Incident Response Plan Small Business | Northstar IT

Create an Effective Incident Response Plan for Small Business

Most small businesses have no written incident response plan. When a ransomware attack or data breach occurs, decisions get made in a panic - often the wrong ones. A one-page written plan that answers 'who does what in the first hour' is enough to dramatically reduce the damage. Here is a starting template.

Why a Simple Plan Beats a Complex One

Enterprise incident response plans run 50 pages. Nobody reads them in a crisis. For a small business, a laminated one-page reference card with five to eight steps and the right phone numbers is more valuable than a binder gathering dust on a shelf.

Your plan needs to answer four questions: How do we detect that something is wrong? Who decides whether it is a real incident? What do we do first? Who do we notify and when? The rest is operational detail that can be handled after the immediate crisis is contained.

Phase 1: Detection and Classification

List the signals that indicate a potential incident: user reports strange pop-ups or locked files, helpdesk sees unusual login alerts, your EDR platform generates a critical alert, a vendor notifies you of suspicious activity involving your account. Any of these is a trigger to start the classification process.

Classify the incident on a simple scale. P1: systems are down, data may be exfiltrated, business operations halted. P2: suspicious activity confirmed but systems still operational. P3: anomaly detected, investigation needed. Classification determines the urgency of your next steps.

Phase 2: Containment

Containment means stopping the spread before you understand the full scope. For most SMB incidents, this means: disconnect affected machines from the network (pull the cable or disable Wi-Fi, but do not power off, because evidence held in memory is lost on shutdown), reset passwords for affected accounts from a clean device, revoke active sessions in Microsoft 365 or your identity provider, and notify your IT provider immediately.

Do not try to clean or recover the affected machine before your IT provider has assessed it. Forensic evidence is lost when systems are wiped. Your insurer and, if applicable, the OIPC (the provincial privacy regulator) will want a chain of custody for incident evidence.
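The account-side containment steps above (revoke active sessions, reset passwords from a clean device, keep a record of what was done and when) can be scripted so they are not improvised under pressure. The following is an added example written for this article, not a Northstar IT runbook, using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the operator signs in as an administrator allowed to reset passwords, and that the incident ID, log path and user list are placeholders you replace.

```powershell
# Added example (not Northstar IT's runbook): Microsoft 365 account containment
# with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Run from a clean device as an administrator who may reset passwords.
# $IncidentId, $LogPath and the user list are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string[]] $AffectedUsers,   # UPNs of the affected accounts
    [string] $IncidentId = 'INC-PLACEHOLDER',
    [string] $LogPath    = ".\$IncidentId-actions.jsonl"
)

# Every action is appended as one timestamped JSON line. This file is the
# "what steps were taken" record that the IT provider, insurer or regulator
# will ask for, so it is written before and after each change, never edited.
function Write-IncidentLog {
    param([string] $Action, [string] $Target, [string] $Result)
    $entry = [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        incident  = $IncidentId
        operator  = "$env:USERDOMAIN\$env:USERNAME"
        action    = $Action
        target    = $Target
        result    = $Result
    }
    ($entry | ConvertTo-Json -Compress) | Add-Content -Path $LogPath
}

# Temporary password from a cryptographic RNG. Rejection sampling keeps every
# character equally likely; the user must change it at next sign-in anyway.
function New-TempPassword {
    param([int] $Length = 20)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = [byte[]]::new(1)
    $limit = 256 - (256 % $chars.Length)
    $out   = [System.Text.StringBuilder]::new()
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($chars[$buf[0] % $chars.Length]) }
    }
    $out.ToString()
}

# Delegated scopes for session revocation and password profile updates.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome
Write-IncidentLog -Action 'connect-graph' -Target (Get-MgContext).TenantId -Result 'ok'

foreach ($upn in $AffectedUsers) {
    # 1. Revoke sessions and refresh tokens first, so a stolen token stops
    #    working even before the password change has propagated.
    if ($PSCmdlet.ShouldProcess($upn, 'Revoke sign-in sessions')) {
        try {
            $r = Revoke-MgUserSignInSession -UserId $upn
            Write-IncidentLog -Action 'revoke-sessions' -Target $upn -Result "value=$($r.Value)"
        } catch {
            Write-IncidentLog -Action 'revoke-sessions' -Target $upn -Result "error: $($_.Exception.Message)"
            continue
        }
    }

    # 2. Reset the password and force a change at next sign-in. The temporary
    #    value is given to the user by phone, never by (possibly compromised) email,
    #    and is deliberately not written to the log.
    if ($PSCmdlet.ShouldProcess($upn, 'Reset password')) {
        $body = @{ PasswordProfile = @{ Password = (New-TempPassword); ForceChangePasswordNextSignIn = $true } }
        try {
            Update-MgUser -UserId $upn -BodyParameter $body
            Write-IncidentLog -Action 'reset-password' -Target $upn -Result 'ok (temporary password not logged)'
            Write-Host "$upn : sessions revoked, temporary password set. Deliver it by phone."
        } catch {
            Write-IncidentLog -Action 'reset-password' -Target $upn -Result "error: $($_.Exception.Message)"
        }
    }
}
```

Run it with `-WhatIf` first to see which accounts would be touched, then with the list of affected UPNs (for example `.\Contain-Accounts.ps1 -AffectedUsers alice@example.com, bob@example.com`). The same script serves the Phase 4 step of resetting every user's credentials once containment is confirmed: pass the output of `Get-MgUser -All` (the `UserPrincipalName` values) as `-AffectedUsers`. Keep the `.jsonl` log with the rest of the incident evidence; it is the timeline you will need for the post-mortem and for any insurer or regulator notification.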

Phase 3: Communication

Establish in advance who speaks for the company during an incident. The owner or a designated manager should be the single point of contact for all external communication. Staff should be instructed not to discuss the incident on social media or with clients until the designated spokesperson has approved a statement.

Internal communication should use a channel that is not affected by the incident. If your email is compromised, use phone or a personal messaging app. Have mobile numbers for key staff written down somewhere offline.

Notification Obligations

Under PIPEDA, if a breach creates a real risk of significant harm to individuals, you must notify the Privacy Commissioner of Canada and affected individuals as soon as feasible. Under Alberta PIPA, similar obligations apply. Document the breach details immediately: what data was affected, when the breach was discovered, and what steps were taken.

Your cyber insurance carrier also needs to be notified promptly - most policies have notification windows of 24 to 72 hours. Read your policy before an incident so you know the requirement.

Phase 4: Recovery and Post-Incident Review

Recovery starts only after containment is confirmed. Restore from backups, rebuild affected systems from clean images, and verify that the attack vector has been closed before reconnecting systems to the network. Run a full credential reset for all users, not just the ones directly affected.

Within two weeks of the incident, run a post-mortem. Document the timeline, what controls failed, what worked, and what changes will be made. Update your incident response plan with lessons learned. The goal is not to assign blame but to improve your defences.


Do not wait for an incident to build a plan.

North Star can build and test a custom incident response plan for your business, including tabletop exercises and runbooks. Get started with a free assessment.


Frequently asked questions

What incident response plan should small business owners have?

An incident response plan for a small business is a formal document that outlines how your organisation will detect, respond to, and recover from cybersecurity incidents. It serves as a playbook to ensure your team reacts quickly and efficiently to threats like ransomware or data breaches. By having a structured approach, you reduce the risk of permanent data loss and significantly decrease the time it takes to return to normal operations in Western Canada.

Why does an IRP template need to be specific to small business?

Most enterprise templates are too complex for smaller teams to manage effectively. A dedicated IRP template for small business focuses on the most common threats faced by SMBs in Alberta and BC, such as phishing and local hardware failure. It simplifies the reporting structure and prioritises the most critical business functions, making it easier for a smaller IT team or a managed service provider like Northstar IT to execute the plan under pressure.

How often should we update our incident response plan?

You should review and update your incident response plan at least once a year or whenever there is a major change in your IT infrastructure or business operations. Regular testing, often called tabletop exercises, helps identify gaps in the plan. For businesses in Prince George or Calgary, staying current with local regulatory requirements and evolving cyber threats is vital to ensure your defensive strategies remain effective and your team stays prepared.

What are the key phases of an incident response process?

The standard process includes preparation, identification, containment, eradication, recovery, and post-incident activity. Preparation involves training and tools, while identification confirms a breach has occurred. Containment stops the threat from spreading, and eradication removes it from your systems. Recovery restores operations to normal, while the final phase involves documenting lessons learned to improve your future response. Northstar IT helps SMBs navigate each of these critical steps with professional guidance.