One of the big things that surprised me when I first started trying to help local small businesses was the lack of a plan or knowledge of what to do should something happen. In my larger enterprise experience, there were disaster recovery plans and incident response plans out the wazoo. We tested them often and made sure we knew what to do.
When I asked my first small business client what they would do should something happen, they had absolutely no idea. They did not know who they would call. They did not know whether the group they might call could even help them.
The wrong time to put together a plan of what to do is when the worst thing is actually happening. There will be tons of pressure and stress. You won't be able to think clearly and may very well be panicking.
An incident response plan can be as simple as a list of who to call. It does not have to be hard. But before something actually happens, make sure you have talked to those on your list of who to call in an emergency, and make sure they are the right people. Role-play: pretend something has happened and see if your plan works as well as you thought it might.
Many new cybersecurity regulations are going into effect that require reporting within 48-72 hours of an incident. In today's world it is not if but when something will happen. You need to make sure you have a plan before an incident happens, as you will not have a lot of time before you have to disclose.