“Plans are of little importance, but planning is essential.”
― Winston Churchill

25 May Blog

5/25/2026

Cyber Incident Management Plans (CIMP)

A Cyber Incident Management Plan (CIMP) is no longer a “nice to have” document that sits in a drawer waiting for a major breach. In today’s environment — where ransomware groups evolve weekly, AI-enabled phishing is becoming more convincing, and supply chain attacks can impact thousands of organisations simultaneously — a cyber incident management plan must become a living operational capability.
The challenge for many organisations is not recognising the need for a plan. It is building one that is practical, relevant, maintainable, and achievable within the reality of stretched budgets, limited time, and already overloaded teams.
The good news is that an effective cyber incident management plan does not need to be overly complex or expensive. What matters most is clarity, ownership, adaptability, and regular improvement.
Why Traditional Incident Plans Fail
Many incident response plans fail for three common reasons:
  • They are too technical and disconnected from business operations.
  • They are written once and never updated.
  • They are tested only during a real crisis.
A 200-page document filled with technical jargon is unlikely to help executives, HR, communications teams, or frontline staff during a stressful incident. In reality, cyber incidents create business disruption, reputational damage, legal concerns, and operational uncertainty — not just technical problems.
An effective modern CIMP must therefore be:
  • Business-focused
  • Human-centric
  • Flexible
  • Easy to use under pressure
  • Continuously improved
The plan should provide guidance rather than a rigid script to be followed step by step. During a cyber incident, situations evolve rapidly and decisions often need to be made with incomplete information.
Start With Business Risk, Not Technology
One of the biggest mistakes organisations make is designing incident plans purely around technology systems.
Instead, start by asking:
  • What business functions are critical?
  • What would stop operations?
  • What would cause reputational damage?
  • What data loss would create legal or regulatory exposure?
  • Which suppliers or third parties introduce risk?
  • What cyber scenarios are most realistic for our organisation?
For a small manufacturer, operational downtime may be the biggest concern. For a professional services firm, client confidentiality may be paramount. For healthcare providers, patient safety becomes critical.
This approach keeps the plan relevant and aligned to real business impact rather than theoretical cyber threats.
Keep the Plan Practical and Simple
The most effective incident plans are often surprisingly concise.
A practical plan should clearly define:
1. Roles and Responsibilities
Who does what during an incident?
This should include:
  • Executive leadership
  • IT and security teams
  • Legal
  • HR
  • Communications
  • Operations
  • External providers
  • Cyber insurance contacts
People should understand:
  • Who makes decisions
  • Who escalates issues
  • Who communicates internally
  • Who speaks externally
  • Who engages regulators or law enforcement
Clarity removes confusion during stressful situations.
2. Incident Severity Levels
Not every incident requires a full-scale response.
Define simple severity categories such as:
  • Low impact
  • Moderate impact
  • Critical business disruption
This helps organisations scale their response proportionately and avoid unnecessary panic or overreaction.
3. Escalation Pathways
Teams should know:
  • When to escalate
  • Who to contact
  • How quickly decisions must be made
  • What thresholds trigger executive involvement
Speed matters enormously in cyber incidents.
4. Communication Templates
One of the most overlooked areas in incident response is communication.
Prepare templates in advance for:
  • Internal staff notifications
  • Customer communications
  • Media holding statements
  • Supplier notifications
  • Regulatory reporting
During an incident, drafting communications from scratch wastes valuable time and increases risk.
5. External Dependencies
Most organisations rely heavily on external providers:
  • Cloud services
  • Managed service providers
  • SaaS platforms
  • Legal counsel
  • Cyber insurance
  • Incident response specialists
