When Crisis Hits, You Won't Have Time to Figure It Out (IR-2)
You’ve got your incident response plan written down. You know who to call when things go wrong. You’ve set up monitoring alerts. Everything’s ready.
Then it happens: your phone buzzes at 7 AM with a security alert. Your heart starts racing. You grab your incident response plan. The steps that seemed crystal clear when you wrote them six months ago suddenly feel confusing. Which password do you reset first? Was it the bank or the credit card company you’re supposed to call?
Reading about emergency procedures and actually doing them are completely different experiences. And the middle of a real crisis is not when you want to discover that gap.
IR-2: Incident Response Training
No need to sit through boring corporate training videos. It’s about occasionally walking through the basics so you don’t fumble when it counts.
The same principle that applies to CPR or knowing your building’s emergency exits applies to digital emergencies. A little mental rehearsal ahead of time can mean the difference between handling a crisis smoothly and making it worse through panic and confusion.
The Tale of Two Responses
Let me show you what this looks like when people have practiced—and when they haven’t.
For Individuals: The Locked Account
You try to log into your main email and get an error message: “Account temporarily locked due to suspicious activity.” Your inbox has thousands of important messages, saved confirmations, and account recovery emails for everything else you use.
Without training: You panic and start clicking every “recover account” option you can find. You try password reset, but can’t remember which backup email you used. You attempt the security questions but second-guess every answer. After three failed attempts, the account locks for 24 hours. You’re completely cut off from everything connected to that email, and you have no idea what to do next.
With training: You’ve walked through this scenario before. You remember: check your backup email first (you know which one because you wrote it down). Grab your recovery codes from your secure storage. Follow the documented steps in order. You’re stressed, but you’re not guessing. Within a few minutes, you’ve regained access because you knew exactly what to do.
For Small Businesses: The Phishing Email
A real estate agency gets hit by a sophisticated phishing email that looks like it’s from their title company. An agent clicks the link and enters their credentials before realizing something’s wrong.
Without training: The agent panics and tries to handle it alone, changing their password but forgetting about their email forwarding rules. The compromised account continues sending malicious emails to clients for another hour. When the broker finally gets involved, they’re not sure whether to notify clients immediately or wait to see how bad it is. The response is chaotic, clients lose confidence, and a simple incident becomes a reputation crisis.
With training: The agent immediately recognizes this as the scenario they practiced last month. They follow the steps without having to think: disconnect from the network, notify the broker, reset credentials, check for forwarding rules and auto-replies, send the standard client notification. The whole incident is contained within a few minutes because everyone knew their role and had walked through the response.
Your Task for Today
Here’s what you can do in the next ten minutes:
Everyone: Pick one scenario from your plan and mentally walk through it. If your main email got locked right now, what would you do first? If your laptop was stolen, who would you call? What’s step one? Just thinking through the sequence helps it stick in your brain for when you actually need it.
Small Business Owners: Schedule a monthly 15-minute “what-if” session with your team. Pick one scenario from your incident response plan and walk through it step by step. “What if our email got compromised?” “What if our website went down?” Just talk through who would do what and when. Make sure everyone knows their role before something actually happens.
Why This Actually Matters
Training isn’t about memorizing every detail. It’s about building muscle memory so you can think clearly when adrenaline is flooding your system.
When bad things happen, your brain doesn’t work the same way it does when you’re calmly reading instructions. Simple tasks become difficult. Details get forgotten. Having mentally rehearsed the basics means you can focus on the problem instead of figuring out the process.
The plan tells you what to do, but training helps you actually remember it when it counts.
My Work
Following last week’s confession, I located the fraud numbers for my bank and my credit cards. I put the numbers in my Google Doc with the reporting timeframes. I had to call my bank to get that information.
I also added the fraud numbers to my phone contacts.
This week I’m going to verify what I need to do if my email is hacked.
Before You Go
We’re building your complete incident response toolkit. You now know what to do (IR-4), how to spot problems early (IR-5), how to create your action plan (IR-8), who to notify (IR-6), and how to keep your response skills sharp (IR-2).
Coming up next: IR-3: Incident Response Testing—taking your training to the next level by actually verifying your plan works.
P.S. The best incident response plan is one you’ve actually practiced in your head. If this series is helping you build real security habits, subscribe to get the remaining posts. We’re proving that good security doesn’t require a computer science degree or a corporate budget.
