Cybersecurity attacks and data breaches have become more common, even with security technology improvements. Attackers continue to find new vulnerabilities and methods to infiltrate systems and networks.
Organizations have realized that a cyberattack or data breach is often inevitable. It’s typically a matter of when, not if, it will happen. The good news is that cybersecurity crisis management plans can help prepare your business for these attacks.
According to GetApp’s 2023 Crisis Communications Survey*, only 49% of U.S. businesses currently have a formal cybersecurity crisis management plan. However, over half of all crisis events are cyberattacks or tech failures.
Developing a cyber crisis management plan can help your organization mitigate threats, minimize damage during an attack, and prepare for future cyber attacks or other crisis events.
Types of cyberattacks range from hacked devices and website outages to network intrusion, stolen data, or force majeure. A well-designed response plan is critical if preventive security measures fail.
A cybersecurity crisis management plan is essential to risk mitigation/management and other business security programs. This plan outlines a comprehensive strategy for identifying, responding to, and recovering from cybersecurity incidents. It defines the steps to minimize damages, prevent additional attacks, and restore normal business operations as swiftly as possible when a threat emerges.
Your crisis plan should include procedures for:
Containment
Internal/external communications
Forensic analysis
Normal operations restoration
Compliance reporting
Damage assessment
Incorporation of lessons learned
Enhancing defenses against future threats
Many organizations used to address cyberattacks on an ad-hoc basis. Today, most enterprises have matured their preparation and planning. They invest more time upfront into developing cyber crisis management resources.
Unfortunately, companies have seen that digital-only copies stored on servers or in the cloud can be infiltrated during an attack, preventing teams from accessing their plans when needed most. That’s why we recommend keeping a backup copy in a secure offline storage facility or on paper. This redundancy ensures access to your crisis management plan even with a compromised network or server.
An effective cyber crisis management plan helps minimize the impact of security incidents. Established playbooks aid level-headed decision-making, letting organizations respond swiftly and strategically when threats emerge.
Another benefit is faster incident response time. Quickly identifying, isolating, and mitigating an attack can profoundly reduce damages. Bringing in third-party expertise like cybersecurity firms can also help companies shorten the time required to contain threats.
Robust response plans curtail costs and reduce legal and regulatory fines by preventing threats from spreading. Without a plan, widespread breaches escalate risks, impact more employees, halt production, and inflict severe reputational harm. In the United States, organizations can face federal and state-level penalties if investigations find that negligence enabled large-scale breaches.
How well an organization responds to cyberattacks also impacts public perception and brand reputation. Companies and entities that handle breaches well may earn favorable sentiment despite the negative outcomes. One example is the International Committee of the Red Cross (ICRC) after a cyberattack exposed their employees’ and customers’ data. The organization communicated effectively and openly and took steps to strengthen its security programs, even though it had already taken reasonable precautions. [1]
Documenting your management plan further supports evidence of due diligence if questions arise about your preparedness. Being audit-ready instills confidence should a worst-case scenario happen.
Additional tip:
Level up your employees’ data security training so they can avoid social engineering techniques that can compromise your company’s data. Check out Social Engineering Techniques that Hack Your Employees.
Drafting a robust cybersecurity crisis management plan typically requires weeks or months of work—along with buy-in from top leadership. While plans differ across organizations, here are several key steps to consider.
Designate the team or individual(s) responsible for leading your organization’s efforts. They should also participate in creating and maintaining the crisis plan as risks evolve.
Potential roles needed on an incident response team include:
CISO or head of information security
IT security engineers
Legal counsel
Communications lead
Business continuity manager
Third-party forensics firm
The size and composition of the team depend on your resources and anticipated incident scenarios. External experts often provide vital support.
Not every cybersecurity incident requires complete crisis management. You should classify different thresholds based on potential business impacts—such as substantial financial, legal, reputation, or continuity harm beyond routine incidents.
Examples include:
Extensive data loss requiring public notice
Blackmail ransomware disrupting operations
Safety risks stemming from compromised industrial control systems
Clarifying Lawful Overseas Use of Data (CLOUD) Act warrants threatening intellectual property
Visual representations make crisis response protocols easy to digest. Map out step-by-step flow charts covering critical actions, such as assessment, containment, remediation, reporting, public communications, and recovery.
