Does Your Plan Actually Work? Test It Before You Need It (IR-3)
You’ve written your incident response plan. You’ve walked through the basic steps in your head. You feel prepared.
But does any of it actually work?
You know your backup email, but what if you can’t remember the password when you need it? That “Find My Device” feature you enabled six months ago? What if the battery died or you forgot to update the location settings?
The only way to know if your security plan works is to test it before you desperately need it. You don’t want to discover that your plan has a critical flaw during a real emergency.
IR-3: Incident Response Testing
Instead of just mentally rehearsing the steps (that was IR-2), you're now executing parts of your plan to verify that the process works in real life the way you think it does.
IR-3 helps you find the problems that could trip you up when you’re already stressed and operating under pressure.
Two Examples
What happens when you test your plans—and when you assume they’ll work.
For Individuals: The Recovery Email Mystery
You’ve set up account recovery for all your important services using a backup email address. Your incident response plan lists this email as a key part of regaining access if your main account gets compromised.
Without testing: Your main email gets hacked and locked. You try to recover it using your backup email, only to discover that you haven’t logged into that backup account in over a year and can’t remember the password. The recovery process for the backup email requires access to your main email—the one that’s been compromised. You’re stuck in a circular problem that takes weeks to resolve through customer service calls.
With testing: Every few months, you log into your backup email to verify you can still access it. During one check, you realize the account is about to be deleted for inactivity, so you set a reminder to log in regularly. When your main email gets compromised, you regain access quickly instead of spending weeks on customer service calls.
For Small Businesses: The Backup That Wasn’t
A small consulting firm has a detailed data backup plan. They’ve identified their critical files, set up cloud storage, and documented the recovery process. They feel completely prepared for a ransomware attack or hardware failure.
Without testing: Their server crashes right before a major client presentation. They go to restore from their backup and discover that the automated sync stopped working months ago due to a billing issue they never noticed. The local backups they thought they had were just shortcuts to files on the crashed server. They lose months of work and have to tell their biggest client that the presentation is delayed indefinitely.
With testing: Every quarter, they pick a few random files and go through the restoration process. During one test, they catch the billing issue with their cloud storage before it becomes critical. They also realize their recovery documentation assumes the server is working, so they update their plan to include scenarios where they need to restore everything to new hardware. When their server crashes, they’re back online in hours instead of weeks.
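The quarterly spot check described above can be scripted. This is an added example, not part of the original post: it samples random files from a live folder and grades each copy in a test-restore folder. The folder layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import random
import tempfile
from pathlib import Path

def digest(path):
    # Reads the whole file; fine for a spot check of a few documents.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def spot_check(live, restored, sample_size=3, seed=None):
    """Pick random files from the live tree and grade each restored copy."""
    files = sorted(p.relative_to(live) for p in live.rglob("*") if p.is_file())
    picks = random.Random(seed).sample(files, min(sample_size, len(files)))
    results = {}
    for rel in picks:
        copy = restored / rel
        if copy.is_symlink():
            status = "shortcut"   # a link back to the server, not a real copy
        elif not copy.is_file():
            status = "missing"    # never made it into the backup
        elif digest(copy) != digest(live / rel):
            status = "mismatch"   # stale or damaged copy; check when sync last ran
        else:
            status = "ok"
        results[str(rel)] = status
    return results

def run_demo():
    """Constructed sample data: one good copy and three broken ones."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        live.mkdir()
        restored.mkdir()
        for name, body in [("proposal.txt", "v2"), ("invoice.txt", "paid"),
                           ("slides.txt", "final"), ("notes.txt", "draft")]:
            (live / name).write_text(body)
        (restored / "proposal.txt").write_text("v2")       # good copy
        (restored / "invoice.txt").write_text("unpaid")    # sync stopped earlier
        os.symlink(live / "slides.txt", restored / "slides.txt")  # shortcut only
        return spot_check(live, restored, sample_size=4, seed=1)

if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(f"{status:9} {name}")
```

Anything other than "ok" is a finding to fix now. A "mismatch" can also mean the live file changed after the last backup ran, so compare it against when the backup was supposed to run.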
Your Task for This Week
Here’s what you can test:
Everyone: Test one piece of your digital recovery plan by actually doing it. Try logging into that backup email account. Check whether “Find My Device” can locate your phone right now. Pull up those account recovery codes you stored securely and make sure you can access them. Verify that one critical piece of your plan functions as intended.
Small Business Owners: Pick one critical system and walk through an actual restoration scenario. Can you really restore that backup? Do those admin passwords still work? Are the contact numbers in your plan still valid? Test one thing each month rather than trying to test everything at once.
Why This Matters
Testing helps you find problems and weak links while you still have time to fix them. Every gap you discover during testing is a crisis you’ve prevented during a real incident.
My Work
IR-2, Incident Training, took longer than I thought last week! For my Gmail account, I had to find the recovery email (g.co/recover) and document that in my Incident Response Plan (IRP).
I double-checked my recovery email and noted it in the IRP. While I was there, I went through and checked all of my Google account security settings, cleaned them up a bit, and downloaded my account recovery codes.
I also added some of the above information to my phone contacts to be able to easily find it if needed.
For this week, I’m going to check my Find My for my AirTags and other Apple devices.
Before You Go
Last week we covered how to keep your response skills sharp through mental rehearsal (IR-2). This week, we’re verifying everything works (IR-3).
Coming up next: IR-7: Incident Response Assistance—knowing when to call for help and where to find it.



