everywhere possible
• Update firewall rules
• Improve logging and alerting

---

DAYS 4-14: VALIDATION & MONITORING

YOUR ROLE (Business Leadership):

□ External Notifications (if required):

• Send customer breach notifications (within legal timeframes)
• File regulatory reports
• Notify credit bureaus (if identity theft)
• Provide notification to business partners
• Issue public statement (if necessary)
• Offer credit monitoring (if personal data exposed)

□ Customer Relations:

• Establish dedicated hotline for customer inquiries
• Prepare FAQ document
• Brief customer service team
• Monitor social media sentiment
• Address customer concerns proactively

□ Financial Management:

• Track all incident-related costs
• Submit insurance claims
• Assess business interruption impact
• Review contractual obligations
• Evaluate potential liability

IT PROVIDER’S ROLE (Technical Validation):

Your IT provider should:

□ Verify Security:

• Conduct post-incident vulnerability scan
• Perform penetration testing
• Verify all systems are clean
• Confirm monitoring is working
• Test incident detection capabilities
• Validate backup integrity

□ Enhanced Monitoring (30-90 Days):

• Increased scrutiny of all systems
• Daily security reviews
• Threat hunting activities
• Watch for attacker returning
• Monitor for new indicators of compromise

---

PHASE 5: POST-INCIDENT FOLLOW-UP

WEEK 3-4: LESSONS LEARNED

JOINT ACTIVITIES (Business + IT Provider):

□ Post-Incident Review Meeting:

• Incident Commander facilitates
• Include all response team members
• Invite IT provider leadership
• Review complete timeline
• Assess what worked and what didn’t
• Identify improvement opportunities

□ Document Lessons Learned:

• What was the root cause?
• How was it detected?
• What was the total impact?
• Were response procedures adequate?
• What took longer than expected?
• What resources were lacking?
• What would we do differently?

□ Update Incident Response Plan:

• Revise contact lists
• Update procedures based on experience
• Add new scenarios to playbook
• Clarify any confusing elements
• Document new tools or resources needed

---

YOUR ROLE (Business Leadership):

□ Strategic Review:

• Assess overall security posture
• Determine if additional investment needed
• Review cyber insurance adequacy
• Evaluate IT provider performance
• Consider additional security measures
• Brief board/ownership on outcomes

□ Organizational Changes:

• Update policies and procedures
• Enhance employee training
• Implement new security controls
• Review vendor security requirements
• Strengthen contract language
• Improve third-party oversight

□ Long-term Monitoring:

• Offer affected individuals credit monitoring (12-24 months)
• Monitor for identity theft claims
• Watch for lawsuits or regulatory action
• Track long-term business impact
• Assess customer churn/retention

IT PROVIDER’S ROLE (Technical Improvements):

Your IT provider should:

□ Implement Security Enhancements:

• Deploy recommended security improvements
• Upgrade monitoring capabilities
• Implement additional controls
• Enhance backup procedures
• Improve vulnerability management
• Strengthen access controls

□ Update Security Roadmap:

• Prioritize security projects based on incident
• Recommend budget for improvements
• Create timeline for implementation
• Identify quick wins vs. long-term projects

---

ONGOING MAINTENANCE (Monthly/Quarterly/Annually)

MONTHLY TASKS

□ Review Security Alerts:

• IT provider briefs on security events
• Review any minor incidents
• Discuss threat landscape changes
• Update contact information if needed

□ Employee Awareness:

• Send security tips/reminders
• Share recent attack examples
• Recognize good security behavior
• Test phishing awareness

---

MONTHLY SECURITY REMINDERS WORK BETTER WHEN THEY’RE SPECIFIC AND CURRENT

A quick reminder to “stay vigilant” is easy to send — and easy to ignore. What makes monthly security awareness actually land is specific, timely information: here’s something going around right now, here’s what it looks like, here’s what to do if you see it.

The Craig AI Library gives you that material. Clear, plain-language cybersecurity guidance from Craig Peterson — covering what’s relevant right now, explained in a way anyone on your team can follow.

