Crisis Management Cybersecurity Response Series

Playbook: Threats against Ransomware Attack

What happens if your organisation or employees threaten your organisation's property and assets?
Moh Heng Goh
Crisis Management Certified Planner-Specialist-Expert

Action Steps for Threats against Cyber Attack

Description of Crisis

A cybersecurity event is a cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).

Scenario: A ransomware attack, locking business-critical data and disrupting services essential to PSP’s operations

Action Steps


Before the crisis hits, the organization ("ABC Company") should make sure to:

  • Explain to the crisis management members the threat (ransomware, phishing, etc.) and how it works.
  • Establish a cybersecurity event response guideline.
  • Maintain up-to-date critical contact information (service providers, additional resources, third parties intervening during a cybersecurity crisis, etc.).
  • Identify alternative methods of communication in case virtual meetings are not possible, and for reaching business units if emails are unavailable (conference bridge, physical command centre, etc.).

The crisis management team should consider the following while managing the crisis:

  • Rely on the cyber event response team to obtain updates on the situation (technical response);
  • Gather information on the cyber security incident;
  • Follow cyber response guidance described in the Cyber Event Response handbook;
  • Assess the impact on operations (current and imminent):
    • Identify which critical systems and data are affected;
    • Identify what critical operations are or will be interrupted;
    • Communicate with affected business units
    • Determine if BCPs and manual workarounds should be activated
  • Assess the impact on employees (if HR data is impacted):
    • Identify what types of HR data have been affected
    • Identify which employees have been affected
    • Provide support and, if needed, offer credit bureau services to affected employees
    • Communicate with affected employees and explain the "ABC Company" action plan.
  • Assess the impact on suppliers and partners (if suppliers and partners are affected):
    • Identify what types of data have been affected
    • Identify which suppliers/partners have been affected
    • Communicate with affected suppliers/partners and explain the "ABC Company" action plan.
  • Assess legal and regulatory impacts;
  • Identify objectives for success (e.g., recovering operations, data, etc.)
  • Communicate with relevant authorities
  • If needed, communicate with a third party to help manage the situation
  • If applicable, liaise with a cyber insurance supplier;

Once the objectives for success have been met and the crisis has been resolved:

  • Identify gaps and action plans to improve IT security and awareness
  • In a post-event report, identify what went well and what went wrong in the crisis management response and establish action plans.
  • Communicate the post-event report to relevant stakeholders.




Reference Guide

Goh, M. H. (2016). A Manager’s Guide to Implement Your Crisis Management Plan. Business Continuity Management Specialist Series (1st ed., p. 192). Singapore: GMH Pte Ltd.

Extracted from Appendix 6D: Threats against Property

Note: This version is the draft 2nd Edition being updated in 2021. The numerals in square brackets, [C##] and [AX-#], cross-reference the actual chapters and appendices in the 2016 Edition.