Document:
  • Contact details
  • Escalation methods
  • Contract obligations
  • Support arrangements
  • After-hours contacts
In many incidents, external coordination becomes one of the biggest operational challenges.
Build a “Living” Plan
Cyber threats evolve too quickly for static documentation.
A modern CIMP should be treated like any operational process:
  • Reviewed regularly
  • Updated after changes
  • Improved after exercises
  • Adjusted for new threats
Organisations should review their plan:
  • After major incidents
  • After significant technology changes
  • Following organisational restructures
  • Following supplier changes
  • At least annually
Importantly, organisations should avoid chasing perfection. A current, usable 15-page plan is far more valuable than an outdated 150-page document.
Testing Does Not Need to Be Expensive
Many organisations avoid testing because they assume it requires costly consultants, large simulations, or significant downtime.
In reality, meaningful testing can be lightweight and highly effective.
Start With Tabletop Exercises
A tabletop exercise is simply a structured discussion around a realistic scenario.
For example:
“A staff member clicks a phishing email and ransomware begins encrypting shared files. What happens next?”
Walk through:
  • Who gets notified
  • What decisions are made
  • What systems are impacted
  • How communications occur
  • What external parties are contacted
Even a 60-minute discussion can expose:
  • Unclear ownership
  • Missing contacts
  • Decision bottlenecks
  • Communication gaps
  • Technical assumptions
These exercises are low-cost and highly valuable.
Test Decision-Making, Not Just Technology
Many organisations focus purely on technical recovery testing.
However, the biggest challenges during incidents are often:
  • Leadership uncertainty
  • Communication failures
  • Delayed decisions
  • Conflicting priorities
  • Lack of coordination
Testing should therefore include executives and business teams — not just IT.
Cyber resilience is ultimately an organisational capability, not solely a technical one.
Keep Exercises Realistic
Overly dramatic “Hollywood-style” scenarios can overwhelm teams and reduce engagement.
Instead, focus on realistic scenarios relevant to the organisation:
  • Business email compromise
  • Ransomware
  • Supplier compromise
  • Insider threats
  • Cloud platform outages
  • AI-enabled phishing attacks
Relevance improves participation and learning outcomes.
Create Continuous Improvement Loops
Every test, exercise, or incident should generate lessons learned.
After each exercise, ask:
  • What worked well?
  • What caused confusion?
  • What slowed response times?
  • Were responsibilities clear?
  • Were communications effective?
  • What assumptions proved incorrect?
Then update the plan accordingly.
This continuous improvement mindset is what keeps a plan relevant over time.
Human Factors Matter Most
Technology alone will never solve incident response challenges.
People make decisions under pressure, often with incomplete information and emotional stress. Fatigue, uncertainty, and communication breakdowns can significantly worsen incidents.
That is why organisations should prioritise:
  • Clear communication
  • Role clarity
  • Psychological preparedness
  • Leadership engagement
  • Cross-functional collaboration
The strongest cyber resilience comes from organisations where staff understand their role in managing incidents — not just preventing them.
Focus on Progress, Not Perfection
Many organisations delay building or testing a plan because they feel under-resourced or insufficiently mature.
But cyber resilience is not about perfection.
It is about:
  • Improving readiness over time
  • Reducing uncertainty
  • Increasing coordination
  • Strengthening decision-making
  • Recovering faster when incidents occur
Even small improvements can significantly reduce operational disruption and reputational damage.
The organisations that respond best to cyber incidents are rarely the ones with the largest budgets. They are usually the ones that prepared realistically, tested consistently, communicated clearly, and continuously adapted to change.
In a rapidly evolving cyber landscape, the most valuable incident management plan is not the most sophisticated one.
It is the one your organisation can actually use.

