
Incident response (IR): An organization’s structured approach to detecting, managing, and recovering from cybersecurity threats and data breaches. It aims to limit attack damage, minimize business disruption, and prevent future incidents.
The owner of a family-run building supply company in a Kentucky town of about nine thousand got to the store a little before seven. She turned on the front computer to pull the day’s delivery list. Instead of the usual screen, she found a black box with white letters and a number to call. Every file the business ran on, customer accounts, payroll, open invoices, supplier orders, sat locked behind it. This is ransomware, which is software a criminal uses to scramble your files and then charge you to unscramble them.
Her stomach dropped. That part is human, and it never fully goes away. But within ninety seconds, she was not guessing what to do. She reached into a drawer under the register, pulled out a printed binder, and turned to the first page. The company had practiced this. Twice a year, on a quiet afternoon, the owner and her two key employees would walk through the exact scenario they were currently experiencing. This practice embodies the purpose of an incident response plan, which is a written set of steps designed for handling the worst possible day.
I want to walk you through that plan, because it is not complicated, and because the calm she felt came entirely from having one.
Incident Response Step One: Stop the spread
The first instruction in the binder was not “call us.” It was “unplug.” Ransomware spreads across a network the way a grease fire spreads across a stove. The faster you cut the connection, the fewer burns. The owner pulled the network cable from the front computer and the one in the back office, and she shut off the store Wi-Fi at the router. She did not completely turn off the infected computers because investigators sometimes need access to a running machine’s memory later.
A good plan names this step first for a reason. Minutes matter, and panic makes people do the wrong thing in the wrong order. The binder did the remembering so she did not have to.
Step Two: Call the people on the list
Page two was a phone tree. Not a vague “get help” line, but actual names and numbers, printed on paper, because the email and the saved contacts were now behind the lock. She called her business partner, the company’s outside security partner, and the business’s insurance carrier because most cyber insurance policies require you to report quickly, and a delayed call can cost you the coverage you already paid for.
She also reported it to the FBI. Ransomware is a federal crime. The Bureau’s Internet Crime Complaint Center, which can be found online at ic3.gov, serves as the main platform for reporting such incidents. I spent years inside that world. Agents would far rather hear from you on the first morning than the third week.
Incident Response Step Three: Do not pay, do not negotiate alone
The binder was blunt on this point. No one at the store was authorized to email the criminals or transfer money. That decision belongs to the owners, the lawyers, the insurer, and law enforcement, together. Paying is not illegal in most cases, but it is a serious choice with no guarantee. Plenty of victims pay and still do not get their files back. A plan keeps a scared employee from making that call alone at 7:15 in the morning.
Incident Response Step Four: Bring the backups home
Here is where the practice paid off. The company kept backups, which are spare copies of every important file, stored separately from the main network so the ransomware could not reach them. Once a week, a copy was sent to a drive, then the drive was disconnected and locked in the safe. A backup that stays plugged in gets scrambled, too, so the disconnecting was the part that mattered.
Because of those copies, the owner never seriously considered paying. She had her customer accounts, payroll, and open invoices, which were the company’s cash flow. “Are our files gone?” was never the question. It was “how many days to restore them,” and they had rehearsed the answer.
Incident Response Step Five: Write down everything, then tell people the truth
Throughout the morning, the owner kept a simple log: what she saw, what time, what she did. That record helps investigators and the insurer and protects the business later. When customers and suppliers asked why orders were slow that week, she told them plainly. No spin. People trust the business that levels with them, and they remember the one that does not.
The part most owners skip
The company was back up in four days. The recovery was not luck. It was a binder, two practice runs, and a set of backups someone bothered to unplug.
Most small businesses I sit down with do not have that binder. Or they have one that a vendor wrote years ago that nobody has opened, let alone practiced. A plan you have never run is a guess, and the morning the screens go dark is the wrong time to find out your guess was wrong.
If you are not sure your business has a real plan, or you have one and cannot say with confidence that it would hold up, that is worth an honest conversation before you need it. At Commonwealth Sentinel, we help small businesses, local governments, and non-profits build response plans and then practice them, so the steps become muscle memory rather than a hope. You can reach us at 502-234-5554.
The owner closed the binder a little after noon. The files were coming back. She told me later that the worst day she had imagined for years turned out to be a long morning, and then it was over. That is what a plan buys you. Not a day without trouble, but a day you already know how to survive.
