Key takeaways
- In the event of an incident, follow these five steps: contain the incident, make internal decisions, assess the reporting obligation, communicate transparently and carry out a post-incident review.
- Involve senior management or the business owner from the very beginning. A cyber incident is not an IT problem; it is a management issue.
- Even if NIS2 does not apply directly to your SME, you may still be subject to reporting obligations as part of a supply chain.
- You must also evaluate the situation after the incident. Only then can you draw lessons from the incident and strengthen your organisation.
- An incident response plan should be established before the incident occurs, not afterwards.
Why a structured approach is important
A cyberattack is, by definition, stressful. The pressure is high, everyone wants to know what is happening, and you need to communicate without causing panic. Without a prepared response plan, you end up with a recipe for disaster.
A response plan provides structure and guidance, ensuring that no steps are skipped, even under pressure. You know who needs to be involved or informed, when, in what order and for what purpose. This not only limits the technical damage, but also protects your reputation and the trust of your clients and partners.
Five steps for SMEs to take in the event of a cyber incident
Imagine: it’s a regular Tuesday morning. An employee in your accounting department opens an email from a trusted supplier – or so it seems. He clicks on an attachment. A few minutes later, his computer is running slowly. A colleague notices that she suddenly can’t open any files. The folder is still there, but the contents have become unreadable.
What just happened? A ransomware attack. With that single click, someone has managed to encrypt all your files. The attacker is demanding payment to release them.
This is not a far-fetched scenario. It happens to SMEs of all sizes and in all sectors. The question is not whether something like this could happen to you, but whether you know what to do when it does.
1. Manage the incident
The top priority is always the same: prevent the damage from getting worse. This means you must act quickly, but also with care.
Disconnect affected systems from the network as soon as possible and also switch off Wi-Fi on devices that may be infected. Block any suspicious accounts as well. Every minute an attacker has access increases the risk.
Do this in a way that disrupts business operations as little as possible. Not every system needs to be taken offline immediately. The focus is on isolating the incident, not on shutting everything down.
Also, ensure that you do not delete or overwrite anything. Traces are valuable, both for the subsequent investigation and for any required notification to the regulator.
2. Internal decision-making & escalation
A cyber incident is not purely an IT problem. It strikes at the core of your business: your processes, your customer data and your reputation. That is why senior management or the business owner must be involved from the outset. It is important to foster a culture where this is possible. Fear of involving management only increases risk.
Furthermore, decisions must be made quickly. Does the incident affect critical processes? Has personal data or other valuable data been leaked? Should an external advisor, a forensic expert or an insurer be brought in?
Under NIS2, responsibility for cybersecurity lies explicitly with the management. But even without that obligation, the principle remains: whoever makes the decisions must be informed. The sooner the right people are gathered around the table, the sooner well-considered action can be taken.
3. Assess the reporting obligation
Not every incident needs to be reported, but it is important to know when it is required.
Organisations directly covered by NIS2 are obliged to report serious incidents to the competent supervisory authority. In Belgium, this is the CCB (Centre for Cybersecurity Belgium). Strict deadlines apply; an initial report must often be made within 24 hours.
So, when is an incident considered serious? Simply put: any incident at a company covered by NIS2 that:
- causes a disruption to services, OR
- causes financial loss, OR
- affects other natural or legal persons through significant material or immaterial damage.
However, even if NIS2 does not directly apply to your SME, you may still have reporting obligations. If you provide services to an organisation that does fall under NIS2, you may be considered part of their supply chain and therefore share responsibility.
Moreover, even if there is no legal obligation, it may still be wise to make a notification. The CCB can provide support, and transparency also protects your long-term reputation with customers and partners. Failing to notify when it is expected can permanently damage trust.
4. Communicate transparently
In addition to the formal reporting obligation, there is another form of communication that is often underestimated: communicating with your own staff, customers, partners and, where appropriate, the media.
Anyone who may be affected has the right to know. Communicating quickly and clearly prevents the rumour mill from turning and stops a story from taking on a life of its own via social media. It shows that you have the situation under control.
This communication must be carefully drafted. It should be factual, without revealing unnecessary details, but also without downplaying the problem. Striking that balance is certainly not always straightforward. Here too, the responsibility lies not with IT, but with management.
5. Evaluate and Improve
Once the incident is under control, the process does not stop. On the contrary, NIS2 expects organisations to learn from incidents. Beyond this requirement, a thorough evaluation is a sensible choice: What went wrong? Which safeguards were missing? How was the attacker able to gain access?
Analyse your approach step by step and determine where it worked and where it fell short. Use those insights to strengthen your security and adjust your plan. An incident is never pleasant, but those who learn the right lessons from it will come out stronger.
What makes SMEs particularly vulnerable?
The five steps outlined above may sound logical, but in practice they are often more difficult for SMEs to implement than for large organisations, even though the latter have far larger structures to coordinate.
The reason is simple: SMEs simply have fewer staff, fewer resources and rarely a dedicated security officer. Day-to-day operations move quickly. Decisions are made fast, responsibilities are not always clearly defined and there is no formal incident response plan.
In addition, SMEs are increasingly part of the supply chain of larger organisations. Under NIS2, these large organisations are obliged to screen their suppliers and hold them accountable for their security. As an SME, you may therefore be subject to a reporting obligation or be held to account for your security policy, even if NIS2 does not apply directly to you.
Prevention is better than reaction
You cannot always prevent a cyber incident, but you can prepare for it.
Knowing what needs to be done, who makes the decisions and how communication takes place can significantly limit the damage. This does not start during an incident, but long before it happens. Document this in advance so that you have a plan or a playbook when the pressure is high.
At Cingulum, we help SMEs make this preparation concrete: from an initial assessment of your current security posture to a clear action plan and guidance in its implementation. That way, you do not have to improvise when it really matters.
Would you like to know where you stand today? Get in touch for a no-obligation chat.
FAQ
As an SME, am I obliged to report a cyber incident?
Yes, as an SME in Belgium, you are legally obliged to report a cyber incident in various situations. First, there is the GDPR, which applies (regardless of the size of your SME) and which requires the reporting of any data breach where personal data (of customers, staff or third parties) has been leaked, lost or accessed by unauthorised persons, and where there is a risk to the rights and freedoms of the data subjects.
More recently, NIS2 also requires any significant cyber incident to be reported if your SME falls within the scope of NIS2 or if, as part of a supply chain, your customers require you to report cyber incidents.
What is the difference between a cyber-attack and a cyber incident?
A cyber-attack is a deliberate attempt to breach a system; a cyber incident is the event itself (whether deliberate or accidental) in which information security was compromised or breached.
What is the first thing I should do in the event of a cyber incident?
Contain the incident to prevent further damage, but without destroying any evidence in the process.
Should I engage an external company in the event of a cyber incident?
Engaging an external company is not mandatory but is often advisable. Although your own IT team or system administrator can certainly take initial measures, external companies possess specialised knowledge and the necessary expertise to map out the entire attack, collect forensic evidence, and more.