Why Most SMEs Are Not Ready for a Cyber Incident
Here is a situation that plays out every week in Switzerland: a small business discovers its website has been hacked, its customer data has been stolen, or ransomware has encrypted its files. The owner asks "what do we do now?" and nobody has an answer.
There is no documented plan. There is no designated person in charge. Nobody knows who to call. The IT provider's emergency line goes to voicemail. Hours pass. The damage gets worse. Decisions are made in panic rather than preparation.
According to a survey by the Swiss Federal Statistical Office, over 36% of Swiss businesses experienced a cyber incident in the past year. For SMEs in Ticino and across Switzerland, the question is not whether an incident will happen, but when. Having a plan does not prevent incidents, but it dramatically reduces the damage, the downtime, and the cost.
This guide provides a practical incident response plan (IRP) template sized for small and medium businesses. Not a 200-page enterprise document that nobody reads, but a focused plan that you can actually follow when things go wrong.
The 6 Phases of Incident Response
Every incident response framework (NIST, SANS, ISO 27035) follows roughly the same structure. Here are the 6 phases adapted for SME resources and Swiss requirements.
Phase 1: Preparation
Preparation happens before any incident. This is the phase where you build the foundation that makes the other 5 phases possible.
Designate an Incident Response Team
For an SME, the "team" might be 2-3 people with defined roles:
- Incident Coordinator: The person who makes decisions during an incident. Usually the business owner or a senior manager. This person authorizes actions like shutting down systems, contacting authorities, or hiring external help.
- Technical Lead: The person (or external provider) who handles the technical response: isolating systems, analyzing the attack, collecting evidence, and restoring services. For many SMEs, this is the IT provider.
- Communications Lead: The person who handles communication with customers, employees, regulators, and media. For small businesses, this is often the business owner.
Create a Contact List
During an incident, you need to reach the right people fast. Prepare a contact list (printed, not just digital, since your systems might be down):
- IT provider: name, phone (emergency), email, contract SLA details.
- Cyber security consultant: for investigation and forensics.
- Legal counsel: for regulatory obligations and liability questions.
- Cyber insurance provider: policy number, claims phone number, what the policy covers.
- Hosting provider: emergency contact for server incidents.
- Domain registrar: for DNS-level incidents.
- NCSC (National Cyber Security Centre): report@ncsc.admin.ch, +41 58 462 29 19.
- Cantonal police: for criminal complaints.
- FDPIC (Federal Data Protection and Information Commissioner): for data breach notifications under nLPD.
Document Your Infrastructure
You cannot protect or restore what you do not know you have. Document:
- All servers, hosting providers, and IP addresses.
- All domains and DNS providers.
- CMS platforms and their admin access credentials (stored securely, e.g., in a password manager).
- Third-party services and integrations.
- Where backups are stored and how to restore them.
- Network diagram (even a simple one showing key components).
Ensure Backups Exist and Are Tested
Backups are the single most effective recovery tool. But backups that have never been tested are not backups; they are hopes. Verify:
- Backups run automatically on a daily schedule (at minimum).
- Backups are stored in a separate location from the primary systems (different provider, different account).
- At least one backup copy is offline or immutable (cannot be encrypted by ransomware).
- You have tested restoration from backup within the last 6 months.
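The restore test in the last item is the one SMEs most often skip because it sounds like a manual chore. The script below is an added example, not code from the original article or from Envestis: it rebuilds a backup archive into a scratch directory, compares every restored file's SHA-256 against the hashes recorded at backup time, and checks that the archive is not older than the daily schedule allows. The zip format, the sample files, the archive name and the 24-hour threshold are assumptions made for the demonstration; the same structure works for any archive format you can extract programmatically.

```python
"""Automated restore test for a file backup archive.

Added example, not part of the original article. Assumes backups are plain
zip archives (constructed here with shutil.make_archive) and that the checks
may run on a scratch directory that is deleted afterwards.
"""
import hashlib
import shutil
import tempfile
import time
import zipfile
from pathlib import Path

MAX_BACKUP_AGE_HOURS = 24  # assumption: the article's "daily at minimum" schedule


def file_hashes(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def restore_test(archive, expected_hashes, max_age_hours=MAX_BACKUP_AGE_HOURS):
    """Extract the archive into a scratch directory and compare the restored
    files with the hashes recorded when the backup was taken."""
    archive = Path(archive)
    age_hours = (time.time() - archive.stat().st_mtime) / 3600
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        with zipfile.ZipFile(archive) as zf:
            if zf.testzip() is not None:  # CRC failure inside the archive
                return {"ok": False, "missing": [], "mismatched": [],
                        "age_hours": round(age_hours, 2), "reason": "corrupt archive"}
            zf.extractall(scratch)
        restored = file_hashes(scratch)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    missing = sorted(set(expected_hashes) - set(restored))
    mismatched = sorted(k for k in expected_hashes
                        if k in restored and restored[k] != expected_hashes[k])
    return {
        "ok": not missing and not mismatched and age_hours <= max_age_hours,
        "missing": missing,
        "mismatched": mismatched,
        "age_hours": round(age_hours, 2),
    }


def demo():
    """Build a constructed backup, then run the restore test twice: once with
    the true hashes (passes) and once with a wrong expectation (fails)."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        data = work / "data"
        (data / "crm").mkdir(parents=True)
        (data / "crm" / "customers.csv").write_text("id,name\n1,Example AG\n")
        (data / "invoices.txt").write_text("INV-0001 paid\n")
        expected = file_hashes(data)  # recorded at backup time in real use
        archive = shutil.make_archive(str(work / "backup-2025-03-10"), "zip", root_dir=data)
        good = restore_test(archive, expected)
        # Simulate a backup whose content no longer matches what was recorded.
        tampered = dict(expected, **{"invoices.txt": "0" * 64})
        bad = restore_test(archive, tampered)
        return good, bad
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore:", good)
    print("mismatched restore:", bad)
```

Run this from a scheduled job against the most recent archive and page someone when `ok` is false; a restore that silently fails for months is exactly the "hope, not backup" situation the text describes. The hash set has to be written somewhere the ransomware cannot reach (the same offline or immutable location as the backup itself), otherwise an attacker who encrypts the archive can also remove the evidence that it was ever good.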
Phase 2: Identification
Identification is the process of detecting that an incident has occurred and understanding its scope.
Common Signs of an Incident
- Unusual login activity: successful logins from unknown IP addresses or at unusual times.
- Website defacement or unauthorized content changes.
- Customer reports of phishing emails that appear to come from your domain.
- Unexpected system slowness or unavailability.
- Files encrypted with ransom notes appearing on servers.
- Alerts from security monitoring tools.
- Notification from external party (NCSC, a customer, a security researcher).
- Unusual outbound network traffic (data exfiltration).
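The first sign in the list, unusual login activity, is one an SME can check for itself from web server logs without any security tooling. The following is an added example, not code from the original article: it parses access log lines in Apache/nginx combined format, keeps only successful logins to the CMS admin page, and flags those from an IP outside the known office and IT provider ranges or outside business hours. The log lines, the `/admin/login` path, the use of HTTP 302 as the "login succeeded" signal, the allow-listed networks and the 07:00 to 19:00 window are all assumptions chosen for the demonstration and should be replaced with the values for your own site.

```python
"""Flag suspicious admin logins in web server access logs.

Added example, not part of the original article. Assumptions: combined log
format, a successful CMS login is a POST to /admin/login answered with 302,
business hours are 07:00-19:00 in the server's local time, and the allow-list
below holds the office and IT provider addresses (documentation ranges).
"""
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
LOGIN_PATH = "/admin/login"                      # assumed CMS login endpoint
KNOWN_NETWORKS = [ip_network("203.0.113.0/24"),  # constructed: office range
                  ip_network("198.51.100.10/32")]  # constructed: IT provider
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Constructed sample log: one normal login, a failed then successful login from
# an unknown address at night, and a known address logging in late evening.
SAMPLE_LOG = """\
203.0.113.15 - - [10/Mar/2025:09:12:03 +0100] "POST /admin/login HTTP/1.1" 302 0
203.0.113.15 - - [10/Mar/2025:09:12:10 +0100] "GET /admin/dashboard HTTP/1.1" 200 5120
192.0.2.77 - - [10/Mar/2025:03:41:55 +0100] "POST /admin/login HTTP/1.1" 401 512
192.0.2.77 - - [10/Mar/2025:03:42:07 +0100] "POST /admin/login HTTP/1.1" 302 0
198.51.100.10 - - [10/Mar/2025:22:05:41 +0100] "POST /admin/login HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_known(ip):
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def suspicious_logins(lines):
    """Return (timestamp, ip, reasons) for each successful admin login that
    comes from an unknown address or falls outside business hours."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != LOGIN_PATH or ev["status"] != 302:
            continue  # only successful logins matter here; failures are a separate signal
        reasons = []
        if not is_known(ev["ip"]):
            reasons.append("unknown source IP")
        if not BUSINESS_START <= ev["ts"].time() < BUSINESS_END:
            reasons.append("outside business hours")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["ip"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ts, ip, why in suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"{ts}  {ip:<15}  {why}")
```

Run it over yesterday's access log from a cron job and email the findings to the Technical Lead. A login from a known address late in the evening is usually the owner working from home, but it still deserves a glance; a successful login from an unknown address after a failed attempt at 03:42, like the constructed sample, is the kind of event that should trigger the initial assessment questions below.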
Initial Assessment Questions
When a potential incident is identified, the Incident Coordinator should immediately assess:
- What is affected? Which systems, data, and services are involved?
- Is it still ongoing? Is the attacker still active?
- What data is at risk? Is personal data (customer information, employee data) involved?
- What is the business impact? Are critical services down? Is revenue being lost?
- Is this a reportable breach? Under the nLPD, breaches of personal data that pose a high risk to the affected persons must be reported to the FDPIC (see the notification obligations section below).
Preserve Evidence
Before making any changes, preserve evidence. This is critical for both investigation and potential legal proceedings:
- Take screenshots of any unusual activity.
- Save relevant log files (access logs, error logs, system logs).
- Record timestamps of when events were noticed.
- Do not reboot systems unless necessary (this can destroy volatile evidence in memory).
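"Save relevant log files" is easy to say and easy to do badly: a log copied with a plain file copy loses its original timestamp, and without a hash nobody can later show the copy is what was collected. The script below is an added example, not code from the original article: it copies the chosen log files into an evidence directory, preserves their modification times, records the collector, the collection time and a SHA-256 per file in a manifest, and can later re-verify the copies. The file names, the collector name, the ticket reference and the sample log contents are constructed for the demonstration.

```python
"""Preserve log evidence with a hashed manifest.

Added example, not part of the original article. Assumes the responder can
read the source logs and has a separate writable evidence location (for
example a USB drive) that is not on the compromised system. Standard library
only, so it runs on any machine with Python.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def preserve_logs(sources, evidence_dir, collector, note=""):
    """Copy each source file into evidence_dir and write manifest.json with
    SHA-256 hashes, original mtimes and the collection timestamp."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(map(Path, sources)):
        dst = evidence_dir / f"{i:02d}_{src.name}"  # index prefix avoids name clashes
        shutil.copy2(src, dst)                       # copy2 keeps the original mtime
        entries.append({
            "original_path": str(src.resolve()),
            "evidence_file": dst.name,
            "size_bytes": dst.stat().st_size,
            "original_mtime_utc": datetime.fromtimestamp(
                src.stat().st_mtime, timezone.utc).isoformat(),
            "sha256": hashlib.sha256(dst.read_bytes()).hexdigest(),
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"collector": collector, "note": note, "files": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every evidence copy; return the names whose hash no longer matches."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [
        e["evidence_file"] for e in manifest["files"]
        if hashlib.sha256((evidence_dir / e["evidence_file"]).read_bytes()).hexdigest()
        != e["sha256"]
    ]


def demo():
    """Constructed walk-through: collect two sample logs, verify them, then
    modify one copy to show that verification detects the change."""
    work = Path(tempfile.mkdtemp(prefix="evidence-demo-"))
    try:
        logs = work / "logs"
        logs.mkdir()
        (logs / "access.log").write_text(
            '192.0.2.77 - - [10/Mar/2025:03:42:07 +0100] "POST /admin/login HTTP/1.1" 302 0\n')
        (logs / "error.log").write_text(
            "[10/Mar/2025 03:42:09] PHP Warning: file_get_contents(): failed to open stream\n")
        evidence = work / "evidence"
        manifest = preserve_logs([logs / "access.log", logs / "error.log"], evidence,
                                 collector="M. Rossi (Technical Lead)",  # constructed
                                 note="Ticket IR-0001, constructed demo")  # constructed
        clean = verify_manifest(evidence)
        # Simulate an accidental edit of one evidence copy after collection.
        edited = evidence / manifest["files"][1]["evidence_file"]
        edited.write_text(edited.read_text() + "edited later\n")
        tampered = verify_manifest(evidence)
        return len(manifest["files"]), clean, tampered
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    count, clean, tampered = demo()
    print(f"{count} files preserved; changed after collection: {clean} -> {tampered}")
```

Print the manifest and keep it with the drive; an investigator or the police can then confirm that the copies they receive match what was collected on the day. Collect from a separate machine where you can, and do not open the copies in an editor afterwards: as the demo shows, even a trivial edit changes the hash and weakens the evidence.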
Phase 3: Containment
Containment prevents the incident from spreading further. The goal is to limit the damage without destroying evidence.
Short-Term Containment
Immediate actions to stop the bleeding:
- Isolate affected systems: Disconnect compromised servers from the network. If a website is serving malware, take it offline immediately.
- Change credentials: Reset passwords for all accounts that might be compromised. Start with admin accounts and service accounts.
- Block the attack vector: If the attack came through a specific vulnerability, block it. If it came from a specific IP address, block it at the firewall.
- Revoke compromised access tokens: API keys, OAuth tokens, session cookies.
Long-Term Containment
Once the immediate threat is controlled:
- Set up temporary workarounds to restore critical business functions while the full investigation continues.
- Apply security patches to the vulnerability that was exploited.
- Enable enhanced monitoring to detect any further compromise attempts.
- Begin forensic analysis of affected systems (ideally by a qualified professional).
Phase 4: Eradication
Eradication removes the threat from your environment completely.
Identify the Root Cause
Before you can eradicate the threat, you need to understand how the attacker got in. Common root causes for SMEs:
- Unpatched CMS (WordPress, Joomla) or plugins.
- Compromised credentials (weak passwords, reused passwords, no 2FA).
- Phishing attack that gave the attacker employee credentials.
- Vulnerable third-party software or services.
- Misconfigured server or cloud service.
Remove the Threat
- Remove all malicious files, backdoors, and unauthorized accounts.
- Restore clean versions of compromised files from known-good backups.
- Update all software to the latest versions.
- Rebuild compromised systems from scratch if the extent of compromise is uncertain.
- Scan all systems for remaining indicators of compromise.
Close the Entry Point
Fix the vulnerability that allowed the attack. If it was a weak password, enforce stronger passwords and 2FA. If it was an unpatched CMS, update it and set up automatic updates. If it was a misconfigured server, fix the configuration and document the change. For more on securing your website login, see our article on brute force attack defense.
Phase 5: Recovery
Recovery is the process of bringing affected systems back to normal operation.
Restore from Known-Good State
- Restore data from verified, clean backups.
- Rebuild systems that were compromised, rather than trying to "clean" them (you can never be 100% sure all backdoors have been removed).
- Verify that restored systems are functioning correctly.
- Implement additional security controls before bringing systems back online.
Monitoring After Recovery
After systems are restored, monitor closely for at least 30 days:
- Watch for signs that the attacker still has access (login attempts, unexpected changes).
- Monitor network traffic for unusual patterns.
- Verify that all patches and security improvements are in place.
- Run vulnerability scans on all restored systems.
Recovery Timeline
| Incident Type | Typical Recovery Time (SME) | Key Factor |
|---|---|---|
| Website defacement | Hours to 1 day | Backup availability |
| Ransomware | Days to weeks | Backup quality and coverage |
| Data breach | Weeks to months (including investigation) | Scope of compromised data |
| Email compromise (BEC) | Days | Speed of detection |
| DDoS attack | Hours | CDN/WAF capability |
Phase 6: Lessons Learned
After the incident is resolved, conduct a lessons-learned review. This is the phase most SMEs skip, and it is the one that prevents the same incident from happening again.
Post-Incident Review Meeting
Within 2 weeks of the incident being resolved, hold a meeting with everyone involved. Answer these questions:
- What happened? (Timeline of events)
- How was it detected? Could it have been detected sooner?
- What worked well in the response?
- What did not work well?
- What should we do differently next time?
- What security improvements should we implement to prevent recurrence?
Update the IRP
Based on the lessons learned, update your incident response plan. Update the contact list, revise procedures that did not work, and add any new scenarios you encountered.
Who to Contact in Switzerland
NCSC (National Cyber Security Centre)
The NCSC is Switzerland's central point for reporting cyber incidents. They provide free analysis and guidance. Reporting is voluntary for most businesses but strongly recommended.
- Report form: https://www.report.ncsc.admin.ch
- Email: report@ncsc.admin.ch
- Phone: +41 58 462 29 19
The NCSC can help with: analysis of malware samples, identification of attack patterns, coordination with international CERTs, and technical guidance on containment and recovery.
Cantonal Police
For cybercrime complaints (ransomware, fraud, data theft), file a report with your cantonal police. In Ticino, this is the Polizia cantonale. They have specialized cybercrime units that handle digital evidence and coordinate with federal authorities.
FDPIC (Federal Data Protection and Information Commissioner)
Under the new Swiss Federal Act on Data Protection (nLPD, effective September 1, 2023), data breaches that pose a high risk to the personality or fundamental rights of the affected persons must be reported to the FDPIC as quickly as possible.
- Website: https://www.edoeb.admin.ch
- Email: info@edoeb.admin.ch
Legal Counsel
Engage a lawyer with experience in data protection and cybercrime law. They can advise on notification obligations, potential liability, and managing the legal aspects of the incident.
Cyber Insurance Provider
If you have cyber insurance, notify your insurer as soon as possible (often within 24-72 hours of discovering the incident, depending on the policy). The insurer may provide access to incident response specialists, forensic investigators, and legal support as part of the coverage.
Notification Obligations Under nLPD and GDPR
Swiss nLPD (New Federal Act on Data Protection)
Under the nLPD (effective September 1, 2023):
- Who must report: The data controller (typically the business that collected the data).
- When to report: As quickly as possible when a data security breach poses a high risk to the personality or fundamental rights of affected persons.
- Report to: FDPIC (Federal Data Protection and Information Commissioner).
- What to include: Type of breach, affected data categories, approximate number of affected persons, consequences, measures taken or planned.
- Informing affected persons: Required when necessary for their protection or when requested by the FDPIC.
EU GDPR (If You Process Data of EU Residents)
If your business processes personal data of EU/EEA residents (e.g., you sell to customers in Italy, Germany, or France), the GDPR also applies:
- Notification deadline: Within 72 hours of becoming aware of the breach.
- Report to: The supervisory authority of the relevant EU member state.
- Informing affected persons: Required without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
For businesses in Ticino that serve customers across the Italian border, both nLPD and GDPR obligations apply simultaneously. This means reporting to both the FDPIC and the Italian Garante per la protezione dei dati personali.
Communication Plan for Customers
How you communicate during and after an incident affects customer trust more than the incident itself.
Principles
- Be transparent. Do not hide the incident. Customers will find out eventually, and discovering that you concealed a breach destroys trust permanently.
- Be factual. Report what you know, what you do not know, and what you are doing about it. Avoid speculation.
- Be proactive. Contact affected customers directly rather than waiting for them to ask.
- Provide actionable advice. Tell customers what they should do (change passwords, monitor accounts, etc.).
Communication Template
A customer notification should include:
- What happened (in plain language, not technical jargon).
- When it happened and when you detected it.
- What data was affected.
- What you are doing about it.
- What the customer should do (specific actions).
- How to contact you with questions (dedicated email or phone line).
Timing
Communicate as soon as you have confirmed the incident and understand its basic scope. Do not wait until the investigation is complete. An initial notification saying "we are aware of an incident, here is what we know so far, and here is what we are doing" is better than silence followed by a delayed, complete report.
Tabletop Exercises
A tabletop exercise is a simulation where team members walk through a hypothetical incident scenario to test the IRP without actually disrupting systems.
How to Run a Tabletop Exercise
- Choose a scenario. Make it realistic for your business. Examples: "Our website has been defaced." "We received a ransomware demand." "A customer reports that their data has appeared online."
- Gather the incident response team. Schedule 60-90 minutes.
- Present the scenario. Walk through it step by step. At each step, ask: "What do we do now? Who do we call? What decisions need to be made?"
- Identify gaps. Where did the team hesitate? What information was missing? Whose phone number did we not have? What procedure was unclear?
- Update the IRP. Fix every gap identified during the exercise.
Example Scenario: Ransomware Attack
Monday morning, 8:15 AM. Your office manager tries to open files on the shared drive and sees a message demanding 2 Bitcoin (approximately CHF 60,000) to decrypt the files. The message says the price doubles after 48 hours. All files on the shared drive are encrypted. Your website and email are still functioning.
Walk through the scenario: Who takes charge? Do we contact the police? Do we pay? How do we communicate with employees and customers? When do we involve the insurer? How do we restore from backup? How long will it take?
Frequency
Run a tabletop exercise at least once per year. Rotate scenarios to cover different types of incidents. After any real incident, run a tabletop on a variation of what happened to test the improvements you made.
Practical IRP Template for Swiss SMEs
Here is a condensed IRP template you can adapt for your business. Print this out and keep a copy accessible (not just on a computer that might be encrypted by ransomware).
Section 1: Roles and Contact Information
| Role | Name | Phone | Email / Reference |
|---|---|---|---|
| Incident Coordinator | [Your name] | [Phone] | [Email] |
| Technical Lead / IT Provider | [Name] | [Emergency phone] | [Email] |
| Communications Lead | [Name] | [Phone] | [Email] |
| Legal Counsel | [Name] | [Phone] | [Email] |
| Cyber Insurance | [Provider] | [Claims phone] | Policy #: [Number] |
| NCSC | - | +41 58 462 29 19 | report@ncsc.admin.ch |
| FDPIC | - | - | info@edoeb.admin.ch |
Section 2: Initial Response Checklist
- Confirm the incident is real (not a false alarm).
- Notify the Incident Coordinator.
- Preserve evidence (screenshots, logs, timestamps).
- Assess scope: what systems, data, and services are affected?
- Contain: isolate affected systems, change credentials.
- Determine if personal data is involved (triggers nLPD/GDPR obligations).
- Notify insurer within [X] hours per policy terms.
- File NCSC report.
- If personal data is affected: prepare FDPIC notification.
- Prepare customer communication if necessary.
Section 3: Recovery Priorities
List your business-critical systems in order of priority for restoration. For most SMEs:
- Email and communications.
- Website (if e-commerce or customer-facing services are involved).
- Financial systems (banking, invoicing).
- Customer data and CRM.
- Internal file storage.
Next Steps
An incident response plan is only useful if it exists before the incident. Writing one after you have been hacked is like buying fire insurance after the building is burning.
At Envestis in Lugano, we help Swiss SMEs build practical incident response plans, conduct tabletop exercises, and implement the security measures that reduce the likelihood of incidents in the first place. We also provide security assessments that identify vulnerabilities before attackers do. Read our website security checklist for SMEs as a starting point.
If you need help creating an incident response plan for your business, or if you are dealing with an active incident right now, contact us. Being prepared costs a fraction of what recovery costs when you are unprepared.
Want to know if your site is secure?
Request a free security audit. In 48 hours you get a complete report.