Attempting to make key decisions or develop policies while you are in the middle of a cyber-attack is a recipe for disaster. Planning ahead and having an incident response plan (IRP) in place is key to properly handling and responding to an attack. An IRP should be written, and updated on an ongoing basis, together with the appropriate leadership and decision makers at your organization. Different events can create different situations and needs, so as you look to develop an IRP, take your time and test your theories by running simulations and then debriefing on the results. Communication is an important factor during this stage, so ensure you have a team lead appointed who understands their role and responsibilities in declaring that an incident has occurred and managing the response. Once an incident has been declared and the proper notifications have been communicated, the incident must be contained, the damage assessed, and the system cleaned and recovered.