Why incident readiness matters
When a breach or ransomware event happens, the first 24–48 hours often determine containment, regulatory exposure, and reputational impact. Plans that exist only on paper—or that have never been tested with the people who would execute them—fail under pressure. Insurers and auditors increasingly ask for evidence of tested incident response; NCSC Exercise in a Box is widely recognised as a practical way to demonstrate due diligence.
Before an incident: your checklist
- Incident response plan is documented and accessible offline — So it can be read when systems are down. Include contact lists, escalation paths, and key decisions (e.g. when to involve legal, comms, regulators).
- Key roles are assigned and contact details current — Incident lead, comms lead, legal, board/exec escalation. Review quarterly; avoid single points of failure.
- Escalation path to board or executive is defined — Who decides "this is material"? Who informs the board, and within what timeframe? Document it.
- You have run at least one tabletop or drill in the last 12 months — NCSC Exercise in a Box is free and aligns with UK guidance. Document who took part and what was learned.
- Insurers and key suppliers are listed with contact details — Breach notification clauses and insurer contacts should be to hand; test that someone can reach them.
What good looks like vs common gaps
Good: A short, actionable plan (not a 50-page manual); roles named and contact details in an offline copy; tabletop run with IT, comms, and at least one exec; outcomes and follow-ups minuted.
Common gaps: Plan exists but is outdated or only in a shared drive that may be inaccessible; no recent test; escalation to board is vague ("we'd tell someone"); insurer contact only in a contract file.
When it happens: first 24 hours
Containment and evidence preservation come first. Notify your incident lead. Preserve logs, and if forensic analysis may be needed, do not shut down, wipe or rebuild affected systems without advice, because doing so can destroy the evidence that would show how the attacker got in and what they reached. Activate comms and legal early; decide who speaks externally and when. Regulators (e.g. ICO for personal data) have notification timelines—know yours.
Discuss your readiness with our team—we facilitate NCSC-aligned exercises and document outcomes for auditors and insurers.
