The belief that cybersecurity insurance removes the need for incident response planning is dangerously wrong. Insurers increasingly deny claims to companies without documented plans.

Incident Response: What to Do During Cyberattack

Despite all preventive measures, no company can guarantee one hundred percent security. The question is not if, but when a security incident occurs. Response speed and quality are then decisive. According to an IBM study, each hour of delay in incident response costs an average of CHF 12,000 in additional damage.

Swiss SMEs are often poorly prepared for security incidents. Only a minority of Swiss SMEs have a documented Incident Response Plan. This guide shows how to develop an effective plan and respond correctly in emergencies.

The First 60 Minutes: Immediate Measures

When you suspect or discover a security incident, every minute counts. The first actions can make the difference between limited and catastrophic damage.

1. Stay Calm and Activate Incident Response Team

Don’t panic. Hasty actions can cause more damage than the attack itself. For example, prematurely shutting down all systems can destroy important forensic evidence and complicate recovery.

Activate your Incident Response Team (if available) or the defined responsible persons. In small SMEs, this may be the IT manager and CEO, in larger ones a dedicated team should exist.

Document everything from now on: Times, observed symptoms, measures taken, people involved. This timeline is critical for forensics, insurance, and legal aspects.

2. Verify Initial Suspicion

Determine whether a security incident actually exists or if it’s a technical error, false alarm, or misconfiguration. Typical indicators of an attack:

  • Unexplained system slowdown
  • Unknown processes or network connections
  • Encrypted files or ransomware messages
  • Unusual logins or access
  • Alerts from security tools
  • Reports from employees about suspicious activities

3. Damage Containment: Contain the Breach

Isolate affected systems, but do NOT shut them down (except in acute danger of data exfiltration). Disconnect affected computers from the network but keep them running to enable forensic analysis.

Stop the spread. With ransomware, quick action is critical as it often moves laterally through the network. Network segmentation can be worth gold here.

Change critical passwords (but only for non-compromised accounts and after the attack has been stopped, otherwise you may alert the attacker).

Preserve evidence. Don’t delete anything, not even suspicious files. Create disk images of affected systems if possible.

4. Engage External Experts

For most SMEs, a security incident exceeds internal capacities. Don’t hesitate to get external help:

Cybersecurity Incident Response Specialists can analyse the attack, stop spread, and support recovery. Choose partners proactively, ideally before an incident (retainer models).

IT Forensics Experts for in-depth analysis, evidence preservation, and attack reconstruction.

Legal Counsel for data protection-relevant incidents or when legal action is being considered.

Insurance (if cyber insurance exists) should be informed immediately.

5. Check Reporting Obligations

According to the revised Swiss Data Protection Act (revDSG), there is a reporting obligation to the Federal Data Protection and Information Commissioner (FDPIC) for serious data protection violations, namely “as soon as possible.”

Violations are considered serious if they are likely to result in high risk to the personality or fundamental rights of affected persons. When in doubt, you should seek legal advice.

The report must contain the following information:

  • Type of data security violation
  • Consequences of the violation
  • Measures taken or planned

Additionally, industry-specific reporting obligations may exist (e.g., FINMA for financial institutions).

The Incident Response Lifecycle

Professional incident response follows a structured process. The widely used NIST framework defines six phases:

Phase 1: Preparation (before the incident)

This phase occurs BEFORE an incident and is crucial for successful response:

Create Incident Response Plan:

  • Define what qualifies as an incident
  • Name Incident Response Team and roles
  • Document escalation paths
  • Define communication protocols
  • List external contacts (experts, authorities, insurance)

Technical Preparation:

  • Implement logging and monitoring
  • Ensure backups work and are secured offline/offsite
  • Prepare Incident Response toolkit (forensic tools, contact lists, templates)
  • Establish secure communication channels for crisis (separate email, encrypted messenger)

Organisational Preparation:

  • Train employees in recognising and reporting incidents
  • Conduct Tabletop Exercises (simulated incidents at the conference table)
  • Establish retainer with Incident Response specialists
  • Review cyber insurance and its requirements

Proactive red team assessments can also strengthen incident preparedness by revealing how real attackers would move through your environment. Firms like RedTeam Partners conduct realistic adversary simulations that stress-test your detection and response capabilities before a real incident does.

