Incident response for small businesses

I am not in the MSP business but have had several friends with small businesses that were compromised lately, which has me thinking about how they can manage these situations. I work for a large organization which has full IR capabilities like forensics, reverse engineers, threat intel, etc., but these capabilities are out of reach of small businesses and many small business MSPs. I would also imagine most small businesses can’t afford to hire Mandiant to investigate either.

What is the best case scenario for these small businesses when they need more attention than their MSP (if they have one) can provide? Are there good IR firms that are more oriented towards small businesses?

Insurance… Some Cyber Insurance policies specify that they select the Incident Response company to do the work. If they don’t have insurance, depending on the size, it’s not hard to burn the network to the ground and rebuild. It all depends on regulations, reporting requirements, etc.

To answer your question, the IR company that I partner with (they sell honeypot appliances that some of my clients require) charges $700/hr for IR. For many small businesses it’s cheaper to burn and rebuild than to go through full forensics.


Agreed, a good and specific cyber liability policy. It’s really no different than having other types of insurance to protect from losses that are too expensive for the business to handle.


Chubb is one of the insurance carriers that provides IR and remediation services from established forensic providers. SMBs should look for extensible coverage and not just premium.

We typically recommend thorough backup discipline with daily, offsite backups, i.e., two people take home backup copies. (Simple method for small companies: Acronis TrueImage; the full backup on Friday gets copied to two portable disks, each of which goes home with someone, preferably people who do not live close together. Daily incremental backups are also written to two DVDs, which go home with the same two people. The monthly full backup goes in a bank lockbox.) If the business is running a transaction database, then it’s also critical to run a full transaction journal and copy that to either portable disks or DVDs, more than once a day if the transaction volume is high.

Biggest risk is malware that replicates to laptops that go home, likely replicating the virus to the home network, making remediation a difficult task. For this reason we also recommend that the company provide a separate, preferably wired, router for home offices.

We also recommend that no small business operate their own web servers; use the cloud. And we very strongly encourage a Netgate firewall with Snort and pfBlockerNG. We also refer them to a specific outside consultant to manage the firewall.

For the terminally paranoid, we recommend 3x5 cards!
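The weekly-full, daily-incremental rotation with two take-home copies described in the post above, as an added example that is not from the original thread or from Acronis: it picks the backup kind from the calendar date, writes a tar archive (everything for a full, only files changed since the last full for an incremental), copies it to two destinations and verifies each copy's SHA-256, and refuses to run with fewer than two copies. The paths, the mtime-based change detection and the 64 KiB hashing chunk size are assumptions.

```python
import hashlib
import shutil
import tarfile
from datetime import date
from pathlib import Path
from typing import Optional


def backup_kind(day: date) -> str:
    """Monthly full on the 1st (bank lockbox), weekly full on Friday, else daily incremental."""
    if day.day == 1:
        return "monthly"
    if day.weekday() == 4:  # Monday == 0, so 4 is Friday
        return "full"
    return "incremental"


def sha256_of(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_archive(src: Path, out: Path, since: Optional[float]) -> list:
    """Write a gzip tar of src; since=None takes everything, else only files modified after it."""
    members = []
    with tarfile.open(out, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file() and (since is None or p.stat().st_mtime > since):
                name = p.relative_to(src).as_posix()
                tar.add(p, arcname=name)
                members.append(name)
    return members


def run_backup(src: Path, staging: Path, copies: list, day: date,
               last_full_mtime: Optional[float] = None) -> dict:
    """One backup run: archive, copy to every offsite medium, verify each copy by hash."""
    if len(copies) < 2:
        raise ValueError("policy requires at least two offsite copies")
    kind = backup_kind(day)
    since = last_full_mtime if kind == "incremental" else None
    archive = staging / f"{day.isoformat()}-{kind}.tar.gz"
    members = make_archive(src, archive, since)
    digest = sha256_of(archive)
    copies_ok = []
    for dest in copies:
        target = dest / archive.name
        shutil.copy2(archive, target)
        copies_ok.append(sha256_of(target) == digest)  # a bad disk or DVD shows up here, not at restore time
    return {"kind": kind, "members": members, "sha256": digest, "copies_ok": all(copies_ok)}
```

The verification step is the part worth keeping even if the rest is replaced by a commercial tool: a copy that hashes differently from the staging archive is not a backup.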