Emergency Concept For Cyberattacks – The 7 Most Important Steps

A careless click on an attachment from a spam email, lack of two-factor authentication or security software on the computer, insecure passwords and other vulnerabilities – malware, a virus or a hacker can quickly gain access to your network. The damage caused by cyberattacks is then great, and often companies are not sufficiently prepared for such incidents.  

One of the most important and helpful steps that SMEs in particular can take is to define an up-to-date and well-established emergency concept. We have described in more detail how such a can look like in a previous blog post.  

If the worst has happened, and you’ve been the victim of a hacker or other cyberattack, it’s important to take the right measures quickly. The real emergency process for your safety begins:

  1. Stay calm and inform those responsible
  2. Assess extent of damage
  3. Prioritize the recommissioning
  4. Initiate possible immediate measures
  5. Report obligations & criminal charges
  6. (Customer) communication
  7. Deal with ransomware


Emergency Process In the Event Of a Hacker Attack

1. Remain calm and inform those responsible

A thoughtful and considered approach to a stressful situation is always particularly important. This way, you keep a clear overview and don’t act on impulse. As described in our earlier blog entry, you should have clear responsibilities and areas of responsibility clarified in SMEs. These must be informed immediately in the event of hacking or a cyberattack so that the next steps can be taken.

2. Assess the extent of damage

Foremost, it is necessary to check how big the damage actually is.

  • Which computers, systems or files are affected?
  • Possibly the whole network, a cloud or a single website?
  • What was being worked on when the problem occurred, and what exactly happened?

If a website has been attacked, a close inspection of the affected pages and directories is necessary, as a malicious code may have been placed on multiple subpages or may spread to other computers. It makes sense to clarify at the incident stage which emergency organizations and IT security experts will be called in should the attack be of unmanageable size.

3. Prioritization of recommissioning

Once the damage has been looked at in detail and all the information has been gathered, it should be clear which business areas are affected. If there are sub-areas that are functioning independently and where there is no risk, people on your IT security team can have them put back into operation. Ideally, prioritize ahead of time which are the most important services and thus need to go live first.

4. Initiate possible immediate measures

Once the first points have been clarified, you must act as quickly as possible to protect yourself from further damage. Your IT service providers should then take affected areas offline to prevent further malware from spreading. Other immediate measures would include disconnecting systems and computers from the network, cleaning or reinstalling, backing up and/or restoring data, etc. In addition, access to your company’s email accounts, devices, and databases should be blocked and users informed. Keep in close contact with your own security experts as well as external service providers, and be guided by prioritization. Regularly back up your most important data so that your data loss in case of a hacker attack is as low as possible.


5. Reporting obligations & criminal charges

In Switzerland, there is currently no general obligation to report cyberattacks. This was only approved for FINMA-regulated firms and critical infrastructures in the form of a legislative revision by the Federal Council for consultation. However, this should only apply to operators of critical infrastructures and cyberattacks that have a “significant potential for damage.” The decision was made on the basis that the National Cyber Security Center NCSC receives an average of over 300 reports per week of successful or attempted attacks. It therefore makes sense to report attacks in view of the overall situation, so that responsible authorities can get an overview of the situation and take better measures for security in the future.

It is also important to note that as soon as data subjects are exposed to a high risk of impairment of their personality or fundamental rights, i.e. sensitive data such as personal information is affected, a report must be submitted to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible.

For legal processing, a cyberattack can also be filed for criminal charges with a specialized cyber law enforcement agency. In many cantons and also at the Swiss federal level, there are competent offices that can help you identify the perpetrators and recover any stolen assets.

6. (Customer) communication

An often awkward and vulnerable aspect of the emergency process is communication. Both internally and externally with customers, suppliers or other business partners, a serious hacking attack must be communicated. Internal communication should take place right at the beginning. First, as described in point 1, the responsible parties must be informed. In addition, employees also need to be aware of the situation so that there is no uncertainty about possible failures.

External communication with customers is particularly delicate, because as a company, you also want to save face. To do this, point 2 must first be clarified – is this an emergency or a possibly longer-lasting crisis? Possibly the problem is quickly fixed, and you can also tell the customers with the scare message that you are already back in control. Be careful and thoughtful when addressing your customers, do not put them in unnecessary anxiety, but at the same time do not downplay an extreme situation. Since, as mentioned in the previous point, a report should be made to the FDPIC as soon as personality or fundamental rights risks arise, it is advisable to also inform the affected persons or customers at the latest then.

Transparency and consistency in communication also helps your company maintain its reputation. This way, you cannot be accused of trying to cover up problems.

7. Dealing with ransom demands

In fact, hackers today have little in common with the movie cliché of the teenager in the hoodie. Rather, they are modern-day white-collar criminals, and their hacking is for profit. Ransom is often a part of it. Security authorities such as the cantonal police actually always advise against payment, as there is no guarantee that the encrypted data will really be returned afterwards. Nevertheless, if you are a victim of a hacker, it is advisable to involve the cantonal police and seek professional advice and support. A report may also be advisable, as mentioned in point 5.

Another person to contact on this topic is your insurance company. Cyber risks can only be partially insured, yet there is some cyber security insurance available with various benefit spectrums – including cyber theft/fraud and ransomware. When you take out the insurance, make sure you know whether ransoms are paid in the event of extortion and consult your contact person in the event of an acute case.


If you have been the victim of a hacker attack, the most important thing is to act quickly, gather important information and close security gaps immediately. Get in touch with experts and follow a clear prioritization if your business or website has been hacked.

To prevent all of this, it’s important to protect your devices, software, computers and email accounts from hackers and cyberattacks in advance. Across the company, make sure you have strong passwords, regular backups, and keep your systems current by installing updates promptly. Unfortunately, the biggest risk factor is always the person – through so-called social engineering, a person is hacked themselves and, for example, their password is found out that way. Educating all employees in the company about possible risks is therefore essential, even if the majority is certainly already aware that you cannot trust every file in your email account and that the Internet and even Google are full of pitfalls.

In our Cybersecurity Awareness Training, we impart fundamental knowledge about current and consequential risks. Do you want to train your company on how to best protect your data – from technology to avoiding human error? Then we look forward to advising you with our many years of expertise!

Would you like to be informed about our latest blog posts in the future?
Just subscribe to our newsletter now!

Subscribe to our newsletter
13. January 2023