18 May Blog

5/18/2026

AI and Small Business: Balancing Opportunity with Security Risk

Artificial Intelligence (AI) is no longer a technology reserved for large enterprises with massive budgets and dedicated innovation teams. Today, small businesses are increasingly adopting AI-powered tools to improve productivity, automate repetitive tasks, enhance customer service, strengthen marketing efforts, and gain operational efficiencies.
From AI chatbots and automated accounting systems to AI-generated content and workflow automation, the opportunities for small businesses are significant.
However, alongside these opportunities comes an equally important conversation: security.
While AI can deliver tremendous business value, implementing it without understanding the associated risks can expose businesses to cyber threats, compliance failures, reputational damage, and operational disruption. For small businesses, which often have limited cybersecurity resources, these risks can be particularly impactful.
The key is not to avoid AI — it is to implement it responsibly.
The Growing Security Challenges of AI
AI systems rely heavily on data. The more data an AI tool can access, the more powerful and useful it becomes. Unfortunately, this also creates new security and privacy concerns.
Many small businesses are unknowingly exposing sensitive information when employees use publicly available AI tools without governance or oversight. Confidential customer information, financial data, internal procedures, intellectual property, or strategic business plans may be entered into AI platforms without fully understanding how that data is stored, processed, or reused.
Some of the most common AI-related security risks include:
Data Leakage
Employees may unintentionally upload confidential information into AI systems. Once sensitive data leaves the organization’s controlled environment, businesses may lose visibility and control over how it is handled.
AI-Enhanced Cybercrime
Cybercriminals are now using AI to improve phishing attacks, automate scams, generate convincing fake communications, and identify vulnerabilities faster than ever before. Small businesses are increasingly targeted because attackers assume they have weaker security controls.
Compliance and Privacy Risks
Businesses operating under privacy regulations must ensure AI usage aligns with legal obligations surrounding data protection, customer consent, and information handling. Failure to do so can result in financial penalties and reputational harm.
Over-Reliance on AI
AI can accelerate decision-making, but it is not infallible. Inaccurate outputs, hallucinations, bias, or poor recommendations can create operational and reputational risks if human oversight is removed from the process.
Shadow AI
One of the fastest-growing concerns is “Shadow AI” — where employees independently adopt AI tools without approval from IT or leadership. This creates significant visibility and governance challenges for organizations.
Why Small Businesses Cannot Afford to Ignore AI
Despite the risks, avoiding AI altogether is not a sustainable strategy.
Businesses that fail to adopt AI may struggle to remain competitive as larger and more agile organizations leverage automation and data-driven insights to reduce costs and improve customer experiences.
The real challenge is not whether businesses should adopt AI — it is how they adopt AI safely and strategically.
Organizations that approach AI implementation through a security and governance lens are far more likely to realize its benefits while minimizing exposure to risk.
Offsetting AI Risks Through Governance and Security
AI implementation should never occur in isolation from cybersecurity and business governance practices.
Small businesses can significantly reduce their exposure by taking a structured and human-centric approach.
Establish Clear AI Usage Policies
Employees need guidance on:
  • Which AI tools are approved
  • What data can and cannot be entered into AI platforms
  • How AI-generated outputs should be validated
  • Security and privacy expectations
Clear policies reduce uncertainty and help prevent accidental exposure of sensitive information.
Focus on Employee Awareness
Technology alone cannot solve AI security challenges.
Staff remain one of the most critical components of organizational security. Businesses should ensure employees understand:
  • The risks associated with AI tools
  • How cybercriminals may exploit AI
  • The importance of protecting sensitive information
  • How to identify AI-generated scams or phishing attempts
A culture of cyber awareness is essential.
Conduct Risk Assessments Before Adoption
Before implementing any AI solution, businesses should ask:
  • What data will the AI access?
  • Where is that data stored?
  • Who owns the information entered into the platform?
  • Does the vendor meet security standards?
  • What happens if the AI tool experiences a breach?
  • Are there regulatory implications?
These assessments help businesses make informed decisions rather than reactive ones.
Apply Cybersecurity Fundamentals
Many AI-related risks can be mitigated through strong foundational cybersecurity practices, including:
  • Multi-factor authentication
  • Access controls
  • Data classification
  • Endpoint protection
  • Regular software updates
  • Security monitoring
  • Backup and recovery processes
Strong cyber hygiene remains essential, regardless of the technology being adopted.
The Role of Risk Management in AI Decision-Making
Risk management plays a critical role in helping businesses balance innovation with security.
Too often, organizations view cybersecurity as a barrier to progress. In reality, effective risk management enables smarter and more confident business decisions.
Rather than asking:
“Is AI safe?”
Businesses should ask:
“How do we implement AI while managing acceptable levels of risk?”
This shift in thinking is important.
Every business decision carries some level of risk — whether financial, operational, legal, or reputational. AI adoption is no different. The goal of risk management is not to eliminate all risk, but to identify, assess, prioritize, and control it appropriately.
For small businesses, this means:
  • Understanding which AI tools create the greatest exposure
  • Determining what level of risk is acceptable
  • Implementing safeguards proportionate to the business
  • Continuously reviewing and adapting controls as AI evolves
A structured risk management process allows organizations to:
  • Make informed technology investments
  • Improve resilience
  • Protect customer trust
  • Support compliance obligations
  • Reduce the likelihood and impact of cyber incidents
Most importantly, it allows businesses to adopt AI with confidence rather than fear.
Human-Centric Security Matters More Than Ever
As AI becomes more integrated into business operations, the human element of cybersecurity becomes increasingly important.
Technology can strengthen productivity and resilience, but people remain central to secure decision-making.
Businesses that combine AI innovation with strong governance, cyber awareness, and risk management practices will be far better positioned to succeed in the evolving digital landscape.
The future of AI in small business is not about replacing people — it is about empowering them safely.
Final Thoughts
AI presents enormous opportunities for small businesses to improve efficiency, competitiveness, and growth. However, without proper governance and security considerations, those same tools can introduce significant risks.
 
The organizations that will benefit most from AI are not necessarily the ones that adopt it the fastest, but the ones that adopt it the smartest.
By embedding cybersecurity, human awareness, and risk management into AI decision-making processes, small businesses can confidently embrace innovation while protecting their operations, employees, customers, and reputation.
AI should not be viewed purely as a technology decision.
It is ultimately a business risk and resilience decision.

4 May 2026 Blog

5/4/2026

“So I Get Hacked… What’s the Worst That Can Happen?”
“I’ve got a bad feeling about this.”
It’s a line we all recognise.
And in cybersecurity today, it’s more relevant than ever.
Because many organisations are still thinking about cyber risk like it’s the Death Star: a big, obvious target protected by strong defences.
But modern attacks don’t look like that.
They look more like the Empire’s real strategy:
  • Subtle
  • Persistent
  • Focused on influence, not just force
And most importantly—they exploit people.
 
