EN | PL | ES | IT | RO


Crisis management — they hacked me, what next?
Video demo    |   Feedback form    |       Play Audio    |   Download:
Cyber crisis management

Why do you need cyber crisis management?Click to read  

If you manage a micro or small business, you probably don't have enough resources and people to prevent and fight cyber crimes. For medium enterprises, it is more realistic to delegate a few specialists to work on cyber security. However, even the smallest business should feel obliged to improve cyber crisis management procedures.

Cyber crisis management protocols consist of 3 stages: 1) prevention, 2) response to the crisis, and, finally, once the dust settles 3) recovery. In this module, you will deepen your knowledge regarding stages 2 and 3.

Thanks to this module, you will improve your cyber crisis management procedures with steps helping you to deal with the hacker's attack.

Identify the crisisClick to read  

First of all, you need to know what may be classified as a cyber crisis.


For example:

• hacked devices
• screen mirroring of your devices
• copied emails
• stolen credit card data
• stolen client database
• crashed websites
• breached networks
• denials of service, etc.

All suspicious cyber events should start your cyber crisis protocol and launch stage 2 — response. Even if you are not 100 percent sure what happened, it is better to initiate an action.


Remember is not only about you and your business's current situation. You have to care also about:


your clients and business partners' safety


your business' profitability


your business' future reputation


Response to the cyber crisis

The role of timeClick to read  

Your reaction to the cyber crisis has to be fast. Sometimes you have few seconds to do something, and the worse scenario is to start a panic. Keep in your mind that panic and fear may cost you the whole business you builded.

The most common cyber crisis mistakes in MSME

no designated person(s) responsible for cyber crisis response

providers contact info not ready at hand
no cyber crisis communication protocol


Why do you need a person(s) responsible for cyber crisis response?

Cyber crisis response is a plan that you implement in case of an attack. When someone hacks you, there is no time to think who will do what. Everyone needs to be prepared. That's why you need to have one or multiple people responsible for cyber crisis response.

What do you think: the person(s) responsible for cyber crisis response has to have an IT background or not?


Are you uncertain of whether the people responsible for cyber crisis response should have an IT background? Well, we can tell you that the IT background is not the most important factor. Why? In the beginning, let' take a look at cyber crisis response person's responsibilities.

Cyber crisis response person's responsibilities

to know the backup plan


to monitor all activities within crisis


to lead the internal strategy


to implement the cyber crisis communication protocol


If the person responsible for cyber crisis response has an IT background, he/ she may better understand all of the steps involved. However, without the leadership and management skills that are crucial here, an IT person can't implement the cyber crisis response.

If you have a micro-company, it is obvious you need to prepare yourself for that possibility. You can also sign an agreement with a cyber expert that you trust. Small or medium companies should appoint a leader for the cyber crisis response stage.

It is good to remember that the cyber crisis response may be implemented remotely.

The backup planClick to read  

In MMSE, the backup plan may differ depending on the branch, type of business, etc.

However, you should consider the following steps:

Know your providers

Keep all of your providers (Internet, cloud, hosting, etc.) contact information in a secure, unplugged manner. Since the attack can be carried out from your local network, even if you are not connected to the Internet, your passwords and sensitive data may get stolen .

To do:

Consider all possible attacks before they happen. Keep all important contacts not only online, but also in the printed version.

Follow the traces

If you notice suspicious actions:

• on your bank account, call your bank and block all credit cards; 
• in your business cloud, contact the provider (by phone or e-mail).

  Pull out the plug!

Sometimes it is the only way to stop the cyber attack.

To do:

If you notice suspicious events on your or your employee's computer/other device, just pull out the plug.

Cyber crisis communication protocolClick to read  

Thinking about the response to a cyber crisis, you should consider the crisis communication protocol. Here the most important is always time. Communicate as soon as possible with the key stakeholders and inform them about the problem. You should be the source of facts — not the newspapers or social media.


Show your stakeholders you care about them, and you have already taken adequate steps to minimize the cyber crisis consequences.


You have to be ready for this step before the attack, so prepare the key stakeholders list:


clients (especially if you have a client database)


your suppliers

  business partners, sponsors, and investors    

neighbors / other businesses in the building (maybe the attacker hacked them too)


You also have to consider making a statement on your website/ social media site or in other media. Of course, you can delegate one of your employees to this task.
It is crucial to update your statement frequently. Your stakeholders and audience need to be sure that you take care of their data. Remember that the outcome of the cyberattack may be the future of your business.

How to speak about the cyber crisis?


Always speak clearly.

Give straight answers to the questions. 

Use facts, not opinions. 

Do not accuse anyone or apologize until you get to know what happens. 


Avoid emotional reactions.



Recovery after the cyber crisis

How to return to normal after the cyber crisis?Click to read  

After the cyber crisis, each business needs to take some steps to return to normal functioning. That is how we reach the third stage of cyber crisis management called disaster recovery.

Recovery after the cyber crisis includes post-event steps like:

assessments (of the damages, causes, and the management)

lessons learned

planned improvements


Do the assessment!Click to read  

Recovery starts after the cyber crisis. To make sure that your business will be "healed" you need to take radical steps. First of all, you need to find gaps that may the attack possible.


