
Often, when a cyber incident occurs, the response is ad hoc—a reactive, seat‑of‑the‑pants scramble. After all, every incident is different, so how can you plan for what you don’t know?
But just as every building fire is different, there are still universal responses—like exiting the building safely—that are broadly understood. The same principle applies to cyberattacks. The role of the MSP is to help customers understand what a right‑sized incident response (IR) plan looks like, especially for small and midsize businesses (SMBs).
The cost of not being prepared
The data makes the risk clear. According to a 2025 Guardz report, only 34 percent of SMB owners have a formal incident response plan developed with a cybersecurity professional—and among those that do, 80 percent were able to avoid major damage during an attack.
IBM data further reinforces the value of preparedness. Organizations without a formal incident response plan face an average breach lifecycle of 258 days, compared to 189 days for those with a plan in place. A tested incident response plan also reduces breach costs by an average of 232,000 dollars.
Why incidents spiral—and how MSPs can prevent it
“I’ve been in cybersecurity long enough—since 2006—to know most incidents don’t spiral because the attacker was brilliant,” said Rudy Ricci, Vice President of Global Sales at Binalyze. “They spiral because the response is slow, unclear, or improvised. That’s especially true in SMB environments.”
According to Ricci, a right‑sized incident response plan isn’t a scaled‑down enterprise playbook—it’s one that works in real time.
“People know their role, decisions don’t require debate, and there’s no delay figuring out what happens next,” Ricci said. What often gets overlooked, he added, is that effective response depends on visibility.
“If you can’t quickly understand what’s happening across endpoints, you’re guessing—and that’s where time is lost. The longer it takes to get answers, the harder containment becomes.”
Ricci emphasized that the first 30 minutes are critical.
“If a team can quickly establish ownership, isolate affected systems, and understand the scope of impact, they’re already ahead of where most organizations are when an incident starts,” he said, pointing out that MSPs are uniquely positioned to make this happen.
“The real value isn’t just in deploying tools—it’s in making response faster, more predictable, and something customers can rely on when things get messy.”
Four non‑negotiables for SMB incident response
Jordan Blake, Director of Communications and Operations at Shoreline Public Adjusters, LLC—a firm that represents policyholders (not insurers) in complex insurance claims, including cyber losses—said a right‑sized IR plan for SMBs comes down to four essentials.
1. Know your crown jewels
“Before you can even start to respond to a breach, you need an up‑to‑date asset inventory,” Blake said. That inventory should include what data the business holds, where it lives, and who has access to it.
“Most SMBs skip this step and pay for it later,” he added.
2. Define roles before the crisis
“Incident response events are typically chaotic—and that only gets worse when ownership isn’t clearly defined,” Blake said. Even a ten‑person company, he noted, needs a documented answer for who makes decisions, who calls legal counsel, and who contacts the insurer—typically in that order.
3. Prepare communications in advance
“Customers, regulators, and cyber insurers all have defined notification timelines, which can vary by state or country,” Blake said. Drafting those messages during an active incident is how deadlines get missed and coverage is jeopardized.
4. Test the plan at least once a year
Having a plan that’s never been tested can be just as risky as having no plan at all, Blake said.
“A tabletop exercise doesn’t require a big budget. Walk through a ransomware scenario with all relevant stakeholders, including the MSP and leadership,” he explained. The goal isn’t perfection—it’s identifying gaps before they show up at two a.m. in the middle of a real incident.
“The cold reality is that most SMBs have cyber insurance but no incident response plan,” Blake said. “That’s like having car insurance with no idea how to pull over safely. MSPs are in the best position to close that gap before an event or a claim—not after.”
Keep it simple—and make it work under pressure
Himanshu Agarwal, co‑founder of IT consultancy Zenius Ventures, said he often sees small businesses adopt overly rigid rulebooks during security incidents.
“But that approach can add pressure and make procedures harder to follow in high‑stress moments,” Agarwal said. SMBs don’t need enterprise‑grade playbooks; they need simplicity.
That simplicity allows teams to focus on what matters most: clear response ownership, a first‑steps checklist, and isolating sensitive systems.
“When plans are easier to understand, employees act faster,” Agarwal said. As businesses grow, they can expand their incident response plans to include additional contacts and processes—but starting simple is what makes the plan usable when it matters most.
This post originally appeared on Smarter MSP.