Use it for team briefings, lunch-and-learns, or a quick read between quarterly exercises. Real examples. Current topics. No technical background required.

Keep your team’s awareness current all year. Access the Craig AI Library at forwardtosafety.com

---

QUARTERLY TASKS

□ Incident Response Team Meeting:

• Review and update contact lists
• Confirm roles and responsibilities
• Update communication templates
• Review regulatory changes
• Conduct tabletop exercise

□ IT Provider Review:

• Assess SLA compliance
• Review security metrics
• Discuss threat intelligence
• Validate backup testing results
• Review and update asset inventory

---

ANNUAL TASKS

□ Comprehensive IR Plan Review:

• Full review of entire plan with legal counsel
• Update based on business changes
• Incorporate lessons from any incidents
• Review and renew cyber insurance
• Update regulatory compliance requirements

□ Full-Scale Incident Simulation:

• Conduct realistic cyber attack scenario
• Include all stakeholders
• Test technical and business response
• Identify gaps and improvement areas
• Update plan based on findings

□ Security Posture Assessment:

• Conduct comprehensive risk assessment
• Perform vulnerability assessment
• Review access controls
• Audit user accounts and permissions
• Assess third-party vendor security
• Update business continuity plan

---

EMERGENCY CONTACT SHEET

PRINT AND STORE IN MULTIPLE LOCATIONS

TIER 1: IMMEDIATE CONTACTS (Call First)

CONTACT	NAME	PHONE	EMAIL	NOTES
Incident Commander	___	___	___	Final decision authority
IT Provider Emergency	___	___	___	24/7 hotline
IT Liaison (Internal)	___	___	___	Primary tech contact
Backup IT Liaison	___	___	___

TIER 2: RESPONSE TEAM

CONTACT	NAME	PHONE	EMAIL	NOTES
Legal Counsel	___	___	___
Cyber Insurance	___	___	___	Policy #: _
Communications Lead	___	___	___
HR Representative	___	___	___
Finance Lead	___	___	___

TIER 3: EXTERNAL RESOURCES

CONTACT	PHONE	WEBSITE	NOTES
Forward To Safety Support	___	forwardtosafety.com	24/7 incident support
FBI IC3	N/A	www.ic3.gov	Internet crime reporting
FBI Local Office	___	___	For major incidents
Business Insurance	___	___	Policy #: _
Bank Fraud Dept	___	___
PR Consultant	___	___	If needed

ALTERNATE COMMUNICATION METHODS

IF THIS FAILS	USE THIS INSTEAD
Email	Personal cell phones: ___
Office phones	Personal mobile: ________
VoIP	Conference line: ________
Building inaccessible	Meet at: __________

---

CRITICAL REMINDERS

DO:

• Report incidents immediately — every minute counts
• Preserve evidence — don’t delete anything
• Follow the chain of command
• Document everything in writing
• Keep IT provider informed of all business decisions
• Trust your IT provider’s technical recommendations
• Maintain calm, professional communication
• Focus on business continuity and recovery

DON’T:

• Attempt technical fixes without IT provider guidance
• Pay ransom without consulting legal/insurance
• Make public statements without legal review
• Panic or blame employees
• Ignore regulatory notification requirements
• Assume everything is fine without verification
• Rush recovery at the expense of security
• Forget to update the plan based on experience

---

BUDGET CONSIDERATIONS

Plan for potential incident costs:

One-Time Expenses:

• Forensic investigation: $15,000–$100,000+
• Legal counsel: $250–$600/hour
• Public relations: $5,000–$50,000+
• Hardware replacement: Varies
• Customer notification: $5–$50 per customer
• Credit monitoring services: $10–$20 per person/year

Ongoing Expenses:

• Enhanced security tools: $1,000–$10,000/month
• Increased IT monitoring: May affect MSP fees
• Cyber insurance premiums: May increase 20–200%
• Compliance costs: Ongoing

Recommendation: Budget 2–5% of annual revenue for cybersecurity, including incident response capabilities.

Note: Forward To Safety Assure is priced for SMBs — a dashboard, compliance reporting, and quarterly advisory guidance at a fraction of what enterprise SIEM tools cost. Knowing where you’re exposed before an incident is far less expensive than discovering it during one. Learn more at forwardtosafety.com.