Tailor separate flowcharts for incident types:
Data breaches
Denial-of-service attacks
Critical IT infrastructure failure
Supply chain disruptions
Insider threats
Third-party risks
Common attack vectors
Outline compliance requirements for notifications. In the United States, this includes state breach laws and sector rules like the Health Insurance Portability and Accountability Act (HIPAA).
Draft customizable communication templates that help you rapidly inform stakeholders. Tailor statements by audience, with key templates for employees, customers, partners, regulators, and the public. Designate spokespeople with clearance to release information externally.
Having predefined templates improves your messaging while avoiding inconsistent statements that could intensify scrutiny. As details emerge, the updates can build upon your initial cyber crisis management plan template.
Determine guidelines for crisis communications, media interactions, and key messaging principles ahead of incidents. PR missteps could rapidly escalate fallout, so prudent planning pays dividends.
A RACI chart outlines roles and responsibilities critical for effective collaboration during incidents:
Responsible: Leads executing tasks
Accountable: Approves actions
Consulted: Provides subject matter expertise
Informed: Receives notifications of status and updates
Write down the contact information and order of contact for personnel across these categories. RACI models enable efficient coordination, particularly when you have multiple internal teams, vendors, regulators, and partners.
Verify your incident responders have access to essential technologies. These technologies may include:
Malware detection
System logs
Alternate work locations
Replacement hardware to sustain operations
Test effectiveness by conducting crisis scenario walkthroughs with stakeholders. For ease of training, assign roles as outlined in your RACI charts.
Examples of roles that fill each quadrant of this matrix include:
Responsible: designers, engineers, etc.
Accountable: department director, project manager, etc.
Consulted: head of customer support, customer support agents, team leads, etc.
Informed: C-suite, marketing team, sales team, etc.
Once you identify gaps, address them. This proactive behavior ensures optimal responses when actual crises strike.
Ongoing risk assessments are vital in crisis communications management. Performing ongoing assessments helps teams:
Identify potential hazards
Make note of significant risks
Gather information to present to relevant individuals and teams from your RACI chart
Obtain feedback for next steps
Performing periodic risk assessments to identify and prioritize risks, vulnerabilities, and potential attack vectors helps teams rank potential and known hazards according to threat level. Including a third-party penetration testing partner can help uncover any overlooked weaknesses.
Perform thorough reviews and event analyses following major incidents to uncover what worked well and what could use improvement. Then, apply what you’ve learned.
Implement new risk definitions and metrics by:
Assessing impact
Considering likelihood
Measuring velocity
Measuring volatility
Remain proactive by updating your protocols accordingly and as necessary.
The GetApp Crisis Communications Survey* found that at companies with formal crisis communications plans, the top three areas involved include:
IT management (91%)
Business operations (83%)
Public relations (81%)
After using a cybersecurity crisis management plan during an actual crisis, 72% of business leaders say they’d expand the scope of crisis communications planning going forward—even training and role-playing don’t reveal the intricacies or lessons you learn during real events.
While these leaders praise mock-crisis drills, practice, and ongoing training, they say ongoing risk assessments, tweaks, and updates of lessons learned can help businesses improve incident response. Crisis management plans should evolve alongside real-time threats.
An effective cyber crisis plan requires:
Understanding potential vulnerabilities. Conduct thorough risk assessments using internal expertise or third-party services to probe for weaknesses (also known as pen testing or penetration testing) in systems, data storage, cloud platforms, exposed assets, and other attack surfaces. These assessments help you prioritize which areas to secure first.
Analyzing relevant legal and regulatory requirements. Factor in industry-specific rules, data privacy protections, breach disclosure laws, and cross-border differences based on countries of operation. Violations carry steep fines and sanctions, so compliance is paramount.
Cataloging key assets. Catalog intellectual property, protected information, and other digital “crown jewels” along with their storage locations, access controls, and backups. These assets require robust safeguards to sustain operations and represent top targets for malicious actors.
Listing resources. Take stock of available response resources by building internal teams, contracting external experts, or setting up hybrid models to address fundamental capabilities.
