It's 6:47 AM on a Tuesday. Your office manager arrives early and discovers that every computer in the building displays a red lock screen demanding $250,000 in Bitcoin. Your phones are ringing — patients, clients, and partners can't access their accounts. Employees are panicking. The local news has already picked up the story. What do you do in the next 60 minutes?
If you don't know the answer to that question, you're not alone. According to IBM's 2025 Cyber Resilience Report, 77% of organizations don't have a formal, tested incident response plan. For small and mid-size businesses in the Tri-Cities — where IT teams are lean and cybersecurity budgets are tight — the number is likely even higher. And what happens in those first critical minutes after a breach is discovered determines whether the incident costs your business thousands of dollars or millions.
What Is an Incident Response Plan?
A cyber incident response plan (IRP) is a documented, pre-approved set of procedures that tells your organization exactly what to do when a security incident occurs. It's the cybersecurity equivalent of a fire evacuation plan — you need it written down, practiced, and accessible before the emergency happens, because no one thinks clearly in the middle of a crisis.
The gold standard for incident response follows the NIST framework, which breaks the process into six phases:
1. Preparation
This is everything you do before an incident occurs: deploying security tools, training staff, establishing communication channels, identifying critical assets, and documenting procedures. Preparation is the most important phase because it determines how effectively you execute every subsequent step.
2. Identification
Detecting that an incident is actually occurring and determining its scope. Is this a single compromised workstation, a ransomware outbreak across the network, or a data exfiltration in progress? Accurate identification requires functioning monitoring tools, trained analysts, and clear escalation criteria.
3. Containment
Stopping the incident from spreading while preserving evidence. Short-term containment might mean isolating infected systems from the network. Long-term containment involves implementing temporary fixes that allow business operations to continue while the threat is addressed. This is where most unprepared organizations make critical mistakes — either acting too slowly (allowing the attack to spread) or too aggressively (destroying forensic evidence).
4. Eradication
Removing the threat completely from your environment. This means identifying every compromised system, eliminating malware, closing the vulnerability that allowed initial access, and resetting all potentially affected credentials. Incomplete eradication is the number one reason organizations experience repeat incidents.
5. Recovery
Restoring systems to normal operations from clean backups, verifying that the threat has been fully eliminated, and monitoring closely for any signs of reinfection. Recovery must be methodical — rushing to bring systems online before eradication is complete can reintroduce the threat.
6. Lessons Learned
Conducting a thorough post-incident review within 72 hours to document what happened, what worked, what didn't, and what changes are needed. This phase is frequently skipped under pressure to "move on," but it's essential for preventing future incidents and improving response capabilities.
Don't Have a Plan Yet?
Blue Ridge Security builds custom incident response plans for Tri-Cities businesses. We'll help you prepare before the crisis hits.
Why Generic Templates Don't Work
There are hundreds of free incident response plan templates available online. While they're useful as starting points, a template downloaded from the internet won't save your business when a real incident occurs. Here's why:
Your IRP must be specific to your business. It needs to name actual people, not generic roles. It needs phone numbers, not placeholders. It needs to account for your particular systems, your particular data, your particular regulatory obligations, and your particular business relationships. A manufacturing company in Kingsport has different critical assets, different compliance requirements, and different stakeholders than a dental practice in Johnson City or a law firm in Bristol.
A plan that says "contact the IT security team" is useless at 3 AM when you need to know that you should call Mike's cell phone at (423) 555-0147 and that the backup encryption keys are in the fire safe in the server room.
Key Roles Your Plan Must Define
Every incident response plan needs clearly assigned roles with contact information for primary and backup personnel:
- Incident Commander: The person who makes tactical decisions during the incident. This is usually the IT director or CISO, but for smaller organizations it might be the owner or a designated manager. This person has the authority to shut down systems, approve expenditures, and escalate to law enforcement.
- Communications Lead: Who talks to customers, employees, media, and regulatory bodies. In a crisis, uncoordinated communications create confusion and legal liability. One person should control the message.
- Legal Counsel: Your attorney (ideally one with cybersecurity experience) should be on speed dial. They'll advise on breach notification obligations, evidence preservation, regulatory reporting, and privilege protections for forensic investigations.
- Technical Lead: The person or team responsible for hands-on containment, eradication, and recovery. For many Tri-Cities businesses, this is their managed IT provider or cybersecurity partner.
- Law Enforcement Liaison: The designated contact for reporting the incident to appropriate authorities. This should not be ad hoc — your plan should include specific contact information.
Tri-Cities-Specific Considerations
Your incident response plan should account for local resources and requirements that are specific to operating in Northeast Tennessee:
Law enforcement contacts: The FBI's Knoxville Field Office handles federal cyber crime investigations in our region. The Tennessee Bureau of Investigation (TBI) Cyber Crimes Unit investigates state-level offenses. Your local police department should also be notified for incidents involving threats, extortion, or physical security concerns. Build these contacts — with direct phone numbers, not main switchboards — into your plan before you need them.
Tennessee breach notification requirements: Tennessee Code Annotated § 47-18-2107 requires businesses to notify affected residents "in the most expedient time possible and without unreasonable delay" following a breach of personal information. If more than 1,000 residents are affected, you must also notify all three major credit reporting agencies. Healthcare organizations have additional HIPAA breach notification obligations with strict 60-day timelines. Your plan must include templates and procedures for these notifications.
Regional interdependencies: Many Tri-Cities businesses share vendors, service providers, and even physical infrastructure. A breach at one organization can cascade through supply chain relationships. Your plan should identify critical vendor contacts and include procedures for notifying and coordinating with business partners.
Tabletop Exercises: Practice Before the Real Thing
A plan that lives in a binder on a shelf is only marginally better than no plan at all. Tabletop exercises are facilitated walkthroughs where your team practices responding to simulated scenarios. The facilitator presents a realistic attack scenario, and participants work through their response step by step, identifying gaps, confusion, and communication breakdowns in a low-pressure environment.
We recommend conducting tabletop exercises at least twice per year, with scenarios tailored to the threats most relevant to your industry. A ransomware scenario for a healthcare practice. A data theft scenario for a manufacturing company. A business email compromise scenario for a financial services firm. Each exercise should end with documented findings and a commitment to address identified gaps before the next exercise.
Common Mistakes That Make Incidents Worse
Through our work with Tri-Cities businesses, we've seen the same critical mistakes repeated:
- No offline copies of the plan: If your incident response plan is stored on the same network that just got encrypted by ransomware, you don't have a plan. Print physical copies and store them in a known location.
- Missing vendor contacts: Your plan needs current contact information for your internet provider, cloud hosting vendor, cyber insurance carrier, forensics firm, and legal counsel. During an incident, discovering that your insurance carrier's claims number has changed wastes critical hours.
- Untested backups: "We have backups" is not a recovery strategy. When was the last time you actually restored a full system from backup and verified it works? Organizations routinely discover during an incident that their backups are corrupted, incomplete, or encrypted by the same ransomware that hit production systems.
- No communication plan: Employees start posting about the incident on social media. Customers hear about the breach from a competitor. The local news calls and no one knows what to say. Every incident response plan needs a crisis communications component.
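As an added illustration of the "untested backups" point above (example code written for this page, not from the original article or from Blue Ridge Security): a small restore-verification routine that records a SHA-256 manifest of production files when the backup is taken, then checks a restored copy against that manifest and reports files that are missing or whose contents no longer match. All paths and file contents are constructed for the demo.

```python
"""Backup restore verification: compare a restored tree against a manifest of
SHA-256 hashes captured when the backup was taken. Constructed example."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under `root`, keyed by POSIX-style relative path."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Classify each manifest entry after a test restore as ok, missing or corrupted.
    A file whose hash differs from the manifest is reported as corrupted whether the
    cause is a truncated copy or a backup set encrypted by the same ransomware."""
    result = {"ok": [], "missing": [], "corrupted": []}
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: one intact file, one encrypted in place, one never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "production"
        dst = Path(tmp) / "restored"
        for d in (src, dst):
            (d / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"2025-01-01,invoice,1200\n")
        (src / "finance" / "payroll.csv").write_bytes(b"alice,4200\n")
        (src / "notes.txt").write_bytes(b"call the insurance claims line first\n")
        manifest = build_manifest(src)  # taken at backup time, stored separately
        # Simulated restore: ledger intact, payroll overwritten with ciphertext-like
        # bytes (constructed), notes.txt absent from the restored set entirely.
        (dst / "finance" / "ledger.csv").write_bytes(b"2025-01-01,invoice,1200\n")
        (dst / "finance" / "payroll.csv").write_bytes(b"\x8f\x11\x02\xbe\x77\x40\x19\xa3")
        return verify_restore(dst, manifest)
```

Run the same check against a real test restore on a schedule, not only during an incident; a manifest kept on the same network as the backups is subject to the same ransomware.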
The Cost of Not Having a Plan
IBM's research consistently shows that organizations with a tested incident response plan reduce breach costs by an average of $2.66 million compared to those without one. They also contain breaches 54 days faster. For a Tri-Cities small business, the difference between a $50,000 incident and a $500,000 catastrophe often comes down to whether someone had thought through the response before it was needed.
Beyond direct costs, the regulatory consequences are real. HIPAA, PCI DSS, and Tennessee state law all impose more severe penalties on organizations that demonstrate negligent preparation. Having no incident response plan is itself a compliance violation under multiple frameworks.
Build Your Plan with Blue Ridge Security
At Blue Ridge Security, we help businesses across Johnson City, Kingsport, Bristol, and the surrounding Tri-Cities region build, test, and maintain incident response plans that actually work when it matters. Our process starts with understanding your specific business, identifying your critical assets and regulatory obligations, and then building a customized plan with named personnel, tested procedures, and local contacts.
We conduct tabletop exercises tailored to your industry, provide ongoing plan maintenance as your business evolves, and offer 24/7 incident response support through our Security Support Contract so you're never facing a breach alone.
The best time to build an incident response plan was yesterday. The second best time is today. Contact Blue Ridge Security to get started.