Crisis response team

How to manage the aftermath of a cyber attack?

The National Cyber Security Centre (NCSC) continuously warns businesses about the proliferation of issues related to cybersecurity in 2022. In such a context, its main recommendation is simple: British companies must prepare for cyberattacks, and to achieve that, they first and foremost need to train their crisis response teams – and now!

C-RiskC-Risk
Published on 13 August 2021 (Updated on 26 August 2022)

Who should be part of the crisis unit? Why should they be appointed upstream of the crisis? What are the risks of not creating a crisis response team now? The following article offers a comprehensive guide of the procedures needed to set up an effective crisis response team.

Crisis response team: a definition


What is a “crisis response team”, “crisis management team”, or “crisis unit”? In everyday terms, we could say that it is “the team that handles the crisis management of a company, both in terms of logistics and crisis communication strategy”.

So, the core goal of the crisis management team consists of solving issues related to sensitive or critical situations. In detail, the crisis management team:

  • is in charge of implementing preventive actions,
  • limits the impact an emerging crisis may have on the activities and the survival of the organisation,
  • protects both the reputation and the potential financial valuation of the company faced with a crisis situation.
Assembling a crisis response team

What is the role of a crisis response team?

The crisis response team is an answer to abnormal, rare, and dangerous circumstances for the company. Its first role is to design a set of measures just as extraordinary as the situation, which must constitute a quick and effective framework for a crisis situation.

In doing so, the crisis response team offers a crisis resolution system focused on coordinating the management of activities and information. This multidisciplinary assignment brings together several complementary goals:

  • centralizing data to avoid the risk of misinterpretation
  • controlling communication and clarity of messages;
  • conceptualising and planning crisis management;
  • coordinating resources related to crisis resolution;
  • disseminating the right messages to the press, stakeholders, and the general public

In what context should you establish a crisis unit?

A risk audit makes it possible to determine the potential field of intervention of a company's crisis response team. Risk audits are generally necessary in any situation that exposes the reputation of the company.

Crises often result from an event capable of slowing down or stopping your activity. DDoS (Distributed Denial of Service) attacks, for example, render your website or your online services inaccessible. This is an example of a crisis situation. Another might be a cybercrime damaging the reputation of your services, such as the theft of personal data. Faced with a varied array of potential risks, the decisions your crisis unit makes can be very different from one given crisis situation to another.

Who should be in your crisis response team?


It is better to set up your crisis response team upstream of potential crises, after having assessed cyber risks and other potentially dangerous scenarios. Your crisis response team must bring together strategic departments within the company:

  • General management
  • Site directors, if applicable
  • Communication management
  • Legal affairs management
  • Quality management
  • Heads of relevant departments, in particular the Cyber and IT Systems Division, if the crisis occurs because of a cyberattack

If necessary, you could also designate a spokesperson and a coordinator for the team. However, efforts must be made to restrict the crisis response team to a limited number of participants – keep in mind that it has to remain flexible and efficient. Alternatively, many organisations decide to seek help from outside experts:

  • Crisis management consultants
  • Crisis communication experts
  • Legal practitioners, lawyers, in particular
  • Cybersecurity consultants if the crisis occurs because of a cyber incident

A document should also be in place that details the role of each member within the crisis response team, their objectives, and the means placed at their disposal. This file, often in the form of a table, needs to be updated regularly. Each member of the crisis unit must also be easily reachable – it is a good idea to create a contact list.

Composition of the crisis unit

Pros and cons of a crisis management team


Having a crisis management team should relieve some pressure from general management. It is a flexible tool, capable of adjusting to a crisis situation in real time, following scenarios prepared in advance. Relying on a crisis response team will ensure that:

  • the business is prepared for a crisis – it mitigates negative impacts and improves the resilience of the company,
  • crisis situations become less frequent,
  • business can continue smoothly.

Setting up a crisis response team, however, is not, in itself, enough to solve the problem. For effective crisis management, you need a trained team and a clear distribution of tasks between members. Each member should also be included in the conceptualisation of the business continuity plan, as crisis management can only be successful if the team members understand crisis management strategies before having to apply them.

Similarly, be careful not to build a crisis response teams around the authority of a single person – the coordinator, for instance. In order for the crisis unit to show the flexibility necessary for responsive crisis management, each member requires a sufficient degree of autonomy in their own field. When this parameter is not respected, crisis response teams can be slowed down by lengthy validation processes, making it arduous to reach a quick and effective way out of a situation.

How to organise a crisis response team?


