The Incident Response Test You Can Run Today

Here is a test that will tell you whether your company would survive a security incident. It takes 10 minutes and zero budget.
Walk over to your CTO, IT lead, or whoever owns security at your company. Ask them these 5 questions:
Question 1: First response
If we discovered a data breach right now, what is the first thing we do? If the answer is vague or starts with "well, it depends," that is a gap. The first 60 minutes of an incident determine whether it costs you $50,000 or $5 million. You need a specific, documented sequence.
Question 2: The team
Who is on our incident response team? Not titles. Names. Who gets called at 2 AM on a Saturday? If there is no defined team with contact information, you are improvising during a crisis. That never ends well.
Question 3: Legal obligations
What are our legal notification obligations? Most states require breach notification within 30-72 days. HIPAA has its own timeline. GDPR requires 72 hours. If your team does not know the specific requirements that apply to your business, you risk regulatory penalties on top of the breach cost.
Question 4: Testing
When did we last test our incident response plan? A plan that has never been tested is a document, not a plan. Tabletop exercises, where you walk through a simulated incident as a team, take 2 hours and reveal gaps you would never find on paper.
Question 5: Documentation
Where is our incident response plan documented? If the answer is "in someone's head" or "I think it is on the shared drive somewhere," that is the same as not having one. During an actual incident, stress and adrenaline eliminate the ability to think clearly. The plan must be accessible, current, and specific.
Score yourself
5 clear, confident answers: You are ahead of 90% of mid-market companies. Review the plan annually and run tabletop exercises quarterly.
3-4 answers: You have a foundation. The gaps are fixable in a few focused days.
0-2 answers: This is your wake-up call. But it is better to discover this now than during an actual incident.
The minimum viable plan
Define the team (names, roles, contact info).
Define the first 4 steps when an incident is detected.
Document who communicates with customers, legal, and regulators.
List your key vendors' emergency contact information.
Set a quarterly review date.
One page. One afternoon of work. The difference between controlled response and complete chaos.

