May 27, 2020

How to Create a Cybersecurity Crisis Management Plan in 5 Steps

Follow these five steps to prepare a robust cybersecurity crisis management plan for your business.

Gitanjali Maria, Rahul Kumar (Sr. Content Analyst, Content Writer)

You may have invested in the most advanced alarm system and surveillance cameras for your home, but what do you do if a burglar still manages to get in? Call 911 or lock yourself in the basement? Or do you panic and freeze? You’ll be better prepared if you have a response plan.

Cybersecurity for your business is no different. Rising incidents of cyberattacks, such as hacked websites, breached networks, and denial-of-service attacks, have turned cybersecurity from just an operational challenge into a business challenge.

It’s almost impossible to shield your business completely from cyberattacks, but what you can do is create an effective response plan that instructs your IT team on how to respond to an attack.

Having a cybersecurity crisis management plan will help you respond more quickly to cyberattacks, deliver consistent communication to internal and external stakeholders, and take timely remedial actions.

It’s surprising that only 37% of organizations have a cyber incident response plan, according to Gartner’s Prepare for and Respond to a Business Disruption After an Aggressive Cyberattack report (full content available to Gartner clients only).

Businesses are often reluctant to set aside time and resources to build a cybersecurity crisis management plan, believing that they’ll never be targeted. What they fail to realize is that automated botnet attacks target systems randomly, and having even a partially developed crisis management plan is better than having none at all.

You don’t have to create your entire crisis management plan in one go. Follow a piecemeal approach and keep adding to it until it’s complete.


5 steps to create a cybersecurity crisis management plan

Preparing a robust cybersecurity crisis management plan may take weeks or months and requires the support and approval of top leadership. Here are five steps to follow.

Step #1 - Form an emergency cybersecurity incident response team

You need to clearly state who (or which team) will take charge and manage the “firefighting” in the event of a cybersecurity incident. Besides leading the organization as it follows the defined crisis management processes, the response team will also be involved in creating and updating the crisis management plan. 

The table below lists a few roles that different employees will need to take up. The composition of your incident response team will vary based on your available employee resources and the nature of anticipated security incidents.

Role | Who owns the role?
Information owners | Chief executive officers (CEOs), chief information officers (CIOs), or chief information security officers (CISOs) are usually the information owners in large companies, while business owners usually take up the role in small firms.
Incident response managers | Business unit leaders or operations managers usually lead the response actions. Your human resources (HR) or legal staff may also shoulder the responsibility for this role and help inform employees and concerned regulatory bodies.
Security/IT staff | This could be your internal staff that helps fix IT needs or your managed security service provider (MSSP).
Volunteers | Select a few employees and rotate them yearly or every other year to help with any coordination and training on cybersecurity incident response management.

Step #2 - Define what a cybersecurity crisis means to your organization

Not every security incident is a crisis. You must, therefore, define what qualifies a security incident as a crisis for your organization. Loss of confidential data; adverse financial or reputation consequences for your business, partners, or customers; and regulatory breaches are some instances of a security incident becoming a crisis.

Step #3 - Create escalation process flowcharts for crisis situations

Visual representation using flowcharts helps employees quickly understand the steps to be followed during an incident. Your escalation process flowchart must cover the legal and regulatory aspects of various security incidents. For example, Article 33 of the General Data Protection Regulation (GDPR) requires you to notify supervisory authorities about any breach of customers’ personally identifiable information within 72 hours.

Below is a sample flowchart depicting action items to be taken when a security incident is reported.

Having separate flowcharts to indicate how employees should respond to different types of incidents, such as phishing, distributed denial of service (DDoS) attacks, malware, and internet of things (IoT) attacks, helps create a faster and more targeted response.

Step #4 - Create cybersecurity crisis communication templates

Depending on the severity of a crisis, you’ll need to issue a communique (i.e., an official announcement or statement) about the incident to internal as well as external stakeholders, including media, clients, and partners.

Have crisis communication templates ready for different scenarios—serious data breach incidents, minor data breach incidents, etc. These templates will help save time and avoid incoherent communication. You must also designate spokespersons who’ll be authorized to speak, on behalf of your company, about the incident.

A sample crisis communication template

Our company, [Company name], has identified a potential network and systems breach. At present, we are unable to confirm the extent of the breach and whether sensitive data is affected. We are working closely with federal authorities and cybersecurity experts to determine and contain the impact of the incident. We are committed to working through this investigation and addressing any concerns our clients or partners might have.

We will provide regular updates on our website, www.companyname.com, and will hold media briefings as necessary.

Step #5 - Create RACI charts and list emergency contacts for speedy communication and collaboration

It’s necessary to provide timely information to internal and external stakeholders about how a crisis is being handled. A responsibility assignment matrix, also known as a RACI chart, helps determine whom to contact or get approval from during different stages of a crisis management plan. Let’s discuss each element of the RACI chart.

  • Responsible: Individual responsible for executing or doing the activity.

  • Accountable: Individual who owns, approves, and is the final decision-maker for the activity.

  • Consulted: Individual who can provide further information or feedback for performing the activity.

  • Informed: Individual who only needs to be informed about the activity’s progress or status.

Here’s a downloadable template that you can customize for your incident response plan. We’ve added columns providing contact details of relevant stakeholders to help make communication easier and faster.


Best practices to follow

A cybersecurity crisis management plan is a document that people consult under intense pressure and in panic situations. Hence, it shouldn’t be complicated. Employees shouldn’t have to read a step multiple times to understand what exactly to do.

Here are a few best practices you should adopt while creating your organization’s cybersecurity crisis management or incident response plan.

  • Keep it simple and short: Use simple, actionable language, and provide enough details to initiate the correct response.

  • Ensure the plan addresses traditional as well as new security incidents: Include distinct flowcharts that explain how to tackle specific incidents, such as malware or DDoS attacks. Keep updating the plan as and when you encounter a new incident.

  • Keep copies of the plan in a secure yet easily accessible location: Keep physical copies of the plan with each business unit head or team lead and electronic copies on cloud storage platforms that can be quickly accessed by employees.

  • Test the plan regularly: Conduct mock drills to check the preparedness of your team and the robustness of your cybersecurity crisis management plan. This will also help train employees to act quickly and take immediate reactive steps.