Phase 2: Detection and Analysis

Early detection is critical. The faster you detect an attack, the lower the damage. On average, it takes 127 days in Switzerland until an attack is discovered, often even longer for SMEs.

Detection Sources:

  • Security Information and Event Management (SIEM) alerts
  • Antivirus/Endpoint Detection and Response (EDR) alarms
  • Intrusion Detection Systems (IDS)
  • Reports from employees
  • Unusual network activity
  • External hints (customers, partners, authorities)

Initial Analysis:

  • Verify the incident (True Positive vs. False Positive)
  • Classify severity and type of incident
  • Determine affected systems and data
  • Identify attack vector and time if possible

Severity Rating: Establish a simple system for prioritisation:

Critical: Massive data exfiltration, ransomware encryption of critical systems, APT attack

  • Response: Immediate escalation, external experts, potential business interruption

High: Compromise of important systems, malware infection with spread potential

  • Response: Quick reaction within hours, activate Incident Response Team

Medium: Isolated malware infection, successful phishing without critical data

  • Response: Response within business day, regular processes

Low: Failed phishing attempt, automated scans

  • Response: Documentation, regular handling

Phase 3: Containment

Goal is to prevent further damage without affecting business continuity more than necessary.

Short-term Containment:

  • Isolate affected systems from network
  • Block known Command & Control (C2) servers
  • Deactivate compromised accounts
  • Increase monitoring on non-affected systems

Long-term Containment:

  • Patch exploited vulnerabilities
  • Implement additional security controls
  • Prepare recovery environment
  • Plan system restoration

Important: Balance between containment and evidence preservation. Too aggressive action can complicate forensic analysis.

Phase 4: Eradication

Remove the threat completely from your environment:

  • Delete malware from all affected systems
  • Eliminate backdoors and persistence mechanisms
  • Identify and close initial entry path
  • Harden systems against re-infection

Common Mistake: Incomplete eradication. Attackers often leave multiple access points. Forensic analysis should identify ALL compromises before you begin recovery.

Phase 5: Recovery

Bring systems back into production:

From Backups:

  • Verify that backups are not compromised
  • Restore data from clean backups
  • Test restored systems thoroughly

System Rebuild:

  • With severe compromise: Rebuild systems rather than repair
  • Fresh installation from trusted sources
  • Restore only verified clean data

Phased Recovery:

  • Prioritise business-critical systems
  • Restore gradually, not all at once
  • Intensified monitoring during recovery phase
  • Be prepared for possible re-infection

Communication:

  • Inform employees about recovery progress
  • Manage expectations realistically
  • Transparency creates trust, even when news is unpleasant

Phase 6: Lessons Learned

After each significant incident, a Post-Incident Review should take place:

What went well?

  • Which measures were effective?
  • What enabled quick response?
  • Which preparations paid off?

What went poorly?

  • Where were delays or errors?
  • Which information was missing?
  • Where were processes unclear?

How was the attack possible?

  • Which vulnerability was exploited?
  • Where did protection measures fail?
  • Were there warning signs that were overlooked?

Which improvements are necessary?

  • Technical measures (tools, configurations)
  • Process improvements (playbooks, escalations)
  • Organisational adjustments (training, resources)

Document:

  • Detailed timeline of incident
  • Measures taken and their effectiveness
  • Total costs (direct and indirect)
  • Lessons learned and action items
  • Update Incident Response Plan based on findings

Communication During an Incident

Communication is one of the most critical and often underestimated aspects of incident response.

Internal Communication

Crisis Team: Close and frequent. For critical incidents, multiple times daily.

Management: Regular updates on status, impacts, costs, timeline. Clear, fact-based communication without technocracy.

Employees: Information about affected systems, expected restrictions, behavioural instructions. Avoid panic but be transparent about seriousness.

IT Team: Technical details, work division, coordination with external experts.

External Communication

Customers:

  • Inform proactively if their data could be affected
  • Transparent about scope and measures
  • According to revDSG, there is an obligation to inform when high risk exists for affected persons

Partners and Suppliers:

  • Inform if their systems could be affected
  • Coordination in supply chain attacks

Authorities:

  • FDPIC for reportable data protection violations
  • National Cyber Security Centre (NCSC) for serious incidents (voluntary but recommended)
  • Industry-specific regulators (FINMA, etc.)
  • Police for crimes (extortion, fraud)

Media:

  • Only if incident became or will become public
  • Prepare statements
  • Communicate consistently and coordinated
  • Consider professional PR support for large incidents

Insurance:

  • Immediate information according to insurance terms
  • Coordination on measures (some insurers have own Incident Response partners)

Communication Channels

Problem: In many incidents, normal communication channels are compromised (email, internal messaging).