Assigning roles and responsibilities. Outline key roles aligned to stakeholders, including leadership, legal, IT security, communications, business continuity specialists, and third-party partners. Effective coordination relies on each party firmly understanding its role.
Documenting a comms plan. Communications strategy also warrants planning, particularly with customers, partners, and public messaging. Having predefined channels, tiered notification procedures, spokesperson policies, and template statements helps convey timely and accurate updates.
Reevaluating the crisis plan. Crisis management plans demand ongoing reevaluation. Threats evolve rapidly alongside growing digital footprints and increasingly sophisticated bad actors, hacking tools, and AI-enabled programs.
Each member of the crisis management cybersecurity team has a designated role to play.
| Role | Responsibilities |
|---|---|
| CISO or head of information security | Leads overall containment, remediation, and recovery; activates crisis management protocols; oversees investigation into root causes; reports developments to leadership and board. |
| General counsel | Advises on legal/regulatory notification obligations; assesses liability, litigation, and PR risks; engages external counsel as needed; reviews external communications. |
| Communications director | Acts as primary media contact and spokesperson; drafts press statements and releases; monitors coverage and clarifies misinformation; shapes crisis narratives. |
| IT security engineer | Isolates, diagnoses, and remediates impacted systems; prevents additional data loss or corruption; restores services and installs patches/controls; documents details for auditing. |
| CEO, CIO or business owner (information owner) | Oversees information assets and governance; acts as decision-maker with high-level oversight; sets the organization's security culture and standards; authorizes investments in risk mitigations. |
| Operations manager or HR (becomes incident response manager during incidents) | Maps out and documents response protocols and escalation flowcharts; ensures crisis response team members understand responsibilities; coordinates logistics, such as facilities, equipment, and schedules; facilitates collaboration across internal groups. |
| IT staff & managed security service provider (MSSP) | Maintains and provides access to security tools; conducts technology and system forensics; recovers data assets from backups; makes infrastructure reinforcements. |
| Volunteers (rotate annually from across business departments/units) | Provide additional personnel for coordination and communication; receive training on protocols and expectations; bring different perspectives as quasi-observers; maintain a succession plan for knowledge continuity. |
| Technical lead (*see below) | Uses deep security architecture and systems expertise; manages direct remediation actions executed by the security engineering team; acts as a single point of technical authority, oversight, and decision-making responsibility (sometimes the CISO fills this role). |
The technical lead plays a critical systems-focused role within the cybersecurity incident response team. As threats emerge, this individual uses their technical expertise to rapidly discover, analyze, and mitigate impacts to infrastructure and data assets.
Key responsibilities include:
Coordinating with IT security engineers to identify affected systems, isolate compromised components, and prevent additional data leakage or corruption.
Diagnosing initial infection vectors based on system logs and tooling reports to find root causes, whether via malware, unauthorized access, or insider actions.
Guiding containment efforts through temporarily taking impacted servers offline, enforcing password changes, rescanning backups, or blocking suspicious IP addresses.
Advising the CISO and other team leads on the technical severity of the incident, likely remediation timeframes, and cybersecurity improvements required to enhance future preparedness.
Supervising full recovery initiatives, such as securely restoring data assets from backups, reimaging infected systems before reconstituting services, and applying current patches on an ongoing basis.
Leading deep-dive forensic investigations to quantify damage and verify the scope for legal and regulatory reporting.
Conducting post-crisis analyses to uncover exact system issues or process deficiencies.
Providing results of analyses as summarized suggestions for improved security and bolstered infrastructure to senior leadership for authorization.
Cyber threats are only increasing in intensity, so having a rigorous incident response plan is one of the best protections to limit business exposure.
Developing precise processes, defining roles, and assigning responsibilities in a threat management landscape can help your team act decisively if and when a breach occurs. The businesses that establish these core foundations before an attack will be the businesses still standing in the long run.
*GetApp's Crisis Communications Survey was conducted in January 2023 among 243 respondents to learn more about crisis communications plans at U.S. businesses. All respondents were screened for leadership positions of director level or above.
1. ICRC cyber-attack: Sharing our analysis, International Committee of the Red Cross
Jennifer Cameron