---

ANNUAL IR PLAN REVIEW CHECKLIST

Complete this review every 12 months:

□ Update all contact information

□ Review and test backup procedures

□ Verify cyber insurance coverage is adequate

□ Update regulatory compliance requirements

□ Review and update communication templates

□ Conduct full tabletop exercise

□ Review IT provider SLAs

□ Update asset inventory

□ Verify employee training is current

□ Review lessons from any incidents (yours or industry)

□ Update plan for organizational changes

□ Get executive/board approval on updated plan

Last Reviewed: _______

Next Review Due: _______

Approved By: _______

---

FINAL THOUGHTS

The Partnership Principle

Success requires active partnership between your business leadership and your IT/cybersecurity provider. Neither can succeed alone:

• You provide business context, make strategic decisions, and manage stakeholders
• Your IT provider delivers technical expertise, executes containment, and performs recovery

The Preparation Imperative

• 90% of incident response success depends on preparation
• Plans created during a crisis are rarely effective
• Regular testing reveals gaps before they become disasters
• Investment in preparation pays exponential dividends

The Living Document

This plan should be:

• Reviewed quarterly
• Updated after every incident
• Tested at least semi-annually
• Refined based on lessons learned
• Aligned with your business evolution

---

GET PROTECTED WITH FORWARD TO SAFETY

You just worked through a detailed incident response plan. Before you file it away, consider three questions:

As a business leader, can you see your own security status right now — what’s patched, what’s at risk, where you stand on compliance — without having to ask your IT provider to pull something together?

When an employee gets an email or link they’re not sure about, do they have a simple tool to check it — or are they left to their own judgment?

Is your team’s security awareness current as of this month, or based on the last training you scheduled?

If any of those feel like open questions, this checklist tells you what to do when something goes wrong — but it doesn’t fill those gaps before something goes wrong.

That’s what a Forward To Safety subscription is for.

---

START YOUR FORWARD TO SAFETY SUBSCRIPTION

Forward To Safety analyzes anything suspicious your team receives — emails, texts, PDF files, QR codes, voicemails, and any content sent through technology. Forward it to [email protected] and get a detailed threat verdict in less than 30 seconds — 6-tier analysis, 25+ attack categories, no software to install.

Business plans start at $1,962/year.

Subscribe now at forwardtosafety.com

---

Forward To Safety Assure

Know what’s actually going on in your business — without needing an IT background.

Most business leaders assume their IT provider has cybersecurity covered. But IT and cybersecurity are different disciplines — and the gaps often show up in places no one was specifically looking: software that needed updating months ago, settings that are open when they shouldn’t be, user accounts with access that was never removed.

Forward To Safety Assure surfaces those issues in plain language — a regularly updated dashboard showing where your software stands, what access controls have gaps, and how your business measures up against compliance requirements. Quarterly reports give you a clear, prioritized action plan using tools you already own.

You don’t need a technical background to read it. That’s the point.

Craig AI Library

Cybersecurity training your employees will actually remember.

Built by Craig Peterson — one of America’s most trusted cybersecurity voices — the Craig AI Library delivers clear, practical security education your whole team can use. Turn “security awareness” into year-round preparedness.

Website Safety Checker

Check any link before your team clicks it.

Forward To Safety’s Website Safety Checker runs 10 checks — DNS, SSL, domain age, blocklists, threat intelligence feeds, redirect chains — on any URL before anyone on your team visits it. Free with no account required. Paid accounts add 35+ security engine analysis and AI-powered page content scanning. Install the bookmarklet for one-click checking on any page.

Forward anything suspicious — emails, texts, PDFs, QR codes, voicemails — directly to [email protected] for a full 6-tier threat analysis and a verdict in less than 30 seconds.

---

Ready to protect your business?

Visit forwardtosafety.com to learn more or schedule a free consultation.

Your incident response plan is only as good as your preparation. The time to act is NOW — before you need it.

Brought to you by Forward To Safety — Protecting SMBs from the threats that matter.