GetApp offers objective, independent research and verified user reviews. We may earn a referral fee when you visit a vendor through our links. 

Security

How To Create a Cybersecurity Crisis Management Plan

Feb 9, 2024

A cybersecurity management plan is essential for organizations to address and mitigate cyber threats.

AvatarImg
Jennifer Cameron
How To Create a Cybersecurity Crisis Management Plan

What we'll cover

Cybersecurity attacks and data breaches have become more common, even with security technology improvements. Attackers continue to find new vulnerabilities and methods to infiltrate systems and networks. 

Organizations have realized that a cyberattack or data breach is often inevitable. It’s typically a matter of when, not if, it will happen. The good news is that cybersecurity crisis management plans can help prepare your business for these attacks.

The connection between cyber threats and crisis management plans

According to GetApp’s 2023 Crisis Communications Survey*, only 49% of U.S. businesses currently have a formal cybersecurity crisis management plan. However, over half of all crisis events are cyberattacks or tech failures.

Developing a cyber crisis management plan can help your organization mitigate threats, minimize damage during an attack, and prepare for future cyber attacks or other crisis events. 

Types of cyberattacks range from hacked devices and website outages to network intrusion, stolen data, or force majeure. A well-designed response plan is critical if preventive security measures fail.

What is a cybersecurity crisis management plan?

A cybersecurity crisis management plan is essential to risk mitigation/management and other business security programs. This plan outlines a comprehensive strategy for identifying, responding to, and recovering from cybersecurity incidents. It defines the steps to minimize damages, prevent additional attacks, and restore normal business operations as swiftly as possible when a threat emerges. 

Your crisis plan should include procedures for:

  • Containment

  • Internal/external communications

  • Forensic analysis

  • Normal operations restoration

  • Compliance reporting

  • Damage assessment

  • Incorporation of lessons learned

  • Enhancing defenses against future threats

Many organizations used to address cyberattacks on an ad-hoc basis. Today, most enterprises have matured their preparation and planning. They invest more time upfront into developing cyber crisis management resources.

Where is your crisis management plan stored?

Unfortunately, companies have seen that digital-only copies stored on servers or in the cloud can be infiltrated during an attack, preventing teams from accessing their plans when needed most. That’s why we recommend keeping a backup copy in a secure offline storage facility or on paper. This redundancy ensures access to your crisis management plan even with a compromised network or server.

Why do you need a cybersecurity crisis management plan?

An effective cyber crisis management plan helps minimize the impact of security incidents. Established playbooks aid level-headed decision-making, letting organizations respond swiftly and strategically when threats emerge. 

Another benefit is faster incident response time. Quickly identifying, isolating, and mitigating an attack can profoundly reduce damages. Bringing in third-party expertise like cybersecurity firms can also help companies shorten the time required to contain threats.

Robust response plans curtail costs and reduce legal and regulatory fines by preventing threats from spreading. Without a plan, widespread breaches escalate risks, impact more employees, halt production, and inflict severe reputational harm. In the United States, organizations can face federal and state-level penalties if investigations find that negligence enabled large-scale breaches.

How well an organization responds to cyberattacks also impacts public perception and brand reputation. Those companies and entities that handle breaches may earn favorable sentiments—despite the negative outcomes. One example is the International Committee of the Red Cross (ICRC) after a cyberattack exposed their employees’ and customers’ data. The organization communicated effectively and openly, taking steps to strengthen security programs even though it took reasonable precautions. [1]

Documenting your management plan further supports evidence of due diligence if questions arise about your data preparation. Being audit-ready instills confidence should a worst-case scenario happen.

Additional tip:

Level up your employees’ data security training so they can avoid social engineering techniques that can compromise your company’s data. Check out Social Engineering Techniques that Hack Your Employees.

9 steps to create a cybersecurity crisis management plan

Drafting a robust cybersecurity crisis management plan typically requires weeks or months of work—along with buy-in from top leadership. While plans differ across organizations, here are several key steps to consider.

Step 1: Assemble an incident response team

Designate the team or individual(s) responsible for leading your organization’s efforts. They should also participate in creating and maintaining the crisis plan as risks evolve.

Potential roles needed on an incident response team include:

  • CISO or head of information security 

  • IT security engineers 

  • Legal counsel 

  • Communications lead 

  • Business continuity manager 

  • Third-party forensics firm 

The size and composition of the team depend on your resources and anticipated incident scenarios. External experts often provide vital support.

Step 2: Classify crisis severity thresholds

Not every cybersecurity incident requires complete crisis management. You should classify different thresholds based on potential business impacts—such as substantial financial, legal, reputation, or continuity harm beyond routine incidents.

