A mid-sized logistics company in Kharkiv spent four days recovering from a ransomware attack last year. Their incident response plan existed — it was just buried in a shared folder nobody had opened since 2021. The cost of that delay was not just financial.
What the situation looked like before
The IT team had no clear chain of command during the incident. Three people were making conflicting decisions about whether to shut down servers. Communications to clients went out 36 hours late because nobody knew who owned that responsibility.
Leadership was informed through a group chat. There was no documented escalation path, no pre-approved vendor contacts, and no offline backup of critical credentials.
The specific gaps that caused the most damage
- No defined roles per incident severity level
- Response playbooks written in technical language non-IT managers could not parse
- Contact lists stored only in cloud systems that were also compromised
- No tabletop exercises run in the previous 18 months
What changed after the rebuild
The company restructured their plan around four severity tiers, each with a named owner and a checklist readable by any department head. Critical contacts were printed and stored in two physical locations.
They ran a simulated incident drill within 60 days. The second drill, six months later, took the response team from initial detection to full containment decision in under 40 minutes — compared to the original 11 hours.
What this means for your planning process
An incident plan is only as useful as the last time someone practiced it. If your team has not walked through a scenario in the past year, the document is mostly decorative.