Plan the assessment meetings with your team to discuss all damages made during the cyber attack. Find and understand the causes. If it is necessary, ask external experts for support.

  Evaluate your cyber management plan. Discuss it step by step, all taken actions, to understand what went wrong.


Lesson learnedClick to read  

During or after the assessment, create a list of vulnerabilities that made the cyber attack easier. Do not take it personally. Do not think about it as a failure. More important is to learn from this attack.

If you are a leader/ business owner, your attitude has an impact on your employees and stakeholders. If you consider the attack as a failure or wrongly accuse one of your employees of being responsible for it, that may affect your business's future. 

Just keep in mind, each move and action you take is influencing not only this moment and this cyber attack but also your future reputation and profitability. 

Plan the improvementsClick to read  

The last step is to analyze all gaps using facts and data. If you find out that the attacker hacked your business because one of your employees neglected his / her duty, it is better  to avoid emotional reactions. There are multiple ways to act in this situation because each case is different.

For sure, you can make an effort to create short- and long-term goals to close gaps. Each gap is a verified indicator in the incident. Each goal assumes the prevention of similar attacks in the future.

The recovery after the cyber attack must eliminate or minimize the causes of said attack. If this does not happen, the lesson won't be learned. 

Cyber crisis case studyClick to read  

You may be hacked, no matter if you own a small or big enterprise. Owning a bigger company doesn't make you safer or better prepared for the crisis. At least not always. Just take a look at the case studies below.

Marriott International:

The cyber attack 

The well-known hotels' chain, Marriott International, was hacked in January 2020, but the attack went unnoticed by the company until late February. Hackers who obtained the login credentials of two Marriott employees might gain access to the guest's details. The company started its own investigation.


Marriott made a statement that hackers might acquire personal details such as names, birthdates, telephone numbers, language preferences, and loyalty account numbers. Also, the hotel sent emails to the guests involved; created a dedicated website and call center to inform guests. Marriott assured that they carry insurance, including cyber insurance. Till now everything looks professional, however, giving the statement the company didn't believe that its total costs related to this incident would be significant.


In October 2020, the UK's data privacy watchdog fined the Marriott Hotels chain £18.4m for a data breach that may have affected up to 339 million guests records.

Where was the lesson learned?

First of all, that wasn't the first cyber attack on Marriott International. In 2014, hackers attacked the Starwood Hotels group that was acquired by Marriott two years later. As we know, the company didn't take any recovery steps at that time. That's why the next attack was easier.

The first publicly noticed attack had placed in 2018. Again, the crisis management protocol wasn't implemented correctly, in consequence, until this time the attacker continued to have access to all affected systems, including:

• names
• arrival and departure information
• email addresses
• VIP status
• phone numbers
• loyalty program numbers
• passport numbers

That is why Marriott has been fined by the UK's data privacy watchdog. The hotel's chain failed to protect personal data as required by the General Data Protection Regulation (GDPR). Moreover, it failed more than once. Leaders responsible for cyber crisis management didn't identify and analyze gaps deeply.

What helped?

Marriott International carries insurance, including cyber insurance. This helped to pay up the fines.

What can you learn from this?

Lessons learned:

Rethink your cyber crisis management.

Think if you have enough leadership and management skills to implement the cyber crisis management plan.

If not, learn more in our other courses.
Also, look for a cyber expert as support.
Think whether you need cyber insurance.


SummaryClick to read  

Nowadays, cyber crisis management is important the same for a micro and large company.

The difference is in the resources that you have. The smallest business the biggest responsibilities you have as an owner.

Remember that a cyber crisis may affect your company even if it is not a typical online business (e-business). Whenever you need a laptop, smartphone, printer, fax, mailbox, you need to consider cyber security management. 

Finally, keep in mind that mismanagement may escalate the crisis or even create a new one. 

Good luck!


cyber crisis; recovery plan; cyber crisis management


At the end of this module the trainee will be able to: identify cyber crisis in business; identify potential risks and gaps; avoid most common cyber crisis mistakes; improve or create cyber crisis management plan; prepare himself/herself for the cyber crisis response and to recovery after the cyber crisis.


This module will introduce you to cyber crisis management. In the first unit, you will get to know how to identify a crisis.

In the second unit, you will receive a set of best practices for responding to a cyber crisis, whether you run a sole proprietorship or employ people.

The third unit focuses on the recovery of your business after a cyber crisis. You'll get specific tips based on the case study.


The New Statesman > How to tell your customers you’ve been hacked


Deloitte > Cyber crisis management: Readiness, response, and recovery


Security Boulevard > Marriott Data Breach 2020: 5.2 Million Guest Records Were Stolen


BBC News > Marriott Hotels fined £18.4m for data breach that hit millions


Marriott International News Center > Marriott International Notifies Guests of Property System Incident


Forbes > What Businesses Are The Most Vulnerable To Cyberattacks?


Related training material


team img
team img
team img

team img
team img
team img
The European Commission's support for the production of this publication does not constitute an endorsement of the contents, which reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
Legal description – Creative Commons licensing:
The materials published on the CyberMSME project website are classified as Open Educational Resources' (OER) and can be freely (without permission of their creators): downloaded, used, reused, copied, adapted, and shared by users, with information about the source of their origin.