
Why Your Organization Needs a Cybersecurity Incident Response Plan (And What to Include)

Your website goes down at 2 PM on a Tuesday. Your communications director — who also manages IT because everyone wears many hats in your organization — assumes you’re under attack. Hours pass as you scramble to figure out who to call and what to do.

Here’s the plot twist: Your domain expired because Google transferred its services to Squarespace, and the billing notifications went to a former employee’s inbox, which nobody was monitoring. What looked like a cyberattack was actually an administrative oversight that could have been resolved in minutes. 

This scenario highlights a critical truth: every organization faces the threat of cybersecurity incidents—regardless of size, mission, or profile. The question isn’t whether your organization is a target for bad actors. It’s whether you’ll be ready with the right plan in place when an incident happens.

What organizations run the highest risk of a cybersecurity breach?

You might think cybercriminals only focus on big corporations or high-profile organizations, but that’s not an accurate picture of the security landscape. Most incidents are financially motivated, and any legal entity with digital assets can be a target. Your 501(c)(3) status or comparatively low profile doesn’t protect you from cyberattacks.

Typical cybercriminals aren’t necessarily after your organization specifically; they’re after any organization that might pay a ransom, have valuable donor data to exploit, or provide access to financial systems. If your organization has ever published information about receiving a grant, or if funders have listed you as a grantee, you’ve likely appeared on some bad actor’s list. 

The reality is sobering: the technically adept staffer who handles IT as well as their daily responsibilities doesn’t have the time to identify and handle a security incident. When a sinking feeling hits because someone clicked on the wrong link or gave their password to a suspicious site, you need more than good intentions to protect your organization. You need a plan.

Building your incident response foundation

Creating an effective incident response plan starts with mapping your vulnerabilities and potential incidents. Different types of incidents require different expertise and points of contact to resolve. 

Your most critical first step in developing an incident response plan is defining who owns specific issues if they arise. The person on your team who has admin access for your website may not be the same person who should investigate a security alert from Google.

If your organization relies on third-party vendors or internal team members to manage your digital infrastructure, you need to ensure it’s in their job description to check these alerts. Just as importantly, they need to be properly resourced to fulfill these duties. Staff at smaller nonprofits or companies often wear many hats, and you need to ensure these points of contact know enough about the platform to start putting the puzzle pieces together in resolving an incident. 

The domain expiration scenario described above demonstrates how expertise matters during a crisis. We don’t manage websites for clients, but when a site goes down, we know from experience to look up a domain on ICANN and check if it’s expired. If it has, that kicks off an investigation into a potential billing issue and not a DDoS attack.
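The expiry check described above, as an added example that is not part of the original post: it reads a domain's registration record in RDAP JSON, the format ICANN's lookup tool presents, and classifies it before anyone assumes an attack. The sample record is constructed, the function names and the 30-day warning window are assumptions, and the check goes slightly beyond the post by also flagging registrar hold statuses.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed RDAP-style record for a placeholder domain (not real data).
SAMPLE_RDAP = json.loads("""
{
  "ldhName": "example.org",
  "status": ["client hold"],
  "events": [
    {"eventAction": "registration", "eventDate": "2015-03-02T10:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2024-06-01T10:00:00Z"}
  ]
}
""")

# RDAP status values that mean the domain has been, or is about to be,
# taken out of DNS by the registrar or registry.
HOLD_STATUSES = {"client hold", "server hold", "redemption period", "pending delete"}


def parse_rdap_date(value):
    # RDAP dates are RFC 3339; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_domain(rdap, now, warn_days=30):
    """Return (verdict, detail) for one RDAP domain record."""
    expiry = None
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            expiry = parse_rdap_date(event["eventDate"])
    held = sorted(HOLD_STATUSES & {s.lower() for s in rdap.get("status", [])})
    if expiry is None:
        return ("unknown", "no expiration event; ask the registrar")
    if expiry <= now:
        return ("expired", f"expired {expiry.date()}; holds: {held or 'none'}")
    if held:
        return ("on-hold", f"not expired, but status is {held}")
    if expiry - now <= timedelta(days=warn_days):
        return ("expiring-soon", f"expires {expiry.date()}; check billing contact")
    return ("ok", f"registered until {expiry.date()}; look elsewhere for the outage")


if __name__ == "__main__":
    outage_time = datetime(2024, 6, 15, 14, 0, tzinfo=timezone.utc)
    print(triage_domain(SAMPLE_RDAP, outage_time))
```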

When incidents do occur, you should start your investigation without assumptions. If you don’t know how to investigate or contain a problem, you need a documented process in place to call someone who does. 

Why speed is essential when addressing security incidents

For many security issues, a timely response makes all the difference. If someone on your team enters credentials on a phishing site and reports what happened immediately, you can secure their account before an attacker causes further damage. These quick responses can turn what could have been a major breach into a minor incident.

However, even when you can’t disrupt an incident immediately, early detection matters. Discovering a breach after 10 days versus 10 weeks gives attackers vastly different opportunities, and a later discovery increases the amount of time it takes just to identify everything the attacker has accessed and assess the damage they have caused.

The cascading effect of security incidents can be devastating. What starts as one person’s email account can spread to your organization’s data, then to your donor database, and eventually to your partners’ systems. However, with the help of specialized IT support, these issues can be resolved quickly and with minimal disruption to your operations.

Seven steps of a comprehensive incident response

Below, we’ve outlined the seven steps of our response plan to a security incident. With the right internal resources, your organization can at least reach the containment stage in Step 3, which is crucial to addressing the immediate threat.

1. Identification

The first step is simply a matter of someone recognizing a potential security issue. This might be an employee reporting a suspicious email, monitoring software detecting unusual activity, or service disruptions in your website or other tools.

2. Assessment

The individuals you’ve designated to respond to issues work to figure out what actually happened. This phase requires a systematic approach to problem-solving to avoid jumping to conclusions. 

3. Containment

Your team takes steps to ensure the incident doesn’t escalate. For example, if your administrator suspects the issue may be related to a specific Google account, they can reset the password and all login sessions.

4. Investigation

Designated specialists confirm the details of what happened and why. This phase typically requires specialized expertise most organizations lack internally.

5. Eradication

Your team completely removes the threat from your systems to avoid repeat incidents.

6. Recovery

Everyone returns to work with normal operations.

7. Lessons learned

Your team discusses and implements recommendations to prevent future incidents. This phase often reveals gaps in training, procedures, or technology while helping your organization to consistently improve.

The advantage of expertise beyond your internal team

While digital security incidents demand time and resources to investigate and resolve, you don’t have to face these challenges alone — even if you don’t have an IT or cybersecurity vendor partner. NGO-ISAC provides a community where cybersecurity professionals from nonprofits across the country share information and support each other. When you’re dealing with an unfamiliar incident, this community can provide guidance from peers who’ve faced similar challenges.

Cyber volunteer programs offer another layer of support. These programs connect organizations with cybersecurity professionals who donate their time to help nonprofits and advocacy groups. While availability and eligibility vary, and volunteer assistance may not be appropriate for all organizations, these resources could be worth exploring.

Preparation and experience pay dividends in cybersecurity

Every organization faces security risks, making your investment in preparation — identifying contacts, training staff, and establishing basic procedures — invaluable when incidents arise. You can’t prevent every security issue. But you can control how effectively you respond.

Proper preparation can mean the difference between an inconvenience and a major crisis. Working with an agency like Personified amplifies your internal capabilities: immediate response capacity and expert-level investigation and remediation when you need it most.

Working with our team provides your organization with professional cybersecurity support to transform your incident response capabilities.

The question isn’t whether your organization will face a cybersecurity incident. The question is whether you’ll be ready to respond effectively when it happens. Ready to make a plan? Let’s connect and talk about what’s next.

Currently dealing with a security incident?

And if you found this article because you’re dealing with an active incident, don’t wait to seek help. Reach out to Personified, even if you’re not sure about the scope or severity of your situation. Even if we can’t help, we can guide you to trusted experts who can.