The Illusion of Control: “Our Shields Are Strong”
Many leaders still believe their organisation is protected because they’ve invested in:
  • Firewalls (deflector shields)
  • Endpoint tools (stormtroopers on patrol)
  • Backups (escape pods)
Important? Yes.
Enough? Not even close.
Because the Empire doesn’t attack the shield first.
It finds the weakness in behaviour.
 
The Business Owner: When the Empire Strikes Back
You’re running your organisation—your Rebel base.
Everything is operating smoothly… until suddenly, it isn’t.
Your operations grind to a halt
This isn’t a clean battle.
It’s confusion:
  • Systems locked
  • Communications disrupted
  • Teams unsure what to do next
Not because you lack technology—but because your people weren’t prepared for the moment.
 
Your data is already in enemy hands
Before you even realise what’s happening, the Empire has:
  • Customer data
  • Financial information
  • Internal communications
The threat isn’t just destruction—it’s exposure.
 
You’re pulled into a negotiation you can’t win
Pay the ransom.
Don’t pay the ransom.
Either way, you’re dealing with an opponent that doesn’t follow rules.
There’s no Jedi Council to appeal to.
 
Your reputation takes the hit
In the eyes of your customers and partners:
“This organisation lost control.”
And in business, trust—like the Force—is everything.
Once it’s shaken, it’s difficult to restore.
 
Your people feel the impact first
Stress rises.
Confidence drops.
Questions surface:
  • “Were we prepared?”
  • “Did leadership take this seriously?”
Because in the end, it’s not just a technical failure.
It’s a leadership moment.
 
The Senior Manager: You Are the Target
Now let’s shift perspective.
You’re a senior leader.
You might think the battle is happening “out there”—in systems and infrastructure.
But in reality…
You’re the doorway.
 
Your identity becomes the perfect disguise
If the Empire can become you, it doesn’t need to break in.
With access to your personal accounts, it can:
  • Message your team
  • Approve payments
  • Influence decisions
This isn’t hacking systems.
It’s manipulating trust—like a Jedi mind trick in reverse.
 
Your network becomes the map
Your email.
Your LinkedIn.
They reveal:
  • Who you trust
  • Who trusts you
  • How your organisation operates
To an attacker, this is more valuable than any technical diagram.
 
The attack becomes personal
Messages that feel real.
Requests that seem urgent.
Context that makes sense.
Because they’re built from your world.
 
The line between personal and professional disappears
There is no separation anymore.
Your personal behaviour—passwords, MFA, habits—becomes your organisation’s vulnerability.
 
The Real Problem: We’re Fighting the Wrong War
Too many organisations are still preparing for a direct assault.
But today’s attackers operate more like the Emperor:
  • Manipulating from the shadows
  • Exploiting behaviour
  • Turning your own people into the entry point
 
A Human-Centric Defence: Building Your Jedi Order
If attacks are human-led, defence must be human-centric.
Not by blaming people—but by empowering them.
 
Design systems people can actually use
If security creates friction, people will work around it.
Even the best intentions fail under pressure.
 
Build awareness that feels real—not theoretical
Training shouldn’t feel like a briefing from a distant galaxy.
It should reflect:
  • Real scenarios
  • Real pressures
  • Real decisions your people face
 
Create a culture where people speak up early
You don’t want silence.
You want:
“Something feels off… I’m flagging it.”
That’s your early warning system.
 
Equip leaders to lead in the moment
When something happens, your people don’t look to IT.
They look to leadership.
And the question becomes:
“Are we calm, clear, and decisive—or reacting in chaos?”
 
So… What’s the Worst That Can Happen?
The worst case isn’t just being attacked.
It’s this:
  • Your people aren’t prepared
  • Your leaders aren’t aligned
  • Your culture works against your controls
  • And when the moment comes… you hesitate
 
A Better Question
Instead of asking:
“What’s the worst that can happen?”
Ask:
“Have we trained and equipped our people to respond when the Force is tested?”
Because resilience isn’t built in systems alone.
It’s built in people, behaviour, and leadership.
 
May the Force be with you.

Author

Patrick – Founder of Cyberplanz | Business Strategist | Cyber Governance Advocate

Patrick combines deep business experience, including an MBA, with up-to-date cybersecurity expertise, including certification as a PECB ISO/IEC 27001 Lead Implementer. He helps businesses grow while staying secure—bridging the gap between cybersecurity and real-world operations with clear, human-centric solutions. Passionate about culture, clarity, and resilience, Patrick champions the belief that cybersecurity is everyone’s business—not just IT’s.
