Lessons from an Accounting Firm’s Information Security and Incident Response Assessment

In today’s ever-changing business landscape of increasingly regulated and cyber-threatened environments, Information Security (IS) and Incident Response (IR) planning is no longer a “nice to have” – it is a business necessity, especially for small and medium-sized businesses.

In 2025, cybersecurity ranks as the second biggest business threat for small and mid-sized businesses. Nearly 43% of cyberattacks target small and medium businesses, yet only 14% feel adequately prepared to defend against them.

Despite the prevalent risk, many organizations, especially those outside of the traditional technology sector, continue to put Information Security and Incident Response planning on the back burner.

Recently, Synergy Technical partnered with a mid-sized accounting firm to conduct a comprehensive assessment of their Information Security Plan (ISP) and Incident Response Plan (IRP). While accounting firms are adept at handling sensitive financial and tax data, it is common to prioritize daily service delivery and client data accuracy over formally defined and communicated security protocols. That is, until an incident occurs.

Synergy Technical’s objective for this engagement was to evaluate the firm’s current security posture, as outlined in their ISP and IRP documents, against industry best practices and regulatory expectations. This included but was not limited to NIST, CIS, ISO standards, and relevant IRS publications (e.g., 5708). The result was an actionable gap analysis targeted at improving the organization’s ability to define, detect, respond to, and recover from security incidents.

Common Gaps, Large Risks

Our assessment revealed several high-risk areas that are all too common among professional service firms:

  • Lack of Real-Time Threat Monitoring:
    • No Network Detection and Response (NDR) or Security Information and Event Management (SIEM) tools are currently in place, limiting visibility into potential threats.
  • Incomplete Incident Response Framework:
    • The existing plan lacked defined severity levels, escalation paths, recovery objectives (RTO/RPO), and a structured response lifecycle (e.g., NIST 5-phase model).
  • Undefined Testing and Validation Cadence:
    • No formal schedule exists for penetration testing, vulnerability assessments, or breach simulations, leaving anticipated defenses unverified.
  • Missing Device and Data Inventory:
    • There is no comprehensive inventory of devices accessing sensitive data or an existing data classification and retention framework, increasing the risk of unmanaged exposure and making it extremely difficult to determine the scope of assets at risk and how to contain a potential breach.
  • Weak Access Control Governance:
    • Access controls are inconsistently or poorly defined and enforced, leaving critical systems and information exposed to both internal and external threats.

Turning Insight into Action

Beyond gap identification and analysis, the value of this project came from translating our findings into clear, prioritized next steps. Collaborating with the firm’s internal IT and leadership teams, we:

  • Provided detailed feedback and strengthened documentation:
    • We meticulously redlined the existing ISP document and suggested and facilitated structural and formatting improvements (e.g., adding version control, a table of contents, and references to applicable standards like IRS Pub 5708 and NIST).
  • Complete Revamp of the Incident Response Plan:
    • We overhauled the IRP to include severity levels, escalation paths, recovery objectives, and alignment with the NIST 5-phase lifecycle for a structured and effective response process.
  • Prioritized Risk Areas:
    • Translated our findings into a prioritized list by risk ranking, focusing first on critical gaps like the absence of an existing SIEM tool, incomplete incident response procedures, lack of defined roles/responsibilities, and undefined testing schedules.
  • Defined Tactical Next Steps:
    • Outlined actionable recommendations for the identified gaps. These included, but were not limited to, best practices for implementing a third-party SIEM solution, formalizing user access reviews and access controls, and industry best practice penetration testing vendors/cadences.
  • Defining Roles and Responsibilities:
    • Advised and assisted the firm in explicitly defining standard incident response team roles, escalation paths, and contact information to ensure accountability and clear line of sight into roles and responsibilities during a potential breach.
  • Expanded Policy Coverage:
    • Recommended the creation or refinement of key organizational policies, including data retention and destruction, access control, and vendor management protocols.

The result of these actions? A comprehensive assessment of the firm’s present risk exposure, enhanced operational preparedness, and improved maturity in governance, incident response, and cybersecurity.

Why this Matters – Even if you are not a Technology Company

The completion of this project underscores a broader trend we are seeing across many industries. Organizations that do not view themselves as ‘tech companies’ often underinvest in security preparedness. Yet cyber and security incidents do not discriminate by industry or by the size of your organization.

In 2025, 43% of all cyberattacks targeted small and mid-sized businesses, with over 50% of those companies experiencing at least one breach in the past year. The financial impact is staggering: each incident costs between $84,000 and $148,000 on average, and 60% of affected businesses shut down within six months. Source: SpyHunter 2025 Cybersecurity Stats

Modern threat actors actively target companies that handle sensitive client data, especially those in financial services, legal, and healthcare – regardless of their technical footprint. An up-to-date, well-understood, and actionable Information Security Plan and Incident Response Plan cannot be treated as check-the-box exercises. They are foundational blueprints for business continuity and resilience. While these are by no means the only critical documents an organization should maintain, these plans empower teams to respond decisively, limit damage, and recover efficiently in the face of critical threats to the business’s operations and reputation.

Ready to Assess Your Organization’s Risk?

If your organization has not recently reviewed its information security or incident response plan – or worse, does not maintain these documents – we are here to help. Synergy Technical specializes in helping organizations assess, align, and strengthen their security posture based on real-world standards and business needs.

Adam Farnsworth is a seasoned cybersecurity and technology risk professional with deep expertise in managing complex projects, mitigating technology risks, and aligning technical execution with strategic business goals. As a Senior Technical Project Manager at Synergy Technical, he leads cross-functional initiatives focused on secure solution delivery, risk management, and process optimization. Prior to this, Adam spent over five years at Ernst & Young (EY), advancing from Consultant to Manager while spearheading IT audits, SOX compliance programs, and internal control enhancements across various industries. He holds a CISA certification and a degree in Business and Computer Information Systems Security from James Madison University, bringing a strong technical and analytical foundation to every initiative.

 


 

When it comes to securing your cloud environment and addressing complex security challenges, you need a trusted and experienced partner. Synergy Technical has a proven track record of delivering tailored Cloud Security Assessments to organizations worldwide. With expertise across all 50 states and 70+ countries, we have the knowledge and technical skills to help you protect your cloud infrastructure, optimize your security configurations, and safeguard your organization’s critical data. Let us help you strengthen your defenses and build a resilient foundation for long-term success in the cloud.

 
