IT contingency plan for SMEs

Nowadays, no company can afford a prolonged IT system failure. In the best case, the failure "only" costs money; in the worst case, it costs the company its existence. Every company therefore needs an IT contingency plan to be better prepared for cyberattacks and system failures. Small and medium-sized enterprises are particularly at risk.
The digital transformation is increasing the dependency of many companies on business-critical programs and is also raising the risk of cyberattacks. SMEs, which have fewer resources than large companies and are therefore less well prepared, are particularly at risk. A third of all Swiss SMEs have already been attacked by cybercriminals at least once.

Prevention is better than cure

A cyberattack or a system failure due to operating, hardware or software errors can paralyze IT – and therefore operations – for days or weeks. This costs a lot of money and harms customer trust and reputation. That's why every company, regardless of its size, needs a plan for recovering business-critical data and IT systems in the event of an emergency. Many SMEs are technically prepared: They protect their IT systems with virus protection programs, update their software regularly and have installed firewalls. However, too few have an IT contingency plan or an IT disaster plan for how to react to an attack or failure.

What forms part of an IT contingency plan?

The contingency plan ensures that a company can respond appropriately, quickly and effectively to IT emergencies. An IT contingency plan for SMEs should contain at least the following documents:

  • All contact details of the company management and central IT staff
  • All contact details for external IT service providers and cyber insurance
  • Documentation of all relevant IT systems, networks and applications – including dependencies and possible effects on business-critical processes
  • Templates for communication with key customers, suppliers and partners, as well as with stakeholders such as the National Cyber Security Center NCSC
  • Checklists with tasks and responsibilities for the most likely IT emergency scenarios such as data breaches, ransomware attacks or system failures
  • List of all documents that may be helpful in an emergency, for example inventory, customer and personnel lists, system and application documentation, or recovery plans.

The IT contingency plan must be physically stored in a secure location and updated at least once a year. All key employees and management must know where to find the plan and be able to access it at any time.

Checklists for IT disaster scenarios

No two crises are the same. Every SME should therefore integrate various checklists with measures for the most likely IT disaster scenarios into its contingency plan. In addition to measures, the checklists also define escalation levels, reporting channels and responsibilities.

Measures in the event of a ransomware attack

  1. Disconnect the backup system from the network immediately
  2. Switch off the router and disconnect all connections to the Internet
  3. Disconnect the server from the network, but do not switch it off (preservation of evidence)
  4. Do not pay a ransom – or only in consultation with an experienced service provider specializing in IT emergencies
  5. Do not communicate via the internal email system
  6. Do not use possibly infected systems and applications
  7. No hasty technical system analysis or recovery

Measures in the event of a data breach

  1. Determine the extent of the stolen or compromised data and document it for the investigation.
  2. Report the incident immediately to the cantonal police and, in the case of cyberattacks, also to the National Cyber Security Center NCSC. In addition, the Federal Data Protection and Information Commissioner (FDPIC) must be informed in accordance with the Data Protection Act if the risk for the parties concerned is high. 
  3. Consult a lawyer who will assess whether the incident is reportable, communicate with the FDPIC and support the company in dealing with the consequences of the incident.
  4. Inform all affected (natural and legal) entities.
  5. Strengthen technical and organizational measures to improve system security and data protection and prevent such incidents in the future.

Important: SMEs that have taken out cyber insurance should first clarify the coverage of costs with their insurance company before consulting a lawyer.

Measures in the event of an IT system failure

  1. Disconnect the backup system from the network immediately
  2. Inform all users
  3. Localize affected systems and applications
  4. Check system for hardware and software defects and communication problems
  5. Clarify dependencies and impact
  6. Check documentation and recovery plan
  7. Contact an external IT service provider

Trust is good; training and testing is better

Anything can be written down on paper. It is therefore not enough to create an IT contingency plan, print it out and file it away. The following measures ensure that small and medium-sized enterprises do not first find out how good their contingency plan really is when an emergency occurs:

  • Update the IT contingency plan on an ongoing basis and test it regularly, for example through simulated disaster scenarios or exercises
  • Continuously adapt the IT contingency plan to current threats, but also to new legal requirements, new IT infrastructures and new technologies
  • Make all employees aware of the topics of IT security and data privacy, inform them about the contingency plan and conduct training courses or workshops

Because when it happens, it's urgent

Companies that have cyber insurance with Zurich can call our 24/7 cyber hotline around the clock. You will find the telephone number on the insurance policy. During office hours, specialized Zurich employees take care of the case; at night and on weekends, the IT security experts from our partner network lend a hand.

From the IT contingency plan to the recovery plan

With the measures in the checklists, the IT contingency plan helps companies to handle the first few important hours after a disaster. The company then needs a recovery plan to get the IT infrastructure up and running again as quickly as possible and to restore all important data. We explain how to do this in the article "A Business Continuity Plan as Plan B in an Emergency".
