The 30-minute incident-response readiness check
You don't need a tabletop to find your biggest gaps. Five honest questions will do it — and most small businesses fail at least one.
When a cyber incident hits, the difference between a contained problem and a catastrophe is usually decided in the first hour — long before any expert arrives. That hour goes badly when no one knows who's in charge, who to call, or whether the backups work. The good news: you can find your worst gaps right now, without a formal exercise. Sit down with whoever runs your business and answer these five questions honestly.
1. Who's in charge in the first hour?
If you discovered ransomware on a Saturday morning, who makes the call to shut systems down, who talks to staff, who decides whether to bring in outside help? If the answer is "we'd figure it out," that's the gap. Name a single decision-maker and a backup, in writing, before you need them.
2. Who do you call — and is the list reachable offline?
Your IT provider or MSP, your cyber-insurance carrier (if you have one), your bank, your lawyer, and key staff. Now the catch: if that contact list lives only in the email or systems that just got encrypted, you can't reach it. Keep a printed or offline copy.
An incident-response plan that's saved on the network the attacker just locked is no plan at all. The first test of any plan is whether you can open it during the incident.
3. Could you actually restore from backup?
Not "do we have backups" — "have we restored from them, recently, and did it work?" If you've never tested a restore, you don't know whether your backups are complete, current, or even reachable by the attacker. Assume nothing until you've proven it.
4. Do you know what data you hold, and where?
If customer or employee personal data is exposed, you may have legal notification obligations — and you can't notify anyone if you don't know what was taken or where it lived. A basic inventory of your sensitive data, and where it sits, is the foundation for every decision after a breach.
5. Does your team know how to report something?
Most incidents are first noticed by an ordinary employee — a weird email, a locked file, a vendor acting strangely. If they don't know how to raise it fast, or fear getting blamed, you lose your earliest warning. Make reporting one obvious step, and make it blameless.
Any "no" or "not sure" is a gap worth closing now, while it's cheap. The fixes — a one-page plan, an offline contact list, a tested restore, a data inventory, and a simple reporting path — are inexpensive compared to learning them mid-crisis.
Turn the gaps into a plan
Securidigm builds a right-sized incident-response plan, tests your recovery, and can run a tabletop so your team has rehearsed the real thing before it happens.
Securidigm provides advisory cybersecurity services and prepares draft documents. It does not provide an audit, a certification, or legal advice. This article is general information, not advice for your situation, and no outcome is guaranteed.