Incident Response for Swiss SMEs: What to Do in the First 72 Hours


Cybersecurity incidents rarely come with a warning. For Swiss small and medium-sized enterprises (SMEs), a phishing attack, ransomware infection, or data breach can escalate from a minor issue to a business-threatening crisis within hours.

The first 72 hours after discovering an incident are critical. The decisions made during this period often determine:

  • how much data is lost,
  • how long operations are disrupted,
  • whether legal obligations are met,
  • and how well the business recovers.

This guide provides a clear, step-by-step incident response plan tailored to Swiss SMEs in 2026.


What Counts as a Security Incident?

An incident is any event that compromises—or threatens to compromise—the confidentiality, integrity, or availability of your systems or data.

Common examples include:

  • Ransomware or malware infections
  • Phishing emails leading to account compromise
  • Unauthorized access to email, cloud, or VPN systems
  • Data leaks involving customer or employee information
  • Lost or stolen devices containing business data

If you are unsure whether an event qualifies as an incident, assume it does and act accordingly.


The First 72 Hours: A Practical Timeline

Phase 1: First 0–24 Hours — Contain and Stabilize

The goal of the first day is damage control, not perfection.

1. Isolate Affected Systems Immediately

  • Disconnect infected devices from the network
  • Disable compromised user accounts
  • Do not power off systems unless absolutely necessary (valuable evidence may be lost)

This step prevents the incident from spreading further.


2. Preserve Evidence

  • Take screenshots of ransom notes or suspicious messages
  • Save log files where possible
  • Document what was observed, when, and by whom

Good documentation helps later investigation and legal compliance.
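One way to keep the record step 2 asks for, as an added example that is not part of the original guide: a small Python incident log in which every entry records who observed what and when, fingerprints any saved evidence file with SHA-256, and is hash-chained to the previous entry, so the timeline later handed to investigators, auditors or insurers can be shown to be unaltered. The observer, observations and the evidence file are constructed sample data.

```python
"""Tamper-evident incident record: who observed what, when, plus a SHA-256 of any
saved evidence file; entries are hash-chained so later edits are detectable."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(entry: dict) -> str:
    """Hash of all fields except the entry's own hash (canonical JSON)."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log: list, observer: str, observation: str, evidence: Optional[Path] = None) -> dict:
    """Append one observation; evidence (log export, screenshot) is fingerprinted, not copied."""
    entry = {
        "seq": len(log) + 1,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "observer": observer,
        "observation": observation,
        "evidence_file": str(evidence) if evidence else None,
        "evidence_sha256": hashlib.sha256(evidence.read_bytes()).hexdigest() if evidence else None,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """Recompute the chain; False if any entry was edited, removed or reordered."""
    prev = GENESIS
    for seq, entry in enumerate(log, start=1):
        if entry["seq"] != seq or entry["prev_hash"] != prev or _digest(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo() -> list:
    """Constructed sample: two observations, the second with a saved evidence file."""
    evidence = Path(tempfile.mkdtemp()) / "mailserver.log"
    evidence.write_text("2026-03-03T09:12:44Z login ok user=finance src=203.0.113.7\n")
    log: list = []
    add_entry(log, "M. Müller (IT)", "Ransom note displayed on file server FS01")
    add_entry(log, "M. Müller (IT)", "Exported mail server log before isolating host", evidence=evidence)
    return log
```

The chain detects edits, deletions and reordering inside the log but not removal of the newest entries, so send the latest entry_hash to a second place (for example by e-mail to the coordinator) each time the log grows.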


3. Activate Your Internal Response Team

Even in small companies, responsibilities should be clear:

  • One person coordinates decisions
  • One handles technical actions (internal IT or external provider)
  • One manages communication

Avoid ad-hoc decisions made in panic.


4. Change Credentials

  • Reset passwords for affected users
  • Invalidate active sessions
  • Enforce multi-factor authentication where possible

Credential theft is often the root cause of larger incidents.


Phase 2: 24–48 Hours — Assess and Communicate

Once the situation is contained, focus on understanding impact and obligations.


5. Assess the Scope of the Incident

Key questions:

  • What systems were affected?
  • Was personal data accessed or exfiltrated?
  • Are backups intact?
  • Is the attacker still active?

At this stage, assumptions should be replaced with verified information.


6. Check Legal and Notification Obligations

Under the Swiss Data Protection Act (DSG), certain incidents may require:

  • Internal documentation
  • Notification to authorities
  • Communication to affected individuals (in serious cases)

If personal data is involved and the risk is high, delayed action can create legal exposure.

When in doubt, seek legal or data protection advice.


7. Communicate Internally

  • Inform employees about the situation
  • Provide clear instructions (e.g., do not click suspicious emails)
  • Avoid speculation or blame

Clear communication reduces panic and further mistakes.


Phase 3: 48–72 Hours — Recover and Strengthen

Now the focus shifts from reaction to controlled recovery.


8. Restore Systems Carefully

  • Use clean, verified backups
  • Avoid restoring infected data
  • Monitor restored systems for unusual activity

Speed is important, but safe recovery is more important than fast recovery.
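The check behind "clean, verified backups", as an added example rather than tooling from the original guide: it assumes a manifest written at backup time and stored apart from the backup itself (so whatever reached the backup could not also rewrite the manifest), holding the backup timestamp and a SHA-256 per file, and it flags hash mismatches, missing or unlisted files, and a backup taken after the suspected compromise. The file contents, manifest and timestamps are constructed.

```python
"""Pre-restore check of a backup set against a separately stored manifest:
every file must match its recorded SHA-256, nothing may be missing or unlisted,
and the backup must predate the earliest suspected compromise."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_backup(backup_dir: Path, manifest: dict, compromise_utc: datetime) -> dict:
    """Return a report; report['ok'] is True only when the set is safe to restore.
    manifest = {"taken_utc": ISO-8601 timestamp, "files": {relative path: sha256}}."""
    taken = datetime.fromisoformat(manifest["taken_utc"])
    report = {"too_recent": taken >= compromise_utc, "mismatched": [], "missing": [], "unexpected": []}
    for rel, digest in manifest["files"].items():
        f = backup_dir / rel
        if not f.is_file():
            report["missing"].append(rel)          # listed file is gone
        elif sha256_file(f) != digest:
            report["mismatched"].append(rel)       # content changed since backup
    on_disk = {p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(on_disk - set(manifest["files"]))  # files never backed up
    report["ok"] = not report["too_recent"] and not (
        report["mismatched"] or report["missing"] or report["unexpected"])
    return report


def demo() -> tuple:
    """Constructed sample: a tiny backup set checked intact, tampered, and too recent."""
    root = Path(tempfile.mkdtemp())
    files = {"db/customers.csv": b"id,name\n1,Example AG\n",
             "docs/contract.pdf": b"%PDF-1.4 sample"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest = {"taken_utc": "2026-03-01T02:00:00+00:00",
                "files": {rel: hashlib.sha256(d).hexdigest() for rel, d in files.items()}}
    compromise = datetime(2026, 3, 3, 9, 15, tzinfo=timezone.utc)
    clean = check_backup(root, manifest, compromise)
    (root / "db/customers.csv").write_bytes(b"altered after backup")  # simulated modification
    (root / "unlisted_file.txt").write_bytes(b"not in manifest")       # simulated extra file
    tampered = check_backup(root, manifest, compromise)
    late = check_backup(root, {**manifest, "taken_utc": "2026-03-04T02:00:00+00:00"}, compromise)
    return clean, tampered, late
```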


9. Decide on Ransom Demands (If Applicable)

Authorities strongly discourage paying ransoms:

  • Payment does not guarantee recovery
  • It may violate internal or contractual policies
  • It encourages further attacks

Recovery from backups is almost always the safer option.


10. Document Everything

Create an incident report covering:

  • Timeline of events
  • Impact and affected data
  • Actions taken
  • Lessons learned

This documentation is valuable for audits, insurance, and future prevention.


After the First 72 Hours: What Comes Next?

An incident should trigger improvement, not just recovery.

Key follow-up actions:

  • Review and strengthen email and identity protection
  • Improve remote access security
  • Update backup and recovery strategies
  • Train employees based on what actually happened

Most SMEs experience repeat incidents when lessons are not applied.


Incident Response Readiness Checklist

Before an incident happens, ask:

  • Do we know who makes decisions during an incident?
  • Can we isolate systems quickly?
  • Do we have tested backups?
  • Are employees trained to report suspicious activity?

If the answer to any of these is “no,” preparation should start now—not after the next incident.


Final Thoughts

For Swiss SMEs, cybersecurity incidents are no longer rare exceptions—they are a business reality. The difference between a manageable disruption and a long-term crisis often lies in how the first 72 hours are handled.

A calm, structured incident response protects:

  • your operations,
  • your customers,
  • your legal position,
  • and your reputation.

Preparation is not about expecting the worst—it’s about ensuring your business can survive it.

