If your company hasn’t fallen prey to a cybersecurity incident, you’re one of the fortunate ones. Unfortunately most organizations will face a cybersecurity incident at some point. This could be something “small” like sending an email with private information to the wrong person, or it could be a serious incident like being held ransom and seeing your company’s private information posted online. Due to the high risk of cybersecurity incidents, your business should have appropriate plans and strategies in place to deal with these kinds of situations.

Most companies that experience a cybersecurity incident find out that it can be traced back to your own employees – they may be saving their passwords on their personal devices, clicking on phishing links, opening unauthorized email attachments, etc. You can be ready and equipped to handle a cybersecurity incident the moment it occurs, as every second matters. 

Malware infections spread rapidly, ransomware can cause severe damage to the business, and compromised accounts lead hackers to more sensitive information like personal, client, and financial data of the company. It doesn’t matter on the size of your organization or what kind of business you are in you should have an incident response plan and be ready to take immediate action when incidents occur. 

A Managed IT Support Services provider like Tier 3 IT Solutions can help guide you through the incident response planning process but it is something that must be designed internally by each company.  To help you get started, here are some key considerations for your Cybersecurity Incident Response Plan.

Cybersecurity Incident Response Plan

  • Set up an Incident Response Team

It’s crucial to have the right people with the right skills, along with related technical knowledge. Select a group of skilled individuals for your cybersecurity incident response team. For a start, collect data and make an inventory of the programs you use every day, the information stored in these programs, and any personal information linked to these programs. Next, assign every member of the incident response team, a particular role and set of responsibilities which takes precedence over their normal duties. This team needs to look into this inventory and identify the data linked to the programs used and how sensitive it is. They then need to work together with your IT team to ensure the proper protections, restrictions, and recovery procedures are in place to meet your expectations.

Tier 3 IT Solutions has assembled a team of Cybersecurity consultants who can help answer questions, design risk reduction plans, and support you in developing and executing these plans.

  • Identify the Type and Extent of an Incident

Before your cybersecurity incident response team can resolve any incident, they must evaluate the damage to determine a proper response. For example, if the incident involves a computer virus that can be swiftly and proficiently identified and eliminated without affecting any internal or external party, the appropriate response would be to document the incident and save it in your records. 

If, however, the incident includes the theft of sensitive data then you must consider the risk to the organization if that information were made public, sold to a competitor, or otherwise used against the company. This is an unfortunate reality that many businesses discover after a Ransomware infection compromises their data and it is not easily resolved after the data has been stolen.

  • Report Incidents When Necessary

The Government of Canada introduced mandatory breach reporting legislation in 2017 that requires any company to report incidents that put personally identifiable information at risk.  This means that you could be liable for significant damages if you try to hide an incident that affects your clients’ personal information on your systems.  You can read more about these requirements here:  https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/

There are also certain departments of the company that need to be informed of computer security incidents right away, which include the incident response team, the IT team, and the breach coach. These teams should bring up these incidents as priority to the cybersecurity incident management team. If an incident results in damage or a targeted attack, it needs to be highlighted immediately. This comprises phishing scams used to direct employees to enter credentials or wire money to fake accounts; ransomware or cyber surveillance campaigns targeted to hold onto company sensitive data or assets hostage; or disruptions in business networks that may result in suspicious exposures or unexpected downtime. Avoid falling prey to ransomware attacks and let your cybersecurity insurance team handle this situation.

  • Alert Affected Parties and External Organizations

It is critically important that you have a communication plan for informing third parties of a cyber incident that has affected them or their data that was in your care. Your legal team will be able to advise you on specific language that you should or should not use. One example is that you do not want to tell clients that you have “experienced a breach” as that implies a serious incident and instead you would want to tell them that you “are investigating a cyber incident”.  It might not seem significant, but our choice of words is critically important in a crisis situation. One member of the cybersecurity incident response team should be responsible for handling communication to affected parties i.e. investors, third-party vendors, etc. Depending on the seriousness of the incident, the selected cybersecurity associate will act as the link between the organization and law enforcement.

  • Gather Evidence

Your insurance provider is going to want to know what happened so that they can pay (or not) based on the circumstances. This means you need to preserve as much of the “current state” as possible and one of the major failings in recovering from a breach is that companies often rush to restore their data and in the process they overwrite the compromised servers. This could make filing a claim more difficult for your company and should be done only as a last resort. Think of it like a crime scene – don’t’ go trampling on the evidence. If you’re not sure, talk with your breach coach that the insurer designated to your account.  The cybersecurity incident management team is accountable for recognizing and collecting both physical and electronic evidence as part of the investigation. 

  • Minimize Risk and Exposure

The role of a Cybersecurity team like Tier 3 IT Solutions is to help companies identify potential risk and to develop plans to lower the exposure you face. We would also provide proactive monitoring solutions to watch your systems for changes and vulnerabilities, as well as installing patches and upgrades to keep you current and protected.  Lowering your risk is your best response to the cybersecurity threats that exist today.

We also recommend that every business carries an appropriate Cyber Insurance package that includes coverage for Cyber Liability and Cyber Crime. Many insurance packages include proactive services and recommendations on how you can reduce your risk and liability and we recommend you review those with your insurer. Putting in place these plans before you need to access them will help you lower your risk, and recover more quickly in the case of a breach.


Cybersecurity is not a one size fits all solution and must be designed in a way that is not overwhelming for you and your company. Tier 3 IT Solutions has worked with hundreds of businesses to develop and implement IT Security and server support measures to lower risk and maintain business operations. Reach out today to chat with one of our experts to see how we can help you prepare and avoid being a statistic of cyber crime.