5 Critical Pieces of a Good Security Playbook

To ensure business continuity for their clients, MSPs need a comprehensive plan covering a cyber incident's immediate and long-term effects.

Cyber Security

Cybersecurity today requires much more than just backup and disaster recovery. For MSPs to ensure business continuity for their SMB clients, they need a comprehensive plan covering both the immediate and long-term effects of a cyber incident. A properly designed cybersecurity playbook assumes that data loss will occur and provides reassurance that the business will survive regardless of how the data is lost. This article answers the most critical questions surrounding recovery, including:

  • What is the difference between an incident response (IR) plan and a business continuity plan (BCP)?
  • What are the five critical pieces of a good cybersecurity playbook?
  • How do I get started?

Incident Response Plan + Business Continuity Plan = Cybersecurity Playbook

A cybersecurity playbook is an all-encompassing, organization-wide manual that dictates precisely what actions to take when data loss occurs. It combines an incident response plan (IR plan) with a business continuity plan (BCP) to guide you through a cyber incident from initial discovery to preventing a reoccurrence. Sometimes these plans can be incorrectly referred to interchangeably, but the significance of differences is key to creating an ironclad cybersecurity playbook.

Immediate and Long-Term Planning

Imagine that a cyber incident has just occurred. Whether it’s a natural disaster, a ransomware attack, accidental data deletion, or a critical device is lost, stolen, or destroyed; your IR plan answers the question, ‘what now?’ It’s a detailed plan that starts with your incident response team members. These are the first people to be contacted, who will then complete the tasks outlined in your cybersecurity playbook. Once the incident has been discovered, the team is responsible for the following:

  • Assessing the damage and determining whether tools need to be shut down – essentially, ‘stop the bleeding.’
  • Tracking the incident
  • Contacting the cybersecurity insurance provider and/or lawyer(s)
  • Coordinating with insurance-approved IR provider
  • Outreach to affected customers
  • Compliance with breach notification regulations (i.e., HIPAA, GDPR, state laws, etc.)

BCP takes over once the initial IR plan is already in motion. It defines how a business will continue running while the IR plan is moving, despite a crisis situation. For example, your cyber liability insurance provider will most likely conduct forensics following a breach to determine the payout of your claim. Your BCP provides a resolution for doing business despite being locked out of your systems. To combat that common scenario and more, every business continuity plan should include the following:

  • An in-depth audit of the various risks, threats, and problems most likely to impact business operations
  • Mission-critical business functions and processes that, if interrupted, will cause operations to stop
  • Internal personnel who have the authority to declare a disaster and communicate with external stakeholders
  • Emergency communication plan for alerting employees, vendors, and stakeholders if critical systems are unavailable and business facilities are inaccessible

Preventing, Addressing, and Recovering

Put your IR plan and your BCP plan together, and you’ve got the basis for a good cybersecurity playbook. However, good isn’t good enough in today’s cyber climate – it has to be downright outstanding. The five critical pieces of a cybersecurity playbook include:


When it comes to a cyberattack, we always say that it isn’t a question of if but when you and your clients will be hit – but that doesn’t mean you want to make it easy. You need a layered security-first approach to protecting business-critical data, which is the beginning and end of your cybersecurity playbook. Before and after a cyber incident takes place, you need to reassess your level of protection.

  • What layers of security are keeping attackers out?
  • What threats are currently being exploited, and what protections are in place to address them?
  • What is your intrusion detection mechanism? What are you tracking on your network?

These questions should be regularly discussed as part of your cybersecurity playbook practice drills, tabletop exercises, and updates. At least quarterly, your incident response team and associated stakeholders need to come together to make sure the playbook is still actionable based on the current cybersecurity landscape and business environment. Allowing a playbook to go stale could be the difference between surviving an attack or losing your livelihood.


Intrusion detection, dwell time, and scope of compromise define the detection piece of your cybersecurity playbook. These are the tools you rely on to kick off the first actions of your cybersecurity playbook: your IR plan. They are also essential for tracking, reporting, and understanding a breach to meet compliance and regulation standards and prevent a future attack.

  • Intrusion detection: Knowing when there’s been an attack or breach. How will you be notified of data loss or suspicious activity?
  • Dwell time: The amount of time the bad actor has been on your network or systems. Unfortunately, with today’s complex attacks, it could be months that hackers are sitting silently, penetrating systems, observing routines, and planning their attacks. When did the breach occur versus when you found out? 
  • Scope of compromise: The number of things affected or touched, the type of data impacted, and what data has been extracted. What did the bad actor do once they gained access?


Streamlined communication and a clear understanding of each person’s responsibilities will help you recover quickly and smoothly during a crisis. A critical piece of your immediate response is communicating with your incident response team. Depending on the type and severity of the cyber incident, you may not have access to communication systems, including phone and email. Be sure your team is ready to receive and react to emergencies through various channels.

Outside of your emergency team is the people who are authorized to coordinate and speak to external stakeholders, including clients, vendors, government and regulatory agencies, lawyers, financial personnel, and public relations. For businesses operating under compliance standards and regulations, it’s vital to understand and follow breach notification policies to avoid fines and penalties. These statutes should always be revisited during quarterly updates and discussions.


Your cybersecurity playbook must be followed no matter the size of the incident. What may seem like a regular, contained, or minor cyber incident – for instance, clicking a phishing link in an email or losing a device – still needs to follow the protocol of the playbook. For efficiency, a cybersecurity playbook should have criticality classifications and clear directions to help define the impact of a breach. Then, based on the incident’s significance, the incident response leader will choose the appropriate path or play from the playbook.

Avoid unreported or underreported incidents by including reporting policies in regular company-wide security training. Everyone in the organization should know not to attempt to respond to an incident by themselves. After all, human error is the number one cause of data loss, so normalize reporting over blaming. Failure to report a problem is the problem – not the breach itself.


Recovery largely comes down to the business continuity and disaster recovery (BCDR) solutions that MSPs choose for themselves and their clients. Today’s cybersecurity landscape demands more than just legacy backups to keep businesses open. Knowing how reliant SMBs have become on backups alone, bad actors are purposely deleting, encrypting, and holding them ransom to increase the likelihood of payment.

Fortunately, modern BCDR solutions give MSPs the tools and features necessary to recover from complex and sophisticated attacks. If your solution does not provide the following, you are risking not being able to recover your backups, which could be fatal during a cyber incident.

Developing Your Own Cybersecurity Playbook

Axcient has created an Incident Response Checklist to help you cover your bases as you amass your cybersecurity playbook. Utilize this checklist and the information above as a jumping-off point and customize depending on industry, location, insurance policies, infrastructure, and of course, feedback from your incident response team. This is merely the basics of a cybersecurity playbook, but it’s enough to start getting you prepared for surviving the inevitable. Through discussions with your incident response team, quarterly updates and upgrades, and practice drills, you will develop a playbook that helps you sleep at night.

Additional resources include:

See how Axcient x360Recover provides comprehensive business continuity to reinforce your cybersecurity playbook without the local appliance. Using Chain-Free technology, Axcient allows MSPs to standardize, simplify management, and lower costs while providing best-in-class security with built-in, always-on features like AutoVerify, Virtual Office, and AirGap.

Ben Nowacky

As Senior Vice President of Products for Axcient, Ben Nowacky leads the Engineering and Security teams to provide business continuity and cloud enablement services. He’s also a semi-amateur boxer and modern-day renaissance dog trainer. When he’s not banging the keyboard and helping MSPs, he loves long walks on the beach and romantic dinners with his wife.