
Security Gaps Deep Dive #4: If Incident Response Exists... But Only in People's Heads

April 16, 2026 in News by Apex Computing

Most SMEs have a rough idea of what they’d do if something serious happened. Someone would call IT. Systems would be checked. Backups would be mentioned. The cyber insurer might come into the conversation. On the surface, that can feel reassuring. The problem is that a real incident never arrives as a calm discussion. It arrives with uncertainty, pressure and incomplete information, often when people are already busy. Without a simple written plan, businesses lose time and make avoidable mistakes just when speed matters most.

The scale of that gap is bigger than many businesses realise. The UK Government’s Cyber Security Breaches Survey 2025 found that 43% of businesses identified a cyber security breach or attack in the previous 12 months. Yet only 23% had a formal incident response plan in place, and only 32% had a business continuity plan that covered cyber security. In other words, a large number of businesses are facing real cyber incidents without a clear, documented framework for how to respond.

That matters because the first hour of an incident is usually where the most expensive confusion happens. Who makes the call to isolate systems? Who speaks to your IT provider or security partner? Who contacts the insurer? Who decides whether customers need to be informed? What happens if email is part of the problem and your normal communication channel is unavailable? If those answers depend on the right people being reachable, remembering what to do, and agreeing it under pressure, the business is already behind.

That’s why a good incident response plan for an SME should be practical rather than impressive. It doesn’t need to be a 40-page policy document full of jargon and governance language. It needs to be something people can actually use on a bad day. In most businesses, that means a short first-hour plan covering who makes decisions, who can authorise action, who needs to be informed, where key contact details live, and what the immediate priorities are if core tools are unavailable.

There’s also a difference between technical response and business response, and SMEs need both. A provider may be able to isolate a machine, investigate a firewall issue or restore access to systems, but leadership still needs to make decisions about operations, customer communication and business continuity. That’s where many organisations discover they don’t really have a plan at all. They have a technical assumption. A proper response plan joins those things together so the business is not trying to invent responsibilities while the situation is unfolding.

The value of this kind of planning isn’t only in major worst-case scenarios like ransomware. It’s just as useful for the smaller incidents that still disrupt the working day: a failed firewall update, a locked-out user with critical access, a suspicious login, or a service outage that leaves teams unsure what to do next. A written plan reduces hesitation. It gives people confidence. It turns the response from “let’s work this out” into “we know the first steps, and we know who owns them”. That clarity is often what stops a difficult situation becoming a chaotic one.

Here’s an example of how that looks in action.

For SMEs, this is one of the most useful areas to strengthen because the improvement doesn’t have to be complicated. A short, sensible plan can make a significant difference. It can set out who is responsible, how the business communicates if core systems are affected, what gets prioritised first, and where essential information is stored if normal tools are unavailable. It can also be reviewed periodically so it still reflects the way the business actually works now, rather than how it worked two years ago.

If your current incident response plan still lives mainly in people’s heads, there’s a good chance it won’t hold up as well as you hope under pressure. Apex Computing can help you build a practical plan you could genuinely follow, not a document that looks good in a folder and never gets used. If you want a clearer first-hour response and better business continuity when something goes wrong, talk to us about our Business Continuity services and independent playbook support. That’s the real goal here: less improvisation, faster decisions and a business that knows what to do when it matters most.


Apex Computing

At Apex Computing Services, we’ve been growing with our customers since 2003 and now have a team of 20 highly professional and experienced technical engineers covering all aspects of IT Support, Cloud Solutions, IT Infrastructure, Business Continuity, compliance towards GDPR and Cyber Security.