You may have invested in the most advanced alarm systems and surveillance cameras for your home, but what do you do if a burglar still manages to get in?

Call 911 or lock yourself in the basement? Or do you panic and freeze up? You’ll be better prepared if you have a response plan.

Cybersecurity for businesses is no different. With increasing incidents of hacked websites, breached networks, and ransomware and denial-of-service attacks, cybersecurity is transforming from an operational challenge into a business challenge.

You can’t completely shield your business from cyberattacks, but you can create a response plan to deal with them when they occur.

Having a cybersecurity crisis management plan will help you respond more quickly to cyberattacks, deliver coherent and consistent internal and external communications, and take timely remedial action.

Yet, only 37% of organizations have a cyber incident response plan, according to Gartner’s report “Prepare for and Respond to a Business Disruption After an Aggressive Cyberattack” (full content available to Gartner clients).

Only 37% of organizations have a security incident response plan

Businesses are often reluctant to set aside time and resources to build a cybersecurity crisis management plan, believing that they’ll never be targeted. What they fail to realize is that automated botnet attacks target systems indiscriminately, and that having even a partially developed crisis management plan is better than having none at all.

You don’t have to create your entire cybersecurity crisis management plan in one go but can follow a piecemeal approach and keep adding to it until it’s complete.

How to prepare a cybersecurity crisis management plan

Preparing a robust cybersecurity crisis management plan may take you weeks or months, and it requires the support and approval of top leadership.

Here are five steps to help you prepare your cybersecurity crisis management plan.

1. Form an emergency cybersecurity incident response team

You need to clearly state who will take charge and manage the “firefighting” in the event of a cybersecurity incident. In addition to leading the organization as it follows the defined crisis management processes, this team will also be involved in creating and updating the crisis management plan.

The table below lists roles that different employees will need to fill on an incident response team. The composition of your incident response team will vary based on your available employee resources and the nature of the security incidents you anticipate.

Example Incident Response Team

Role: Who owns the role?

Information owner: CEOs or CIOs/CISOs are usually the information owners for larger companies, while for smaller firms it might be the business owner.

Incident response manager: Business unit leaders or operations managers usually lead the response actions. Your HR or legal staff may also shoulder responsibility for this role and help inform employees and the relevant regulatory bodies.

Security/IT staff: This could be your internal staff who handle IT needs, or your managed security service provider (MSSP).

Volunteers: Select a few employees and rotate them yearly or every other year to help with coordination and training on cybersecurity incident response management.

2. Define what a cybersecurity crisis means to your organization

Not every security incident is a crisis. You must, therefore, define what qualifies a security incident as a crisis for your organization. Loss of confidential data; adverse financial or reputation consequences for your business, partners, or customers; and regulatory breaches are some instances when a security incident becomes a crisis.

3. Create escalation process flowcharts for crisis situations

Visual representations such as flowcharts help employees quickly understand the steps they must take following an incident. Below is a sample flowchart depicting action items that need to be taken when a security incident is reported.

Your escalation process flowchart must also cover the legal and regulatory aspects of the different security incidents. For example, Article 33 of the GDPR requires you to notify the controller about any breach of customers’ personally identifiable information within 72 hours.

Crisis management flowchart showing the steps for responding to a crisis

Having separate flowcharts to indicate how employees should respond to different types of incidents—phishing, DDoS attacks, malware, IoT attacks—helps create a faster and more targeted response.

4. Create cybersecurity crisis communication templates

You’ll need to issue communiques about security incidents to internal as well as external stakeholders (media, clients, and partners, depending on the severity of the crisis).

Having crisis communication templates ready for different scenarios—serious data breach incidents, minor data breach incidents, etc.—helps save time and avoids incoherent communications. You must also designate spokespersons who are authorized to speak on behalf of your company about the incident.

Here’s a sample crisis communication template:

Our company, [Company name], has become aware of a potential network and systems breach. At this time, we are unable to confirm the extent of the breach and whether sensitive data is affected. We are working closely with federal authorities and cybersecurity experts to determine and contain the impact of the incident. We are committed to working through this investigation and addressing any concerns our clients or partners might have.
We will provide regular updates on our website and will hold media briefings as necessary.

5. Create RACI charts and list emergency contact details for speedy communication and collaboration

Providing timely information to internal and external stakeholders about how the crisis is being handled is an important step. RACI charts help you quickly determine whom to contact or get approval from for different steps in the crisis management plan. Below, we discuss what each element in a RACI chart means:

Responsible: Person who is responsible for executing the activity.

Accountable: Person who owns, approves, and is the final decision-maker for the activity.

Consulted: Person who can provide further information or feedback for performing the activity.

Informed: Person who only needs to be informed about the activity’s progress or status.

Here is a downloadable template that you can customize for your incident response plan. We’ve added columns providing communication details for the relevant stakeholders in the template to help make communication easier and faster.


Best practices for creating a cybersecurity crisis management plan

A crisis management plan is a document that will be referred to under intense pressure and panic. It should not be complicated, forcing a reader to read a step multiple times to understand what to do. Here are some best practices you should follow when preparing your cybersecurity crisis management or incident response plan.

  • Keep it simple and short: Use simple, actionable language to provide employees enough details to initiate the correct response.
  • Ensure the plan addresses traditional and new security incident types: Include distinct flowcharts that show specifically how to tackle common incidents such as malware or DDoS attacks, as well as listing out generic procedures for tackling new types of security incidents.
  • Keep copies of the plan in a secure yet easily accessible location: Store physical as well as electronic copies of the crisis management plan with business unit heads or team leads, or on cloud storage tools.
  • Test the plan regularly: Conduct mock drills to check the preparedness of your team and the robustness of your cybersecurity crisis management plan. This will also help train employees to act quickly and take immediate reactive steps.
