Breaking News:
Education

Why incident response is a business priority

By Graham Regan, HLB Mann Judd Sydney

It’s early on a Saturday when your phone starts ringing. Not a text. Not an email. A phone call – the kind that rarely brings good news.

A staff member sounds panicked. They can’t access their files, email isn’t working, and a payment demand has appeared on their screen. This won’t fix itself before Monday.

You sit up and ask the only questions that matter: Who else knows? What do we shut down? Who do we tell?

In that moment, technical details matter far less than clear decision-making. The real issue isn’t just that systems are down; it’s that your business has no script, no clear leader, no agreed process and no shared understanding of what happens next.

That is exactly the moment an Incident Response Plan is built for.

What is an Incident Response Plan?

Many Australian businesses only think about cyber incidents once something has already gone wrong. An email account is compromised. Files become inaccessible. Customer information is sent to the wrong person.

The real problem isn’t just the incident itself – it’s the uncertainty that follows.

Who is in charge? What should be shut down? Who needs to be told? How serious is it?

An Incident Response Plan (IRP) exists to remove that uncertainty. It is not simply an IT document; it is a business tool that guides an organisation through digital disruptions that can affect operations, trust and compliance.

Just as a fire evacuation plan prepares staff for a physical emergency, an IRP prepares them for a digital one.

The power of responsibility

A strong IRP begins with clarity. When something goes wrong, there should be no hesitation about who leads and who supports. Senior management should be involved from the outset.

A plan should clearly identify:

  • who makes decisions
  • who communicates with staff and customers
  • who manages external parties such as insurers, legal advisers and regulators

Without this structure, businesses can lose valuable time simply working out who is meant to act.

What is an incident?

An IRP should define what counts as an incident. Some events require immediate escalation, including:

  • unauthorised access to systems
  • suspicious or unusual account activity
  • theft or loss of devices containing business information
  • accidental disclosure of customer data

By clearly outlining these triggers, and training staff on why they matter, organisations help employees understand when something must be escalated rather than quietly worked around.

Where do you start when something goes wrong?

In the first critical moments, the priority is not technical fixes but regaining control. A well-designed IRP should guide a team to:

  • preserve key information
  • contain the issue
  • alert the right decision-makers quickly

Many organisations unintentionally make incidents worse through rushed or uncoordinated actions. Others delay, hoping the problem will resolve itself. Both responses increase risk.

A written plan replaces guesswork with a clear process, and that sense of control can make a significant difference.

The importance of communication

Communication is where many businesses stumble. An IRP should specify how staff report concerns and who is authorised to speak externally. Templates and scripts help maintain consistency.

It should also outline what to do if primary communication channels are unavailable. If Outlook, Teams or other core systems go down, pre-agreed alternatives – phone trees, backup platforms or offline contact lists – help keep the response coordinated.

Clear communication reduces confusion, limits misinformation and protects reputation. The goal is calm, consistent messaging from a single trusted source.

Mandatory reporting

For Australian businesses, legal and regulatory responsibilities are as important as the technical response. If personal or client information is involved, there may be obligations to notify insurers, customers or government bodies.

An IRP does not need to include detailed legal guidance, but it should clearly state when professional advice must be sought and when escalation is required.

Including key contact points – insurers, legal advisers, cyber partners and regulators – ensures teams can act quickly and confidently when needed.

Getting the lights back on

Recovery isn’t just about restoring systems. A strong IRP guides a safe, staged return to normal operations and requires a structured review once the incident has passed.

Every incident is an opportunity to learn. Weaknesses can be identified, controls strengthened, and staff awareness improved. Without this step, organisations often repeat the same mistakes.

For major incidents, clearly defined escalation points within the IRP allow decisions to be made quickly when pressure is highest.

Testing times

One of the most important and most neglected parts of an Incident Response Plan is testing it. A plan that has never been tested is little more than a theory.

Testing does not mean trying to break your own systems. It means gathering the right people, walking through realistic scenarios and asking: What would we do?

For example:

  • What happens if customer records are exposed tomorrow?
  • What if your email system becomes unavailable without warning?

These exercises quickly reveal whether contact details are accurate, whether roles are understood and whether decisions can be made quickly enough. More importantly, they highlight practical improvements that can be made before a real incident occurs.

Testing also builds confidence. Staff become familiar with their responsibilities, and leaders gain assurance that the business can respond in an organised and disciplined way. It is always better to discover gaps in a planned exercise than during a real incident with customers waiting and systems down.

Why it matters for businesses

For small and medium-sized businesses, the impact of an incident can be particularly severe. There are fewer people, less spare capacity and a smaller financial buffer. Downtime affects revenue quickly, and reputational damage is harder to absorb.

An IRP will not prevent incidents, but it dramatically improves how they are managed.

Putting it all together

An Incident Response Plan is not about technology alone. It is about leadership, communication and clear decision-making under pressure. It is a core component of modern risk management.

If your business relies on systems, email or customer data, an IRP is no longer optional. And if you already have one, the real question is simple: has it been tested?

Because when a real incident happens, the quality of the response will matter far more than the cause of the problem.


Graham Regan is head of technology and security at HLB Mann Judd. He joined the firm in 2014 and has over 25 years experience in the IT sector. He holds a bachelor of Laws from the University of New England and a master of business administration from the Swinburne University of Technology. Visit their website HERE