Examples include:

  • Extensive data loss requiring public notice

  • Blackmail ransomware disrupting operations

  • Safety risks stemming from compromised industrial control systems

  • Clarifying Lawful Overseas Use of Data (CLOUD) Act warrants threatening intellectual property

Step 3: Map out escalation processes with flowcharts

Visual representations make crisis response protocols easy to digest. Map out step-by-step flow charts covering critical actions, such as assessment, containment, remediation, reporting, public communications, and recovery.

Tailor separate flowcharts for incident types:

  • Data breaches

  • Denial-of-service attacks

  • Critical IT infrastructure failure

  • Supply chain disruptions

  • Insider threats

  • Third-party risks

  • Common attack vectors

Outline compliance requirements for notifications. In the United States, this includes state breach laws and sector rules like the Health Insurance Portability and Accountability Act (HIPAA).

Step 4: Construct communication templates

Draft customizable communication templates that help you rapidly inform stakeholders. Tailor statements by audience, with key templates for employees, customers, partners, regulators, and the public. Designate spokespeople with clearance to release information externally.

Having predefined templates improves your messaging while avoiding inconsistent statements that could intensify scrutiny. As details emerge, the updates can build upon your initial cyber crisis management plan template.

Outline a public relations strategy

Determine guidelines for crisis communications, media interactions, and key messaging principles ahead of incidents. PR missteps could rapidly escalate fallout, so prudent planning pays dividends.

Step 5: Identify responsibilities with RACI charts

A RACI chart outlines roles and responsibilities critical for effective collaboration during incidents:

  • Responsible: Leads executing tasks

  • Accountable: Approves actions

  • Consulted: Provides subject matter expertise

  • Informed: Receives notifications of status and updates

Write down the contact information and order of contact for personnel across these categories. RACI models enable efficient coordination, particularly when you have multiple internal teams, vendors, regulators, and partners.

Step 6: Ensure access to tools and resources

Verify your incident responders have access to essential technologies. These technologies may include:

Step 7: Train and stage simulation exercises

Test effectiveness by conducting crisis scenario walkthroughs with stakeholders. For ease of training, assign roles as outlined in your RACI charts.

Examples of roles that fill each quadrant of this matrix include:

  • Responsible: designers, engineers, etc.

  • Accountable: department director, project manager, etc.

  • Consulted: head of customer support, customer support agents, team leads, etc.

  • Informed: C-suite, marketing team, sales team, etc.

Once you identify gaps, address them. This proactive behavior ensures optimal responses when actual crises strike.

Step 8: Conduct ongoing risk assessments

Ongoing risk assessments are vital in crisis communications management. Performing ongoing assessments helps teams:

  • Identify potential hazards

  • Make note of significant risks

  • Gather information to present to relevant individuals and teams from your RACI chart

  • Obtain feedback for next steps

Performing periodic risk assessments to identify and prioritize risks, vulnerabilities, and potential attack vectors helps teams arrange potential and known hazards and risks according to threat level. Including a third-party penetration testing partner can help uncover any overlooked weaknesses.

Step 9: Incorporate lessons learned

Perform thorough reviews and event analyses following major incidents to uncover what worked well and what could use improvement. Then, apply what you’ve learned. 

Implement new risk definitions and metrics by:

  • Assessing impact

  • Considering likelihood

  • Measuring velocity

  • Measuring volatility

Remain proactive by updating your protocols accordingly and as necessary.

Essential elements of a cybersecurity crisis management plan

The GetApp Crisis Communications Survey* found that at companies with formal crisis communications plans, the top three areas involved include: 

  1. IT management (91%)

  2. Business operations (83%)

  3. Public relations (81%)

After using a cybersecurity crisis management plan during an actual crisis, 72% of business leaders say they’d expand the scope of crisis communications planning going forward—even training and role-playing don’t reveal the intricacies or lessons you learn during real events. 

While these leaders praise mock-crisis drills, practice, and ongoing training, they say ongoing risk assessments, tweaks, and updates of lessons learned can help businesses improve incident response. Crisis management plans should evolve alongside real-time threats.

An effective cyber crisis plan requires:

  • Understanding potential vulnerabilities. Conduct thorough risk assessments using internal expertise or third-party services to probe for weaknesses (also known as pen testing or penetration testing) in systems, data storage, cloud platforms, exposed assets, and other attack surfaces. These assessments help you prioritize which areas to secure first. 

  • Analyzing relevant legal and regulatory requirements. Factor in industry-specific rules, data privacy protections, breach disclosure laws, and cross-border differences based on countries of operation. Violations carry steep fines and sanctions, so compliance is paramount.

  • Cataloging key assets. Intellectual property, protected information, and other digital “crown jewels” require robust safeguards to sustain operations, along with their storage locations, access controls, and backups. These represent top targets for malicious actors.

  • Listing resources. Take stock of available response resources by building internal teams, contracting external experts, or setting up hybrid models to address fundamental capabilities. 