The organisation of a crisis response team is carried out both before the onset of a crisis and after. In any case, it follows precise procedures supported by specific tools.

What does the process of setting up a crisis response team look like in the event of crisis management applied to cybersecurity? Here we take the case of a Denial of Service attack, which blocks access to your online services.

Upstream of the crisis

For an effective crisis response team, you need to define the types of risk that threaten the company. This is precisely the idea behind establishing a cyber risk map.

1. Define the risks to make up the team

The make-up of a crisis unit greatly depends on the risks that you assess as priorities for your organisation, such as potentially serious threats to your business, stakeholders, or both.

The identification of those risks – cyber risks in this example – determines the composition of the crisis response team and the planning of its tasks. Taking into account the risk of a Denial of Service attack requires including the information systems security manager (ISSM) in the crisis unit.

2. Creation of the crisis guide

When the crisis response team is being prepared, it is necessary to design a “crisis guide” that lays out procedures, tools, and responsibilities when an attack strikes. It must include the table previously mentioned and specify the identity of each member, their contact details, role, and degree of autonomy in decision-making.

This guide may also include a document listing the equipment placed at the service of the crisis response team and how it works. In the case of a DDoS cyberattack, it may be a switchboard dedicated to internet users' questions, for example. You may also want to plan for extra computers, dedicated email addresses, etc.

This crisis guide also needs to feature the crisis unit’s logistical structure and chain of command. The general idea is to facilitate the action of the crisis response team to avert unknown sources of errors on D-Day.

3. Set up a monitoring procedure

The members of the crisis response team must be aware of the major risks. They must also train, along with their respective teams, to recognise the signs of a possible emerging crisis. In the case of a Denial of Service attack, for example, you may notice unexplained traffic spikes or a sudden slowdown in your online service.

If your crisis unit detects such signals, all its members must be alerted to ensure the unit’s proactivity in crisis management. Then, they check that this is not a false alarm. You may suspect a DDoS, but a simple DNS configuration error could, after all, be slowing down online services.

Identifying pre-alert signals

4. Prepare the arguments

Finally, the crisis response team needs a reference document listing the various questions and the corresponding solutions to run through in the event of a crisis. The style and content must be the same for every team member called upon to speak.

Indeed, in order to be impactful, your crisis communication needs to show consistency. However, it must also take into account the diversity of your targets – your investors probably don't expect the same information as the general public. Besides, your crisis communication has to plan for arguments and counterarguments at the same time.

Once the crisis has begun

In the event of a real crisis, the crisis response team has to keep up a juggling act between procedures to put in place, documentation theory, experience from drills, and the specific characteristics of the current crisis. If you want your crisis response team to succeed, they must follow these steps:

1 / When someone detects a pre-alert or an alert, they must inform the coordinator of the crisis response team and the appropriate managers. In the case of a cyberattack, this is usually the IT director. The IT director must then collect as much information as possible on the anomaly, then decide whether the risk is serious enough to mobilise the crisis response team. Mustering the crisis management team must be done quickly, step by step, in accordance with a predefined diagram.

2 / Ideally, the crisis response team meets at the company's headquarters in a dedicated room containing all the necessary equipment.

3 / The crisis unit is set in motion according to the pre-existing table of responsibilities, with each action being logged in a “crisis book”.

4 / Team members in charge of communication collect information on the crisis – on the cyberattack, for the sake of this example – and then exploit the prepared arguments from the reference document (see point 4 of the previous section) to adapt this data to different audiences: media, board of directors, customers, etc.

5 / The spokesperson communicates with the media, alone if possible, to avoid contradictory messages which would only worry the target audience. Transparency guarantees the success of crisis communication.

After the storm, the report that the crisis response team prepares on how it managed the crisis – also called a “crisis book” – can serve as a resource for improving the company’s operation in the event of future crises.

Internal communications priority crisis

Frequently asked questions about crisis response team

The crisis response team, or crisis unit, anticipates the risks that threaten an organisation. The team manages a crisis when it occurs, centralises information, and draws lessons from what happened.

Assembling a crisis response team has to be done upstream of the actual outbreak of a crisis. It brings together all the representatives of the departments that support the operation of the company.

Things can be fast-moving in a crisis situation, so decision-making needs to be meticulous and effective. If roles and responsibilities within the team are not clearly distributed to a dedicated task force, employees will take actions that risk overlapping or contradicting one another. The whole organisation may then be compromised: the crisis will only deepen, with everyone pointing the finger at each other. It then becomes hard to draw lessons from the whole experience. Put simply, having a crisis management team helps prevent that.