Solution: Prepare alternative, secure channels:

  • External, encrypted email (not in compromised system)
  • Secure messenger (Signal, Wire)
  • Physical meetings
  • Dedicated crisis phone
  • Backup communication list (private contacts of crisis team)

Specific Incident Types and Response

Ransomware Attack

Typical Course:

  1. Initial compromise (phishing, vulnerability)
  2. Lateral movement in network (often over weeks)
  3. Data exfiltration (for double extortion)
  4. Encryption and ransom demand

Response:

  • IMMEDIATELY take backups offline (if not already done)
  • Isolate affected systems quickly
  • Do NOT pay immediately, evaluate options
  • Forensic analysis: How did attacker get in? Are all systems identified?
  • Recovery from backups if possible
  • Contact authorities (NCSC has decryption tools for some ransomware)

Payment Decision: Complex ethical and practical question:

  • Payment doesn’t guarantee restoration or non-publication
  • Finances criminal organisations
  • Can create regulatory problems (sanctions)
  • Sometimes last option for business continuity
  • Seek legal advice

Data Breach

Critical Questions:

  • Which data was compromised?
  • How many people are affected?
  • How sensitive is the data (personal data, health data, financial data)?
  • Was data exfiltrated or only potentially accessible?

Response:

  • Stop further exfiltration
  • Identify scope of compromise
  • Check reporting obligations (FDPIC, affected persons)
  • Document timeline and measures meticulously
  • Prepare communication to affected persons
  • Evaluate support offers (credit monitoring for financial data)

Business Email Compromise (BEC)

Typical Course:

  • Compromise or spoofing of CEO/CFO email
  • Instruction to finance department for urgent transfer
  • Money transferred to criminals’ account

Response:

  • Stop further transactions immediately
  • Contact your bank (chargeback sometimes possible)
  • Police report
  • Analysis: How was email compromised?
  • Change passwords, activate MFA
  • Train employees on verification processes

Distributed Denial of Service (DDoS)

Response:

  • Contact your ISP/hosting provider
  • Activate DDoS mitigation (if available)
  • Consider cloud-based DDoS protection (Cloudflare, Akamai)
  • Communicate with customers via alternative contact channels
  • Document attack for possible legal action

Costs of an Incident: What to Expect

Direct Costs

  • Incident Response Experts: CHF 200-350 per hour, typically 50-200 hours = CHF 10,000-70,000
  • Forensics: CHF 15,000-50,000 depending on complexity
  • Legal Advice: CHF 10,000-30,000
  • Ransom (if paid): Average CHF 45,000 in Switzerland
  • System Recovery: CHF 20,000-100,000
  • Credit monitoring for affected persons: CHF 50-100 per person per year

Indirect Costs

  • Business Interruption: Often largest cost factor, typically CHF 30,000-100,000 per day
  • Productivity Loss: Employees cannot work
  • Reputation Damage: Hard to quantify, can mean customer attrition
  • Regulatory Fines: Up to CHF 250,000 for DSG violations
  • Increased Insurance Premiums: 20-50% increase after incident possible
  • Opportunity Costs: Missed business opportunities

Total costs of typical incidents for SMEs: CHF 80,000-250,000

For severe incidents, costs can also reach CHF 500,000+.

Conclusion: Preparation Is Everything

The best incident response begins long before the incident. Swiss SMEs should:

  1. Develop Incident Response Plan and update regularly
  2. Define and train team
  3. Conduct Tabletop Exercises
  4. Identify external partners (ideally retainer)
  5. Create technical prerequisites (logging, monitoring, backups)
  6. Establish communication protocols
  7. Know reporting obligations
  8. Evaluate cyber insurance

In an emergency: Stay calm, follow plan, act quickly, involve experts, document. The first hours are critical.

Incident response is not an option but a necessity. The question is not whether you will be attacked, but how well prepared you are when it happens.

Back to the Cybersecurity Complete Guide