  • Assigning roles and responsibilities. Outline key roles aligned to stakeholders, including leadership, legal, IT security, communications, business continuity specialists, and third-party partners. Effective coordination relies on firm understanding.

  • Documenting a comms plan. Communications strategy also warrants planning, particularly with customers, partners, and public messaging. Having predefined channels, tiered notification procedures, spokesperson policies, and template statements helps convey timely and accurate updates.

  • Reevaluating the crisis plan. Crisis management plans demand ongoing reevaluation. Threats evolve rapidly among growing digital footprints and increasingly sophisticated bad actors, hacking tools, and AI-enabled programs.

Roles and responsibilities of the cybersecurity crisis management team 

Each member of the crisis management cybersecurity team has a designated role to play.

RoleResponsibilities
CISO or head of information securityLeads overall containment, remediation, and recovery; Activates crisis management protocols; Oversees investigation into root causes; Reports developments to leadership and board.
General counsel Advises on legal/regulatory notification obligations; Assesses liability, litigation, and PR risks; Engages external counsel as needed; Reviews external communications.
Communications directorActs as primary media contact and spokesperson; Drafts press statements and release; Monitors coverage and clarifies misinformation; Shapes crisis narratives.
IT security engineerIsolates, diagnoses, and remediates impacted systems; Prevents additional data loss or corruption; Restores services and installs patches/controls; Handles document details for auditing.
CEO, CIO or business owner (information owner)Oversees information assets and governance; Acts as decision-maker with high-level oversight; Sets organization's security culture and standards; Authorizes investments in risk mitigations.
Operations manager or HR (becomes incident response manager during incidents)Map outs and documents response protocols and escalation flowcharts; Ensures crisis response team members understand responsibilities; Coordinates logistics, such as facilities, equipment, and schedules; Facilitates collaboration across internal groups.
IT staff & managed security service provider (MSSP)Maintains and provides access to security tools; Conducts technology and system forensics; Recovers data assets from backups; Makes infrastructure reinforcements.
Volunteers (annually rotates from across business departments/units)Provide additional personnel for coordination and communication; Receive training on protocols and expectations; Bring different perspectives as quasi-observers; Maintain a succession plan for knowledge continuity.
Technical lead (*see below)Uses deep security architecture and systems expertise; Manages direct remediation actions executed by the security engineering team; Acts as a single point of technical authority, oversight, and decision-making responsibility (sometimes, the CISO may fill this role).

What are the responsibilities of the technical lead?

The technical lead plays a critical systems-focused role within the cybersecurity incident response team. As threats emerge, this individual uses their technical expertise to rapidly discover, analyze, and mitigate impacts to infrastructure and data assets.

Key responsibilities include:

  • Coordinating with IT security engineers to identify affected systems, isolate compromised components, and prevent additional data leakage or corruption.

  • Diagnosing initial infection vectors based on system logs and tooling reports to find root causes, whether via malware, unauthorized access, or insider actions.

  • Guiding containment efforts through temporarily dismantling impacted servers, enforcing password changes, rescanning backups, or blocking suspicious IP addresses.

  • Advising the CISO and other team leads on the technical severity of the incident, likely remediation timeframes, and cybersecurity improvements required to enhance future preparedness.

  • Supervising full recovery initiatives, such as securely restoring data assets from backups, reimaging infected systems before reconstituting services, and installing continuously maintained patches.

  • Leading deep-dive forensic investigations to quantify damage and verify the scope for legal and regulatory reporting.

  • Conducting post-crisis analyses to uncover exact system issues or process deficiencies. 

  • Providing results of analyses as summarized suggestions for improved security and bolstered infrastructure to senior leadership for authorization.

Security measures taken today protect your SMB tomorrow

Cyber threats are only increasing in intensity, so having a rigorous incident response plan is one of the best protections to limit business exposure. 

Developing precise processes, defining roles, and assigning responsibilities in a threat management landscape can help your team act decisively if and when a breach occurs. The businesses that establish these core foundations before an attack will be the businesses still standing in the long run. 

Cybersecurity doesn’t stop here. For more resources on cybersecurity, visit the GetApp blog or dive into the following security-related articles:

Survey methodology

*GetApp's Crisis Communications Survey was conducted in January 2023 among 243 respondents to learn more about crisis communications plans at U.S. businesses. All respondents were screened for leadership positions of director level or above.

Sources

1. ICRC cyber-attack: Sharing our analysis, International Committee of the Red Cross

avatar
About the author

Jennifer Cameron

Jennifer Cameron is a writer and analyst specializing in sales, marketing, and eCommerce topics for B2B and B2C clients. She is a frequent contributor to trusted businesses resources, including several Fortune 1000 technology vendors and GetApp.
Visit author's page