Recon InfoSec

Planning for the Worst: Making IR, BC, and DR Plans Work

Written by Macie Thompson | Jan 9, 2026 5:32:15 PM

Organizations know they should have plans for cyber incidents, but too often those plans are outdated, incomplete, or untested. Incident Response (IR), Business Continuity Plans (BCP), and Disaster Recovery (DR) plans are frequently treated as check-the-box documents instead of living, operational playbooks. The real cost of that mindset becomes painfully clear during a major cyber incident.

To illustrate why these plans matter, and how they must work together, let’s walk through a ransomware scenario impacting Small Town, USA. While this example uses a local government, the same principles apply to private companies, nonprofits, healthcare organizations, and educational institutions. Any organization that relies on technology to deliver services needs these plans to be accurate, aligned, and functional.

The Scenario: Ransomware Hits Small Town, USA

Small Town, USA’s IT department supports three major operational areas:

  • Town Administration – managers, HR, finance, clerks, and records
  • Public Safety – sheriff’s department, fire department, and emergency dispatch
  • Community Services – animal control, community parks, and the public library

In the middle of the night, dispatch systems begin displaying ransomware banners; within minutes, systems across Small Town’s entire network are encrypted. The attackers were able to gain access to the network, encrypt systems across all departments, and delete all on‑site backups.

The impact is immediate and severe. Small Town administration comes to a complete standstill. Emergency dispatch cannot process 911 calls. The sheriff’s department loses access to the critical federal law enforcement systems it uses to look up criminal justice information. The public library checkout software is bricked, and the animal shelter’s veterinary records have been encrypted.

This is no longer an IT problem; it’s an organizational crisis. Small Town pulls out its incident response plan and starts following the documented investigation and reporting procedures. They reach out for support from CISA, the state response resources, and their cyber insurance company. The departments are in chaos because they have no documented continuity plans to follow, and the IT team is swamped with requests from every department to prioritize restoring their systems.

Small Town IT pulls out its DR plan, knowing public safety is impacted while dispatch is down. Unfortunately, they find the DR plan is over a year old and doesn’t include any of the systems dispatch and the sheriff’s department currently rely on. Recovery slows as they try to figure out which systems take priority, and an already bad situation becomes more stressful.

No one wants to be in this situation, but it can happen to any organization at any time, and that’s why preparing for it is critical. As of 2025, the average downtime from a ransomware incident is 24 days, and only 15% of organizations report fully recovering their data. Let’s talk about how you can prepare so you recover faster.

First Line of Defense: The Incident Response Plan

The first document the IT team should reach for is the Incident Response Plan. This plan guides the organization through the initial chaos by answering critical questions:

  • How did the attackers gain access?
  • What systems and data are affected?
  • Is the threat contained, or still active?

It’s important that the IR plan includes a communication plan for the IR team. The IR team is responsible for reporting which accounts, systems, and applications were used by the malicious actor, so that those working on restoring operations can mitigate any vulnerabilities prior to restoration and attackers can’t immediately re-compromise your environment. You can read more about developing an IR plan here.

Keeping the Lights On: Business Continuity Plans

As IT begins response and recovery activities, every department should be pulling out its Business Continuity Plan (BCP). BCPs answer a different set of questions:

  • What operations can continue if systems are unavailable?
  • What manual processes or workarounds exist?
  • Which services are truly critical versus temporarily deferrable?
  • Do mutual aid agreements (MAAs) or memorandums of understanding (MOUs) exist to augment or continue operations during an outage?

These answers determine how the organization functions during prolonged outages, and they directly influence recovery priorities. Each department will end up with its own BCP detailing how it can continue its own operations when the systems or facilities it depends on are not available. Remember, these plans are not just for cyber-related incidents; they would be pulled out during a natural disaster as well.

Rebuilding the Environment: The Disaster Recovery Plan

Once the incident is contained, the focus shifts to Disaster Recovery. The DR plan provides the technical roadmap for restoring systems and services in a controlled, prioritized manner. A strong DR plan defines:

  • Which systems are restored first
  • Dependencies between systems
  • Recovery time objectives (RTOs) and recovery point objectives (RPOs)

The IT department normally owns and maintains this document, but the DR priorities included should not exist in isolation. They must be informed by the BCPs created by each department.

Common Pitfalls Organizations Face

Many organizations struggle not because they lack plans, but because the plans are misaligned or incomplete.

  1. IT Builds the Plans Alone. When IR and DR plans are written with minimal departmental input, recovery priorities often don’t reflect leadership or operational reality. What IT sees as critical may differ from what keeps the organization running or the public safe.
  2. Confusing BCP and DR as the Same Thing. Some organizations assume Business Continuity and Disaster Recovery are interchangeable terms. They are not.
    • BCP focuses on how work continues during outages
    • DR focuses on how systems are restored
  3. Ignoring BCP Workarounds in Recovery Priorities. Without BCPs, DR priorities are often guessed instead of informed.

Best Practices for Effective, Usable Plans

Organizations that handle major incidents well tend to follow the same principles:

  1. Build the IR Plan Collaboratively. The IT department may have primary responsibility for Incident Response, but it is rarely the final authority when it comes to external communication or law enforcement interactions, so it’s important this document has input from all appropriate departments.
  2. Each Department Builds Its Own BCP and Identifies Its DR Priorities. Each department should have its own Business Continuity Plan that details the workarounds it has in place when its critical systems are out. The department-specific BCP should help identify the priorities for restoring the services that impact its operations.
  3. Consolidate the Department Inputs to Align the Organization’s Overall DR Priorities. Establish a team with representatives from each department to build the organization’s overall DRP. Use the identified department priorities and available workarounds to establish the final plan. Take into account what resources your organization has during a disaster and what workarounds are available.
    • Use the identified BCP workarounds to manage competing restoration priorities. If departments have sustainable workarounds in their BCP, the corresponding systems have a lower restoration priority. For example, if Small Town Dispatch has an MAA with County Dispatch that allows them to continue operating out of the County’s facility, their systems can be moved lower in the restoration plan than systems that have no workarounds.
  4. Test, Review, and Update Regularly. Plans that aren’t tested rarely work as expected. As organizations grow and technology changes, plans must be reviewed, exercised, and updated to remain effective.
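The consolidation step above (and the DR plan elements listed earlier: restore order, inter-system dependencies, RTOs) can be made concrete as a small ordering exercise. The Python below is an added example, not code from the original post or from Recon InfoSec. It takes a constructed inventory for Small Town (the system names, departments, criticality ratings, RTOs, and dependency edges are all hypothetical) and produces a restoration order that (1) never restores a system before the systems it depends on, (2) lets a dependency inherit the urgency of whatever needs it, and (3) pushes systems with a sustainable BCP workaround, such as dispatch operating under an MAA at County Dispatch, behind equally critical systems that have none.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter


@dataclass(frozen=True)
class System:
    name: str
    department: str
    criticality: int        # 1 = highest, 3 = lowest; set by the owning department's BCP
    rto_hours: int          # recovery time objective agreed with the department
    has_workaround: bool    # a sustainable BCP workaround (MAA/MOU/manual process) exists
    depends_on: tuple = ()  # systems that must be restored before this one


# Constructed sample inventory for the Small Town scenario (hypothetical values).
SMALL_TOWN = [
    System("active-directory", "IT", 3, 48, False),
    System("cad-dispatch", "Public Safety", 1, 4, True, ("active-directory",)),   # MAA with County Dispatch
    System("cjis-gateway", "Sheriff", 1, 8, False, ("active-directory",)),        # no workaround
    System("finance-erp", "Administration", 2, 72, True, ("active-directory",)),  # manual process
    System("library-checkout", "Community Services", 3, 120, True),               # paper checkout
    System("shelter-records", "Community Services", 3, 96, False),
]


def priority_score(s: System) -> tuple:
    # Lower sorts earlier: department criticality first, then "has a workaround"
    # pushes the system later, then the tightest RTO wins ties.
    return (s.criticality, 1 if s.has_workaround else 0, s.rto_hours)


def effective_scores(systems: list[System]) -> dict[str, tuple]:
    """A dependency inherits the best (lowest) score of anything that needs it,
    so a low-rated shared service such as directory services is pulled forward
    when a critical system cannot come up without it."""
    dependents: dict[str, list[str]] = {s.name: [] for s in systems}
    for s in systems:
        for dep in s.depends_on:
            dependents[dep].append(s.name)
    scores = {s.name: priority_score(s) for s in systems}
    changed = True
    while changed:  # propagate until no score improves; terminates because scores only decrease
        changed = False
        for name in scores:
            for child in dependents[name]:
                if scores[child] < scores[name]:
                    scores[name] = scores[child]
                    changed = True
    return scores


def restoration_plan(systems: list[System]) -> list[str]:
    """Dependency-respecting restore order: among the systems whose
    prerequisites are already restored, always pick the most urgent next."""
    scores = effective_scores(systems)
    ts = TopologicalSorter({s.name: set(s.depends_on) for s in systems})
    ts.prepare()  # raises graphlib.CycleError if the dependency map is circular
    order: list[str] = []
    ready = set(ts.get_ready())
    while ready:
        nxt = min(ready, key=lambda n: (scores[n], n))
        ready.remove(nxt)
        order.append(nxt)
        ts.done(nxt)
        ready.update(ts.get_ready())
    return order


if __name__ == "__main__":
    for i, name in enumerate(restoration_plan(SMALL_TOWN), 1):
        print(f"{i}. {name}")
```

Running it puts directory services first even though IT rated it lowest, because both public safety systems depend on it; the sheriff’s CJIS gateway comes before dispatch because dispatch has the MAA workaround; and the library, which can fall back to paper, restores last. Swapping `has_workaround` on any entry and rerunning is a quick way to see how a newly documented BCP workaround reshuffles the DR order.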

Final Thoughts

A ransomware attack like the one faced by Small Town, USA isn’t a fantasy scenario that can be ignored. It’s happened to government agencies, hospitals, and private industry. Attacks of this scale test the entire organization’s coordination, communication, and preparedness. Incident Response, Business Continuity, and Disaster Recovery plans are most effective when they are accurate, aligned, and built with the entire organization in mind. Will the plans on your shelf actually work when everything goes dark?