What Are Incident Playbooks?
Cyber incident playbooks are structured, actionable guides designed to help teams detect, respond to, and recover from security events. Whether facing ransomware, phishing, or insider threats, a good playbook provides clarity during chaos.
Each playbook outlines key roles, escalation steps, communications, and remediation actions — ensuring your team acts quickly, consistently, and in compliance with regulatory obligations. In critical moments, a playbook can mean the difference between a minor disruption and a major breach.
The examples provided by Cyber.Irish in the following section are foundational response guides — ideal for small businesses, IT teams, and security-aware stakeholders. While not exhaustive, they offer concrete actions to take during high-risk scenarios and are intended to supplement your organisation’s broader incident response plan.
Cyber Incident Response Playbooks
When an incident strikes, quick and structured action is critical. These playbooks provide clear, actionable steps for responding to common cyber threats — helping your team contain, recover, and report effectively. Each guide aligns with Canadian best practices and industry frameworks like NIST and CIS.
Ransomware Attack
If your systems are locked and a ransom demand appears:
1. Isolate Affected Systems: Disconnect infected devices from the network immediately to prevent spread.
2. Do Not Pay: Paying ransoms is discouraged by law enforcement and may violate OFAC regulations.
3. Notify Authorities: In Canada, report to the Canadian Centre for Cyber Security (cyber.gc.ca).
4. Engage IR Specialists: Contact your internal team or external IR consultants (e.g., Cyber.Irish).
5. Preserve Evidence: Capture logs, timestamps, and encrypted file samples. Avoid wiping machines prematurely.
6. Restore Safely: Only use verified clean backups. Scan restored files and monitor endpoints for residual threats.
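The "Preserve Evidence" step above is where teams most often damage their own case by cleaning first and recording later. The script below is an added illustration, not part of the Cyber.Irish playbook: it walks an affected directory read-only, records size, modification time and SHA-256 for every file, scores the first 64 KiB of each file for Shannon entropy (encrypted output sits near 8 bits per byte, office documents and text far lower), flags likely ransom notes by filename, and writes a manifest whose own hash can be stored separately for chain of custody. The note filenames, the entropy threshold and the sample directory it builds are all constructed for the example.

```python
import hashlib
import json
import math
import os
import tempfile
import time
from collections import Counter

# Triage indicators. Both are constructed for this example; tune them to your environment.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "recover_files.html"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data approaches 8.0, documents sit far lower


def shannon_entropy(data: bytes) -> float:
    """Entropy of `data` in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def collect_evidence(root: str) -> dict:
    """Read-only walk of `root`: size, mtime, SHA-256, head entropy and flags per file.

    Files are only opened for reading; nothing is moved, cleaned or deleted, so the
    affected host stays as the responders found it.
    """
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            with open(path, "rb") as fh:
                head = fh.read(65536)          # entropy is measured on the first 64 KiB
                digest = hashlib.sha256(head)
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)       # the hash covers the whole file
            entropy = shannon_entropy(head)
            flags = []
            if head and entropy >= ENTROPY_THRESHOLD:
                flags.append("high_entropy")
            if name.lower() in RANSOM_NOTE_NAMES:
                flags.append("possible_ransom_note")
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "sha256": digest.hexdigest(),
                "entropy": round(entropy, 3),
                "flags": flags,
            })
    records.sort(key=lambda r: r["path"])
    body = json.dumps(records, sort_keys=True).encode()
    return {
        "root": root,
        "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "file_count": len(records),
        "flagged": [r["path"] for r in records if r["flags"]],
        "records": records,
        # Hash over the record list: store it separately so later edits to the manifest show up.
        "manifest_sha256": hashlib.sha256(body).hexdigest(),
    }


def build_sample_case() -> str:
    """Constructed stand-in for an affected file share (not real incident data)."""
    root = tempfile.mkdtemp(prefix="ir_sample_")
    with open(os.path.join(root, "budget.xlsx.locked"), "wb") as fh:
        fh.write(bytes(range(256)) * 64)   # every byte value equally often: entropy exactly 8.0
    with open(os.path.join(root, "minutes.txt"), "wb") as fh:
        fh.write(b"Meeting minutes, 12 March. Action: chase the vendor invoice.\n" * 20)
    with open(os.path.join(root, "README.txt"), "wb") as fh:
        fh.write(b"Your files have been encrypted. Contact us to recover them.\n")
    return root


if __name__ == "__main__":
    print(json.dumps(collect_evidence(build_sample_case()), indent=2))
```

Run it against a mounted copy or the live share before any cleanup, and keep the printed `manifest_sha256` in the incident ticket rather than alongside the manifest file. Entropy alone is not proof of encryption (compressed archives and images also score high), so treat `high_entropy` as a prompt to sample the file, not as a verdict.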
Phishing or Suspicious Email
When a user reports or interacts with a suspicious email:
1. Quarantine the Message: Use your email security tools (e.g., Microsoft Defender, Proofpoint) to isolate the message.
2. Revoke Compromised Credentials: If the link was clicked or a form submitted, reset passwords and review login activity.
3. Notify Other Users: Alert staff to the phishing email. Use screenshots and clear “do not click” language.
4. Report to Authorities: Submit to the Canadian Anti-Fraud Centre (antifraudcentre.ca).
5. Conduct Awareness Training: Consider follow-up training or simulations to reinforce vigilance.
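Step 2 says to "review login activity" after a click; in practice that means comparing the user's sign-ins after the click against where they normally sign in from. The following is an added example, not code from Cyber.Irish: it builds a baseline of IPs and countries from the user's successful pre-click sign-ins and reports every post-click sign-in that falls outside it, rating a successful one from an unknown place as high severity (reset credentials and revoke sessions) and a failed one as medium (someone is trying the harvested password). The sign-in export format, the user names, the click time and the RFC 5737 addresses are constructed; real sign-in logs carry the same fields under vendor-specific names.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    ip: str
    country: str
    result: str  # "success" or "failure"


# Constructed sign-in export in a simplified "time,user,ip,country,result" form.
SAMPLE_SIGNINS = [
    "2024-05-09T08:02:11+00:00,a.murphy@example.com,203.0.113.10,CA,success",
    "2024-05-10T08:05:47+00:00,a.murphy@example.com,203.0.113.10,CA,success",
    "2024-05-13T08:01:03+00:00,a.murphy@example.com,203.0.113.10,CA,success",
    "2024-05-14T09:40:26+00:00,a.murphy@example.com,198.51.100.77,NL,success",
    "2024-05-14T10:02:09+00:00,a.murphy@example.com,192.0.2.5,US,failure",
    "2024-05-14T11:00:52+00:00,a.murphy@example.com,203.0.113.10,CA,success",
    "2024-05-14T11:30:00+00:00,b.ryan@example.com,192.0.2.44,IE,success",
]
# Constructed: the moment the reported link was clicked, taken from the mail gateway's click log.
CLICKED_AT = datetime.fromisoformat("2024-05-14T09:12:00+00:00")


def parse_event(line: str) -> SignIn:
    t, user, ip, country, result = line.strip().split(",")
    return SignIn(user, datetime.fromisoformat(t), ip, country, result)


def review_login_activity(events, user: str, clicked_at: datetime) -> dict:
    """Compare the user's sign-ins after the click with their pre-click baseline.

    Baseline = IPs and countries of successful sign-ins before the click. Any later sign-in
    from outside that baseline is reported; a successful one is treated as a probable
    credential compromise and drives the reset decision.
    """
    mine = [e for e in events if e.user == user]
    baseline = [e for e in mine if e.time < clicked_at and e.result == "success"]
    known_ips = {e.ip for e in baseline}
    known_countries = {e.country for e in baseline}
    findings = []
    for e in sorted(mine, key=lambda e: e.time):
        if e.time < clicked_at:
            continue
        reasons = []
        if e.country not in known_countries:
            reasons.append("new_country")
        if e.ip not in known_ips:
            reasons.append("new_ip")
        if reasons:
            findings.append({
                "time": e.time.isoformat(),
                "ip": e.ip,
                "country": e.country,
                "result": e.result,
                "reasons": reasons,
                "severity": "high" if e.result == "success" else "medium",
            })
    return {
        "user": user,
        "known_ips": sorted(known_ips),
        "known_countries": sorted(known_countries),
        "findings": findings,
        "credential_reset_required": any(f["severity"] == "high" for f in findings),
    }


if __name__ == "__main__":
    import json
    events = [parse_event(line) for line in SAMPLE_SIGNINS]
    print(json.dumps(review_login_activity(events, "a.murphy@example.com", CLICKED_AT), indent=2))
```

A short baseline (here three sign-ins) will produce false positives for staff who travel; widen the window to several weeks of history before trusting a `new_country` finding on its own, and treat a successful unknown sign-in as grounds for a reset even when the user denies entering their password.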
Business Email Compromise (BEC)
If an attacker impersonates or compromises an executive or finance account:
1. Freeze Financial Transfers: Alert your finance team to hold any outgoing funds.
2. Reclaim Control: Change passwords, review mailbox rules, and check for token-based sessions.
3. Check Forwarding Rules: BEC actors often create hidden rules that exfiltrate data silently.
4. Contact Your Bank: Notify your bank immediately if funds were transferred. The sooner you report, the better the chance of recovery.
5. Notify Your Insurer: If you have a cyber insurance policy, begin the claim process and follow their instructions.
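Steps 2 and 3 both turn on reading the compromised mailbox's rules, and the tell-tale patterns are consistent: forwarding or redirecting to an address outside the organisation, deleting or parking matching mail in a folder the owner never opens (RSS Feeds, Conversation History, Archive), subject filters on invoice and payment keywords or on the security alerts that would expose the intruder, and a rule name that is blank or a single punctuation mark. The triage function below is an added example, not Cyber.Irish's code; its rule dictionaries are constructed and only loosely modelled on the fields an Exchange Online `Get-InboxRule` export carries, and the folder and keyword lists are starting points, not an authoritative set.

```python
# Folders attackers commonly use to park stolen mail where the owner rarely looks (constructed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive",
                  "junk email", "deleted items"}
# Subject filters that target money movement or the alerts that would reveal the compromise.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "transfer", "bank", "password",
                   "security alert", "hacked", "phish"}

# Constructed rules from a finance mailbox; shaped loosely after Get-InboxRule output.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "From": ["news@vendor.example"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True,
     "ForwardTo": ["Finance Ops <f.ops@mail-relay.example>"], "DeleteMessage": True},
    {"Name": "Invoices", "Enabled": True, "SubjectContainsWords": ["invoice", "payment", "wire"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Cover while on leave", "Enabled": True, "ForwardTo": ["c.byrne@example.com"]},
]


def _domain(address: str) -> str:
    """'Jane Doe <jane@partner.example>' -> 'partner.example'."""
    return address.rstrip(">").rsplit("@", 1)[-1].strip().lower()


def triage_inbox_rules(rules, org_domains) -> list:
    """Return the rules showing BEC characteristics, each with the reasons it was flagged.

    `org_domains` are the organisation's own mail domains; forwarding inside them is
    treated as legitimate so that cover-for-leave rules do not drown out real findings.
    """
    org = {d.lower() for d in org_domains}
    findings = []
    for rule in rules:
        reasons = []
        targets = ((rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
                   + (rule.get("ForwardAsAttachmentTo") or []))
        external = sorted({t for t in targets if _domain(t) not in org})
        if external:
            reasons.append("forwards_externally")
        words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
        hides = bool(rule.get("DeleteMessage")) or \
            (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
        # Deleting or burying mail is only suspicious when it targets sensitive subjects
        # or accompanies an external copy; a plain "move to Deleted Items" is noise.
        if hides and (words & SENSITIVE_WORDS or external):
            reasons.append("hides_matching_mail")
        name = (rule.get("Name") or "").strip()
        if len(name) <= 1:  # empty, or a single character such as "." or ","
            reasons.append("evasive_name")
        if reasons:
            findings.append({
                "name": rule.get("Name"),
                "enabled": rule.get("Enabled", True),
                "external_targets": external,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_inbox_rules(SAMPLE_RULES, ["example.com"]):
        print(f)
```

Disable rather than delete flagged rules until the investigation closes, since the rule definitions themselves are evidence of what the attacker was watching for. Check the same export for rules that are disabled, which attackers sometimes leave behind for reactivation, and repeat the review on any mailbox the compromised account had delegate access to.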
Data Breach or Exposure
If confidential or personal data may have been leaked:
1. Identify What Was Accessed: Determine what data was exposed, for how long, and to whom.
2. Contain and Patch: Fix the source of exposure — misconfigured bucket, vulnerable endpoint, etc.
3. Notify Affected Parties: If personal data was involved, you may have obligations under PIPEDA or provincial legislation.
4. Report to Regulators: Notify the Office of the Privacy Commissioner of Canada (priv.gc.ca) as required.
5. Review and Improve Controls: Update logging, access permissions, and data retention policies.
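Step 1 asks three questions (what, for how long, to whom) and for the misconfigured-bucket case in step 2 the bucket's server access logs answer all three, provided logging was on before the exposure. The script below is an added example, not part of the Cyber.Irish guidance: it parses the fixed leading fields of the Amazon S3 server access log format, keeps only unauthenticated requests (requester recorded as `-`), separates successful object downloads from listing calls and denied attempts, and reports per-object reads, the distinct source addresses and the first and last time the bucket was read anonymously. The log lines, owner id, bucket name and request ids are constructed; the regex is an assumption that holds for the documented field order and will mark any line it cannot read as unparsed rather than guessing.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Fixed leading fields of the S3 server access log format. Later optional fields
# (version id, host id, TLS details, ...) are left unmatched at the end of the line.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<request_uri>[^"]*)" '
    r'(?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) (?P<object_size>\S+) '
    r'(?P<total_time>\S+) (?P<turnaround>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

# Constructed log lines for a bucket that was briefly world-readable. Not real log data.
SAMPLE_LOG = """\
OWNERID customer-exports [03/Jun/2024:08:15:02 +0000] 198.51.100.23 - 3E57427F3EXAMPLE REST.GET.OBJECT exports/customers-2024-05.csv "GET /exports/customers-2024-05.csv HTTP/1.1" 200 - 48211 48211 37 36 "-" "curl/8.4.0" -
OWNERID customer-exports [03/Jun/2024:09:39:50 +0000] 203.0.113.8 - 891CE47ADEXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 2114 - 12 11 "-" "python-requests/2.31.0" -
OWNERID customer-exports [03/Jun/2024:09:40:11 +0000] 203.0.113.8 - A1206F460EXAMPLE REST.GET.OBJECT exports/customers-2024-05.csv "GET /exports/customers-2024-05.csv HTTP/1.1" 200 - 48211 48211 29 28 "-" "python-requests/2.31.0" -
OWNERID customer-exports [03/Jun/2024:09:40:13 +0000] 203.0.113.8 - 7B4A0FABBEXAMPLE REST.GET.OBJECT exports/contracts.pdf "GET /exports/contracts.pdf HTTP/1.1" 403 AccessDenied - - 8 - "-" "python-requests/2.31.0" -
OWNERID customer-exports [03/Jun/2024:09:55:40 +0000] 203.0.113.50 arn:aws:iam::123456789012:user/export-job DD6CC733AEXAMPLE REST.GET.OBJECT exports/customers-2024-05.csv "GET /exports/customers-2024-05.csv HTTP/1.1" 200 - 48211 48211 31 30 "-" "aws-sdk-go/1.44" -
OWNERID customer-exports [03/Jun/2024:10:02:30 +0000] 198.51.100.23 - 0F2D5E91CEXAMPLE REST.GET.OBJECT exports/payroll-2024.xlsx "GET /exports/payroll-2024.xlsx HTTP/1.1" 200 - 19007 19007 22 21 "-" "curl/8.4.0" -
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access log line, or return None if it does not match the expected layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize_exposure(log_text: str) -> dict:
    """Answer 'what was accessed, for how long, and by whom' for unauthenticated requests."""
    exposed = defaultdict(lambda: {"reads": 0, "bytes": 0, "remote_ips": set()})
    ips, times = set(), []
    denied = listings = authenticated = unparsed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        ok = rec["status"].startswith("2")
        if rec["requester"] != "-":          # signed request: a known principal, reviewed separately
            if rec["operation"] == "REST.GET.OBJECT" and ok:
                authenticated += 1
            continue
        if not ok:                           # anonymous attempt that the policy still blocked
            denied += 1
            continue
        ips.add(rec["ip"])
        times.append(rec["time"])
        if rec["operation"] == "REST.GET.BUCKET":
            listings += 1                    # enumeration: the attacker learned what keys exist
        elif rec["operation"] == "REST.GET.OBJECT":
            entry = exposed[rec["key"]]
            entry["reads"] += 1
            entry["bytes"] += int(rec["bytes_sent"]) if rec["bytes_sent"] != "-" else 0
            entry["remote_ips"].add(rec["ip"])
    return {
        "exposed_objects": {
            key: {"reads": v["reads"], "bytes_served": v["bytes"], "remote_ips": sorted(v["remote_ips"])}
            for key, v in sorted(exposed.items())
        },
        "anonymous_object_reads": sum(v["reads"] for v in exposed.values()),
        "bucket_listings": listings,
        "denied_attempts": denied,
        "authenticated_reads_excluded": authenticated,
        "unparsed_lines": unparsed,
        "remote_ips": sorted(ips),
        "first_seen": min(times).isoformat() if times else None,
        "last_seen": max(times).isoformat() if times else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_exposure(SAMPLE_LOG), indent=2))
```

The object keys in `exposed_objects` are the list to hand to whoever decides on PIPEDA notification, and `first_seen`/`last_seen` bound the exposure window (bounded from below, if logging was enabled after the misconfiguration, only by the time logging began). A non-zero `unparsed_lines` means the layout assumption above did not hold for part of the input and those lines need to be read by hand before the summary is relied on.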