Lack of Emergency Concepts in SMEs in the Event of Cyber Attacks

As the digitization of companies progresses, information security must also be kept in mind at all times, because hackers exploit every loophole they can find. Thus, cyberattacks are a serious business risk, not only for large, but also for small and medium-sized enterprises. To counter this in the best possible way, clear emergency concepts for cyberattacks are needed.

Organized attacks with high criminal energy have been increasing in recent years. A particularly recent example is the attack on the online comparison service Comparis. Hackers have paralyzed the website and gained access to customer data. The seemingly only way out of the company – surrender to the blackmailers. Comparis said it settled and paid a ransom for the decryption. A strategy that industry experts do not recommend. (A detailed report on the case can be found here).

The problem here is also that cyber risks can only be partially insured, as the risks are very diverse. It is virtually impossible to cover all hazards, but there are some cybersecurity insurance policies with various ranges of benefits.


Emergency Concepts in SMEs

If a cyberattack occurs, it is important to be prepared and to have an up-to-date and well-rehearsed emergency concept. Often, however, this is precisely what is lacking in SMEs. It is therefore necessary to create an internal organization within the company. To do this, a company should ask itself these three questions in particular:

  1. Who is responsible?
  2. What threats may arise?
  3. What measures need to be taken?

1. Who is responsible? Role definitions of all participants

Clear responsibilities and areas of responsibility are essential for an emergency concept in the event of cyberattacks. It should be precisely defined in advance who will take on the following roles and functions and whether they are to be filled internally or externally:

  • Crisis management
  • Communication Management
  • Legal aspects
  • Sponsors
  • Cybersecurity Experts
  • Other, depending on the company

2. What threats can arise? Risk identification and assessment

An emergency concept can only prepare a company for contingencies. As with cybersecurity insurance, it is nearly impossible to have a plan in place for all risks. Nevertheless, there are common threat types for which a company can equip itself individually:

  • Natural hazards (floods, major fires, storm damage, …)
  • Faulty tampering (accidental damage, data destruction, loss of keys …)
  • Technical failure (power failure, cable fire, hardware and software errors, …)
  • Intentional acts (cyberattacks, sabotage, theft, vandalism, …)
  • Organizational deficiencies (lack of responsibilities, lack of archiving, deficient contracts, insufficient know-how, …)

The threat situation may change over time. For example, as described above, cyberattacks on companies are becoming more frequent, and natural disasters are spreading to regions that were not affected 10 years ago as a result of climate change. Therefore, it is recommended to regularly review and update the threats and subsequent measures.

In addition, the threats can still be expanded by their probability of occurrence and impact. Accordingly, the measures must also be adjusted.

3. What measures need to be taken? The actual emergency process

Once the responsible parties have been determined and the most likely threats have been identified, it is important to develop a procedure for the emergency in question. Some of the following procedures may apply to multiple threat situations.

  • Assess extent of damage
  • Convene emergency organization in case of need
  • Prioritization of the recommissioning of individual services
  • Involvement of responsible persons/companies (internal and external according to role definition)
  • Initiate possible immediate measures
    • e.g. disconnecting systems from the network, cleanup or reinstallation, data recovery, etc.
  • Resource planning (internal and external)
  • Compliance with reporting requirements (e.g., for data protection officers)
  • Filing a criminal complaint with the cantonal police
  • (Customer) communication
    • Communication strategy according to role definition
    • Listing of all affected
    • Who is affected by the threat and to what extent (customers, systems, …)
    • Record periods
  • Dealing with ransomware
    • Involvement of the insurance company and cantonal police


The best possible cybersecurity is characterized by a combination of intelligent and modern technologies, as well as clearly structured processes and good preparation. As a company, you need to be aware of the threat level of potential attacks and be prepared to take targeted and rapid action. This is best achieved with a clear, well-rehearsed emergency concept for cyberattacks. The goal is to keep the damage as low as possible.

If you want to know more about cybersecurity, our Cybersecurity Awareness Training provides you with basic knowledge about current, high-consequence risks. Learn how to protect your data in the best possible way – from technology to possible human errors, we make you fit in cybersecurity!

You do not yet know the current status of your company in the area of cybersecurity? No problem. With our standardized procedure, based on scientifically recognized methods, we work out your personal starting position together with you using the Cybersecurity Risk Assessment.

Would you like to be informed about our latest blog posts in the future?
Just subscribe to our newsletter now!

Subscribe to our newsletter
13. January 2023