The 2022 Air India breach exposed the data of 4.5 million passengers. The 2023 AIIMS ransomware attack disrupted patient care for weeks. In both cases, the absence of a comprehensive, tested incident response plan amplified the damage significantly. Organisations that have rehearsed their response are able to contain, eradicate, and recover from incidents faster and with substantially lower business impact.
The incident response lifecycle has six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Most organisations underinvest in preparation — the phase that determines how effective all subsequent phases will be.
Preparation includes assembling an incident response team with defined roles and contact information, establishing out-of-band communication channels (a Slack workspace or phone tree that operates independently of potentially compromised corporate infrastructure), documenting runbooks for the most likely incident types, and ensuring that logs and forensic data necessary for investigation are being collected and retained appropriately.
The incident response plan must define escalation criteria precisely. What constitutes a security event versus a security incident? What triggers executive notification? What triggers public disclosure? Ambiguity on these questions under the stress of an active incident leads to delayed decisions and compounded damage.
Tabletop exercises — structured simulations where the response team walks through a realistic incident scenario — reveal gaps in plans and communication before a real incident does. A ransomware tabletop that exposes an undocumented dependency on an encrypted backup system is an invaluable finding. Run tabletop exercises at least annually and update plans based on what you learn.
Business continuity and disaster recovery plans must be integrated with the incident response plan. The questions — "which systems are critical to business operations?", "what are our recovery time objectives?", "who authorises production system shutdown?" — should be answered in advance, not in the middle of a crisis.
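The escalation criteria called for above (event versus incident, what pages executives, what triggers disclosure review, who authorises a critical-system shutdown) can be written down as code and exercised against tabletop scenarios so that ambiguity is found before an incident. The following is an added example, not from the article; the thresholds, field names and scenarios are constructed assumptions that an organisation would replace with the values from its own plan.

```python
from dataclasses import dataclass, field

# Constructed thresholds (assumptions for this example, not the article's values).
EXEC_NOTIFY_SEVERITY = 3            # severity at or above which executives are paged
DISCLOSURE_RECORD_THRESHOLD = 500   # exposed personal records that trigger disclosure review

@dataclass
class SecurityEvent:
    source: str                      # e.g. "edr", "siem", "user_report"
    confirmed_compromise: bool       # analyst verified unauthorised access or impact
    affected_hosts: int
    personal_records_exposed: int    # 0 if no personal data is involved
    critical_system: bool            # appears on the BC/DR critical-system list
    ransomware: bool = False

@dataclass
class Escalation:
    classification: str              # "event" or "incident"
    severity: int                    # 0 (noise) .. 4 (crisis)
    notify_executives: bool
    disclosure_review: bool
    actions: list = field(default_factory=list)

def classify(ev: SecurityEvent) -> Escalation:
    """Apply the plan's escalation criteria to one reported event, deterministically."""
    if not ev.confirmed_compromise:
        return Escalation("event", 0, False, False, ["triage", "log for trend analysis"])
    sev = 1
    if ev.affected_hosts > 1:
        sev = 2
    if ev.critical_system:
        sev = max(sev, 3)
    if ev.personal_records_exposed >= DISCLOSURE_RECORD_THRESHOLD:
        sev = max(sev, 3)
    if ev.ransomware or ev.affected_hosts >= 50:
        sev = 4
    actions = ["open incident ticket", "start containment runbook"]
    if ev.critical_system:
        actions.append("get shutdown authorisation from the named system owner")
    esc = Escalation("incident", sev, sev >= EXEC_NOTIFY_SEVERITY,
                     ev.personal_records_exposed >= DISCLOSURE_RECORD_THRESHOLD, actions)
    if esc.disclosure_review:
        actions.append("engage legal to assess disclosure obligations")
    if esc.notify_executives:
        actions.append("page executive on-call via the out-of-band channel")
    return esc

# Constructed tabletop scenarios used to check that the criteria give one unambiguous answer.
SCENARIOS = {
    "phishing_reported": SecurityEvent("user_report", False, 1, 0, False),
    "single_workstation_malware": SecurityEvent("edr", True, 1, 0, False),
    "hospital_ransomware": SecurityEvent("siem", True, 120, 0, True, ransomware=True),
    "passenger_db_exfil": SecurityEvent("siem", True, 2, 4_500_000, True),
}
```

Running each tabletop scenario through `classify` and reviewing the resulting actions with the response team is a cheap way to surface the undocumented decisions the article warns about.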
