What are the Critical Incident Response Phases?


At some point in the life of your organization, you’re likely to come face to face with a security incident. Cybercriminals might gain access to your company data or a colleague could lose a laptop containing sensitive customer information. 

When this happens, it is vital to observe the correct incident response phases: procedural tools you can use to identify the problem, minimize your losses, and correct any security deficits as rapidly as possible. 

In this post, we explain what these phases are and how you can deploy them in your organization. 

What is Incident Response?

Incident response is a procedure designed to limit the damage from an adverse cybersecurity event and allow you to recover rapidly in terms of both time and cost.

The response involves detecting threats, prioritizing issues, and taking steps to prevent similar cybersecurity events from occurring in the future. Organizations able to issue quick responses can reduce the attack’s damage, protect their customer data and intellectual property, and reduce downtime. 

The need for comprehensive incident response is borne out by the statistics. Data show that: 

  • The average small business spends more than $955,000 in the aftermath of a successful cyberattack
  • Most small enterprises experience more than eight hours of downtime per attack
  • Last year, there was a 424 percent increase in small business cybersecurity breaches

What are the benefits of a Critical Incident Response plan?

In an ideal world, you would invest your resources mitigating all the risks that you face. But time and money are limited. So if you’re going to invest in a project, you need to know the benefits to assess whether it is worthwhile. 

A critical incident response offers a good cost-benefit ratio for the following reasons: 

  • Enhanced compliance: Incident response plans can help you stop data breaches that are already underway and prevent them from recurring in the future, allowing you to remain compliant. Currently, many organizations – especially in finance and healthcare – have to follow a set of strict data protection procedures. If they don’t, they could be subject to fines and lawsuits. 
  • Reduced downtime: According to a 2016 study, downtime costs the average US business more than $260,000 per hour. Having a critical incident response plan in place, therefore, allows you to get the jump on your network issues and resolve them before you incur additional revenue loss. 
  • Data protection: Intellectual property is at the core of your business and something you need to protect to remain competitive. Having a critical incident response procedure in place allows you to keep proprietary information safe and shields you against both internal and external threats to your organization. 

What are the phases of incident response for a security attack?

Professionals break down critical incident responses into six distinct phases to ensure that you cover all bases in the correct order. So what are these phases? 


Preparation

Step one is preparation and involves preparing your team for the types of cyberattacks and incidents that you are likely to face. During this stage, you should define what counts as an “incident” and produce a step-by-step procedure for how to deal with one. 

Most companies begin by setting out acceptable uses of company data and penalties for not complying with internal policy. They then create a document describing how members of the team should handle breaches, communicate externally during a threat, and create records. 


Identification

The next step is to identify the nature of the incident. Enterprises have multiple tools available to achieve this, including: 

  • Gathering data from monitoring tools (either internal or third-party)
  • Staying up to date with the latest cybersecurity news (such as the advent of a new kind of malware)
  • Observing malicious activity on the network (such as deliberate employee sabotage)
  • Using insider information to identify potential breaches (such as vulnerabilities in internally-developed software code)

Identification involves categorizing incidents as either malicious or unintended. In many cases, employees and other network users will unintentionally generate a breach, but sometimes they’ll do it deliberately. Part of your response, therefore, is to figure out whether acts are intentional or not. What you discover will shape the kind of response you mount.


Containment

“Containment” is a term cybersecurity professionals use to describe the process of preventing additional damage following a critical incident. It is often possible to limit the damage of a breach by preventing data leakage or catching perpetrators in the act. 

Containment breaks down into two categories: short and long-term. 

Short-term containment involves all the things that you can do right now to stop the damage and prevent escalation of costs. Strategies include: 

  • Quarantining any malware on your network
  • Ensuring that you’ve backed up any data that you’ve lost
  • Initiating two-factor authentication across your systems to prevent unauthorized password access on third-party machines
  • Changing all your access credentials
  • Disconnecting your systems from the internet
  • Applying new security updates and patches

Long-term containment involves finding ways to eliminate the vulnerabilities that permitted the incident in the first place (such as backdoor exploits). Experts on your IT team (or from external agencies) should delve deeply to discover precisely what happened. At the end of the process, they should be able to tell a story about why your current security setup failed to protect you. 

Incident Removal

Stage four is “incident removal.” It involves identifying the compromised system, removing it, and trying to understand the root cause of the incident. 

Organizations can either use their internal resources or use third-party experts to complete this stage for them. 

This phase includes: 

  • Removing malware and ensuring that no malicious software remains on your network that could potentially leak additional data
  • Ensuring you apply all necessary patches and updates
  • Ensuring that your team receives further education on how to prevent security breaches and either disciplining or dismissing colleagues who deliberately sabotage your systems
  • Re-imaging systems to restore them to a previous configuration. 


Recovery

The recovery phase is all about returning your systems to normal with new security measures in place. Usually, at this stage, you’ll change permissions and update all your account passwords. You may also wish to implement two-factor authentication and even VPNs to make it more difficult for hackers to target you. 

Recovery also requires evaluating the tools that you currently use to monitor your network and asking whether they require upgrading. 

Lessons Learned

After recovery, the final phase of effective critical incident response is to learn lessons so that a similar breach doesn’t occur in the future. 

In this phase, you and your team should go through everything that happened during the incident and find out where you went wrong. How you respond depends on the nature of the breach and what you discovered during your investigation. 

For some enterprises, it will mean changing security software or improving network monitoring. For others, it will involve additional employee training or enhanced vetting processes. 

Try to get your entire team together to piece together what went wrong. Get as much feedback as possible about the process, such as what worked and what didn’t. And take a look at your current protocols and ask whether you could improve them. 

Why does remote working require more security?

Remote working is becoming more popular, but it also poses unique cybersecurity challenges for organizations. With more network-connected computers outside of the office, the likelihood of a security breach is going up. Enterprises have to deal with an exponential increase in the number of endpoints, and cybercriminals are looking for ways to exploit the current situation. 

Fortunately, there are several ways that organizations can bolster their security, even in the face of vastly different working arrangements. 

These include: 

  • Providing security-minded IT support over-the-phone to employees. Vigilant support can encourage employees to regularly change their passwords and ensure that their firewall and antivirus software is up to date. 
  • Ensuring that cloud-based communication channels are secure. Slack, WhatsApp, and Microsoft Teams are becoming more popular in business settings. But unfortunately, they’re an opportunity for hackers. Companies need to take full control of these platforms and ensure that they monitor who is in their groups. Anyone who shouldn’t be there needs to be removed. 
  • Regulating how employees can use their private devices (and which network resources they can access). Employees, for instance, might save sensitive work to their personal hard drives or send critical information via their personal email. Company policies should make it clear that this isn’t allowed. 
  • Setting up VPNs to hide colleague web and app activity. Virtual private networks foster “end to end” data encryption, making it more difficult for hackers to intercept company data. 


Critical incident response is a tool that your organization can use to reduce the cost of an ongoing breach and reduce the likelihood of another one occurring in the future. The phases provide a comprehensive protocol that you can use to bolster your defenses. 
