Years ago, the Canadian Centre for Cyber Security published guidance on how to build an incident response plan. A federal cyber certification program later went a step further and released a fillable template small businesses could adapt instead of starting from scratch.
Not exactly front-page news. But those two pieces of guidance have quietly become the backbone of what lawyers, insurers, and regulators expect when they ask, "So, what's your incident response plan?"
In other words, the bar has been publicly set for a while now.
What Is an Incident Response Plan, Really?
Forget the buzzwords. An incident response plan is a written set of steps your team follows when something bad happens to your systems or data.
The goal, as the Cyber Centre puts it, is simple: detect, respond, and recover as quickly as possible, while limiting damage.
You're not writing a novel. You're writing:
- Who does what
- In what order
- Who gets called
- What gets turned off
- How you talk to staff, customers, and maybe regulators
Legal and industry guidance for small organizations in Canada says some version of the same thing: have a plan, test it, update it.
Why "We'll Just Wing It" Is Not a Plan
When I talk to owners around Hamilton and Burlington, I often hear: "If something happens, we'd get our IT person in, restore from backup, and move on."
That works only if:
- You notice the incident in time
- You know which systems are hit
- You know which backups are clean
- Nobody is asking hard questions (insurer, big client, regulator)
StatCan's 2024 numbers showed 16% of Canadian businesses reported cyber incidents in 2023—and that's just the ones who noticed and admitted it.
Law firms and insurance advisors have been warning small organizations that showing up to a breach with no documented plan and no logs is a fast way to make a bad situation worse.
The Simple 6-Part Structure
Most reputable guidance lines up on six core stages:
- Prepare
- Identify
- Contain
- Eradicate
- Recover
- Learn
Let's map this to an SMB that lives somewhere between the Escarpment and the QEW.
1. Prepare
This is the work you do before anything breaks:
- Inventory key systems and data (servers, cloud apps, laptops)
- Set up basic logging (firewalls, email, critical apps)
- Make sure backups exist and have been tested
Decide who's on the incident team:
- Owner / GM
- IT or MSP
- Finance (if payments / fraud involved)
- HR / communications if staff or customers are affected
Write their names and contact details down. That's your "call list."
2. Identify
When something looks wrong—a ransomware note, unexpected mailbox rules, a bogus wire transfer—you need to answer:
- What happened?
- When did it start?
- Which systems are affected?
- Is it still ongoing?
Your plan should say:
- Who takes the first report (front desk? IT? manager?)
- Where they log it (simple incident log is fine)
- Who they must contact immediately
Federal and legal guidance stresses this early triage step because it drives everything that follows.
3. Contain
This is where you stop the bleeding.
Examples:
- Take affected machines off the network
- Disable compromised accounts
- Block malicious IPs or domains at the firewall or DNS level
- Shut down exposed services if they're being abused
Your plan should include:
- Clear authority: who's allowed to power things down or block traffic
- A reminder to preserve evidence where possible (don't wipe everything instantly if you might need forensic help later)
4. Eradicate
Once you've stopped the immediate damage:
- Remove malware
- Close the vulnerability (patch, configuration fix, password change)
- Check other systems for the same issue
If you work with an MSP, this is where they'll earn their keep. Make sure your plan spells out how and when you call them in.
5. Recover
Now you bring systems back, carefully:
- Restore from known-good backups
- Reconnect isolated machines
- Monitor for any signs the attacker is still around
Your plan should define:
- Which systems come back first (usually the ones that get you billing and payroll back online)
- Who signs off that it's safe to go live
- How you communicate status to staff and key customers
The Cyber Centre and various Canadian small-org guides stress that recovery is as much about communication and continuity as it is about technology.
6. Learn
After things are stable:
- Document what happened
- Identify root causes
Update:
- Your security controls
- Your backups
- Your training
- The plan itself
Many legal and insurance writeups now effectively treat this "lessons learned" stage as part of due diligence.
Use the Free Canadian Templates
Good news: you don't have to start with a blank page.
- The Cyber Centre has open guidance on incident response planning
- The CyberSecure Canada program hosts a fillable template and example plan oriented to smaller organizations
- Several Canadian law firms have published checklists tuned to small and medium organizations, including calls to build and test an incident response plan
Grab those, replace the generic pieces with your reality (Hamilton, Burlington, Oakville, Stoney Creek, your actual systems), and you're 80% of the way there.
How to Get This Done in 30–60 Days
Here's a realistic approach that won't eat your entire quarter.
Week 1–2:
Download a Canadian IRP template. Fill in:
- Contact list
- Critical systems list
- Your MSP and key vendors
- Your insurer / broker contact
Week 3–4:
Run a tabletop exercise:
- Pick a scenario (ransomware, payroll email hack, stolen laptop)
- Spend 60–90 minutes walking through "What would we do?" with the playbook
- Note gaps and confusion
Week 5–8:
Fix the obvious gaps:
- Update backup procedures
- Increase logging where it's missing
- Clarify who can make "shut it down" decisions
- Update the plan based on what you learned
Make it a habit to review the plan once a year—ideally after you read the latest Canadian threat assessments or hear about the next big incident that hits closer to home.
Because when that worst Monday finally arrives—and for some businesses it will—you don't want to be making it up as you go. You want a binder, a call list, and a team that's already walked through the play by play, at least once, while the coffee was still hot and nothing was on fire.
Build Your Incident Response Plan
CyberLeda can help you create and test a practical incident response plan for your Hamilton business.