Curbing Attacks Early: Creating an Incident Response Plan for Your SaaS Business - Ascent Conference

Curbing Attacks Early: Creating an Incident Response Plan for Your SaaS Business

We are officially in an era where hybrid work environments are the norm — workforces worldwide are collaborating from both at home and the office, using different devices across different networks. With this combined setup also comes an increased reliance on cloud-based platforms to make all processes as efficient and seamless as possible.

These developments further underscore the importance of concrete cybersecurity policies in SaaS businesses regardless of size, because when connectivity widens, the risk of attack increases correspondingly. In fact, a bill has recently been proposed in Congress aiming to bolster the resilience of U.S. cybersecurity infrastructure and gather information on cyber threats using data from incident response reports.  

Conducting a Cybersecurity Risk Assessment

Network protection will always remain challenging for even the best-resourced companies, but adopting a mitigation plan is a critical step that all companies should take. But before creating one, it is critical to first perform a cybersecurity risk assessment:

  • Determine your scope: Specify the areas that the assessment would cover, such as whether you’ll run a check on the entire organization or on individual business units. You may employ the services of a third-party provider to gather input from stakeholders who fall within the boundaries you’ve set for the assessment.
  • Inventory your assets: Create an inventory of all your physical and digital assets, and take note of the most important ones  — these are the assets most likely to be targeted and the ones that will cause the most damage if successfully hijacked.
  • Gauge potential impact: This is where you determine the likelihood and severity of risks you’ve identified in your asset inventory. Using a scoring system to rate the probability of an attack and the severity of the disruption it might cause is an excellent way to create a “risk matrix” that empowers you to understand your company’s vulnerabilities. This matrix also defines an acceptable level of risk, so that your internal stakeholders can understand how to keep risk within acceptable levels.
  • Document risks: Data from risk assessments must be documented so you can regularly review risks, and define what is tolerable as the cybersecurity landscape continues to evolve.

Developing a Foolproof Cybersecurity Incident Response Plan

After you’ve run a thorough risk assessment, you may proceed to formulate your IRP. We’ve listed the basic steps to help you get started:

  1. Create a dedicated response team.

Should a breach occur, having a dedicated response team enables you to quickly assess the situation and develop an appropriate response, especially if a substantial amount of data has been affected. The team’s size may depend on the type and severity of the breach that occurred, but Atty. Robert Munnelly of law firm Davis Malm suggests that it include at least:

  • A manager in charge of the WISP [Written Information Security Plan]
  • Internal and external legal counsel
  • An IT manager
  • A human relations manager
  • An operations manager
  • A representative from the corporate communications division

The team occupies a crucial role by internally communicating key details about the breach and that a team is already addressing it. They must also remind employees to keep from disclosing information about the breach to external parties so as to contain it within the organization and ensure that internal discussions and the IRP itself are legally protected. 

  1. Identify outside resources.

Your IRP should include all pertinent information about experienced resources that you would utilize in the event of a breach. Examples include computer forensics experts, PR professionals (in the event the breach becomes publicized), and insurance personnel to answer questions on policies concerning the breach. 

  1. Have specific responses for specific breach types.

No two breaches are the same, and so your IRP must be flexible enough to enable your teams to work around the situation should one happen. Some breaches may be minor enough that the WISP-assigned manager could respond on their own accord; others may be massive and require the mobilization of a large-scale response team spanning multiple departments or agencies.

  1. Utilize the power of checklists.

Checklists are essential in consolidating your action items so that teams don’t overlook important details after a breach takes place. These action items may include:

  • Taking note of the date and time the breach occurred
  • Mobilizing teams and providing them with preliminary details about the breach
  • Putting up a secure perimeter around your systems, whether part of the breach or not
  • Refraining from making public statements about the breach until external professionals confirm details
  1. Regularly review and update your IRP.

Experts recommend reviewing and updating your response plan at least once every year — an outdated IRP that fails to account for recent internal or external developments can put your entire business at risk.

It’s also advisable to test the resiliency of your IRP and personnel by conducting mock breaches and incorporating lessons learned from your after-action report.

Final Thoughts

Cyber threats are becoming more sophisticated by the minute, so it is imperative for businesses of all sizes to have a well-defined plan to prevent attacks in the first place and minimize damage if one occurs. While the nature of cybersecurity threats is always evolving, maintaining up-to-date security policies and response plans will always be time well spent.


Photography by Liam Tucker via Unsplash.

Privacy Notice

This privacy notice discloses the privacy practices for ( This privacy notice applies solely to information collected by this website. It will notify you of the following:

  • What personally identifiable information is collected from you through the website, how it is used and with whom it may be shared.
  • What choices are available to you regarding the use of your data.
  • The security procedures in place to protect the misuse of your information.
  • How you can correct any inaccuracies in the information.

Information Collection, Use, and Sharing

We are the sole owners of the information collected on this site. We only have access to/collect information that you voluntarily give us via email or other direct contact from you. We will not sell or rent this information to anyone.

We will use your information to respond to you, regarding the reason you contacted us. We will not share your information with any third party outside of our organization, other than as necessary to fulfill your request, e.g. to ship an order.

Unless you ask us not to, we may contact you via email in the future to tell you about specials, new products or services, or changes to this privacy policy.

Your Access to and Control Over Information

You may opt out of any future contacts from us at any time. You can do the following at any time by contacting us via the email address or phone number given on our website:

  • See what data we have about you, if any.
  • Change/correct any data we have about you.
  • Have us delete any data we have about you.
  • Express any concern you have about our use of your data.


We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline.

Wherever we collect sensitive information (such as credit card data), that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a lock icon in the address bar and looking for “https” at the beginning of the address of the Web page.

While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (for example, billing or customer service) are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment.

If you feel that we are not abiding by this privacy policy, you should contact us immediately via telephone at 202-256-9707 or [email protected].