IT emergency response management for your SME.

What's an IT emergency response plan?

An IT emergency response plan, also known as a cyber incident response plan or CIRP for short, allows you to prepare for a serious incident.

The objective of an IT emergency response plan is to mitigate downtime and the financial impact of a cyber incident. It helps to communicate quickly and professionally in the event of such an incident, so as to counteract possible reputational damage in good time. It also helps ensure that employees behave correctly in the event of an incident without panicking: they can follow the defined plan and know what to do, resulting in significantly fewer mistakes.

How can you best prepare for an IT emergency?

• Appoint officers for IT/OT security and emergency management issues in your company (if possible, not the same people).
• Identify time-critical business processes, assets (crown jewels) and emergency-critical systems (e.g. address database, e-mail system, appointment calendar). Prioritize and implement protective measures for these.
• Ensure that you have individual initial measures in place for IT incidents (including alerting and reporting channels within the company, for example). Be sure to print out your emergency plan and tell your relevant units where it is stored. In the event of a cyber attack you may no longer have access to your IT system.
  
• Define contingency levels (e.g. provide replacement PCs, equip all workstations with at least two web browsers etc.).
• Define measures to recover your systems quickly, and consider how work could be continued in the event of critical system failures, including cloud systems and solutions (e.g. print out key contact details, use alternative infrastructures, software and platforms, provide migration tools).
• Clarify with your IT service providers what kind of IT incidents they can help you with (including ransomware, denial of service (DoS), cyber fraud, website hacking).
• Identify other IT service providers who could help you to cope in such situations, and contact them if necessary. Our network of experts can help you here.
• Establish rules for internal and external communication. Our partner Farner Consulting AG will be happy to provide press and public relations assistance.
• Draw up a list of contacts, detailing their tasks and roles as well as when they are available. This list can include IT service providers, public relations partners, legal consultants, police and insurance providers, for example.
• Think of basic organizational and technical protection measures. Our cyber security checklist will help you with this.
• Put active monitoring measures in place for your IT landscape. Our partner Coinnect offers a suitable service for this.
• Comply with data protection requirements, including Switzerland's Federal Act on Data Protection and the EU's General Data Protection Regulation (GDPR).
• Have your IT infrastructure checked for vulnerability (e.g. by means of penetration tests or bug bounty programmes). Our partner GObugfree offers a suitable service for this.
• Make an inventory of your IT infrastructure (including a network plan). In addition, keep a record of who works with which system (names and phone numbers) so that you can provide targeted information in an emergency.
• Network your systems restrictively (network segmentation).
• Prepare reporting channels for external reporting obligations (data protection, critical infrastructures, cyber insurance etc.).
  

How can I ensure that my business is prepared for an IT emergency at all times?

• Check the security status of your IT systems on an ongoing basis (e.g. through the regular certification of your IT/OT security). Our partner cyber-safe offers a suitable service for this.
• Carry out IT emergency drills (e.g. scenarios such as server failures or cyber attacks). Practice will help you develop the professionalism and skills that will enable you to identify loopholes and gaps in your safeguarding framework.
• Designate an appropriate first point of contact for IT emergencies and ensure that they can be reached. Remember that while not every hardware or software malfunction is the result of a cyber attack, any failure in an IT system could be due to such an attack.
• Ensure that your staff know who to contact in an IT emergency (e.g. by using an IT emergency card).
  

What should my business do to best handle an IT emergency situation?

• Contact everyone in the organization whose support you need.
• Ask affected users about their observations and activities.
• In the event of a cyber attack, disconnect the affected systems from networks (cable and WLAN/WiFi).
• Contact IT service providers who can help you with the recovery.
• Notify the provider of your cyber insurance (if you have one). If you wish, you can also obtain support in various areas through our network of experts. (Keyword: crisis management).
• Collect and back up system logs, log files, etc.
• Document facts that could be related to the emergency.
• Consider contacting the cantonal police and the National Cyber Security Centre (NCSC).
• Observe the reporting obligations (under the Swiss Federal Act on Data Protection and the GDPR, inter alia).

Sample letter to customers following a cyber attack

What points do I need to pay attention to following an IT incident?

• Close any vulnerabilities and security loopholes revealed by the IT emergency.
• Monitor and supervise your network and IT systems particularly thoroughly in the aftermath to make sure they are functioning properly again, and to detect any attempted repeat attack in good time.
• Lessons learned: Review the existing regulations, processes and measures, optimizing them if necessary.
• Keep your emergency management documentation up to date.
• Refine your IT security architecture.