Why do successful cyberattacks still happen? The reasons are often simpler than we think and have a lot to do with failure to prepare properly. But what are the common incident response pain points, and how can they be solved?
November 2025, Text: Andreas Heer, Image: Swisscom, 7 min.
Even major cyberattacks often have surprisingly simple causes on closer inspection. Many successful attacks make use of known vulnerabilities or insecure configurations. Verizon’s 2025 Data Breach Investigations Report (DBIR) states that 20% of initial breaches were due to known vulnerabilities, and a similar share resulted from stolen credentials that were not secured with two-factor authentication (2FA). Karin Holzhauser, Threat Detection and Incident Response Expert at Swisscom, can confirm this. ‘Our experience shows that most incidents are due to weaknesses in multi-factor authentication, management of administrator rights and failure to patch critical vulnerabilities.’
If the attack vectors are known, the question arises as to why there are still so many successful cyberattacks in Switzerland and elsewhere. Why are incident response (IR) teams not better prepared to defend against such attacks? This article highlights common problems or ‘pain points’ when dealing with cyber emergencies and offers tried-and-tested solutions.
First, let’s clarify the terms:
Some companies lack an up-to-date, tried-and-tested contingency plan. ‘A cyberincident such as a ransomware attack doesn’t just affect the IT department. The effects are felt throughout a company. It’s important to prepare for this with appropriate plans and exercises – especially at management level,’ says Holzhauser.
Daniel Würsch, Product Portfolio Manager for Threat Detection and Response at Swisscom, says that unclear processes and responsibilities make it difficult to respond correctly once an incident is discovered: ‘Lack of preparation leads companies to react hastily and first try to contain the incident themselves. Valuable time is wasted through this.’
An inadequate contingency plan is also the cause of the following pain points.
Cyber incidents are stressful to deal with. Things are hectic and uncertain, and yet the first few hours decide how quickly and effectively an attack can be contained. ‘Many companies don’t know when to declare a crisis. This uncertainty often means that important resources are deployed later than optimal,’ says Holzhauser.
In this phase, IR managers have to make decisions that can massively affect business operations. ‘For example, uncertainty around who has the authority to isolate critical systems in a crisis without consulting others and thus significantly influence operational readiness can delay the response and lead to additional risks,’ says Holzhauser. ‘Valuable time is wasted when such issues are only addressed while an incident is ongoing.’
Cyber incidents can happen at any time – and are sometimes deliberately triggered outside office hours. When employees and executives are unavailable, responding quickly becomes difficult. And sometimes companies lack the expertise or simply the resources to deal with a situation by themselves. That’s when they need the support of external partners. But this, too, has to be planned. Or, as Holzhauser puts it: ‘This is not the ideal time to be trying to figure out how to reach a partner after 6 p.m.’
If companies did not already know it, the crisis situations caused by cyberincidents show them how dependent every department is on a functioning IT system and what their most important assets are. ‘We often see that companies are not aware of how seriously operations could be impacted by the failure of an application. In particular, many do not realise that isolations may prevent them from using their usual internal communication channels,’ says Holzhauser. ‘And you need a good overview of your IT landscape to target your measures in the right place,’ adds Würsch.
A cyberincident raises questions such as:
Preparation is the be-all and end-all when it comes to incident response. Well-prepared companies have a better chance of containing the damage caused by a cyberincident. This means not only having a contingency plan in place and keeping it up to date, but also practising the scenarios on a regular basis. ‘A realistic cyber crisis simulation involves the crisis team taking full responsibility for all its duties. This also ensures that management grasps the implications of a cyberincident,’ emphasises Holzhauser.
One option is tabletop exercises (TTX), in which a cyberincident is played out at the table, so to speak – with all the necessary departments involved. When it comes to the content of such exercises, Würsch recommends running through scenarios from the company’s threat models that are as realistic as possible.
Communication is crucial in an emergency. On the one hand, members of the crisis team must have a way to communicate with each other. On the other hand, communication with authorities, customers and partners determines whether a company can be trusted.
One important aspect of preparation is the choice of communication channels in the event of an emergency. But communication content can also be prepared, for example to update customers or the public or to provide information in case of reporting obligations.
Employees are often the key link in the chain. As the first line of defence, they can help to detect cyberincidents in good time. For this, they need to be aware of how to spot unusual activity and have the confidence to report it. ‘Ongoing training is an important tool for developing security awareness amongst employees,’ says Würsch.
An effective incident response often requires additional expertise and human support. This might mean having to involve hardware and software suppliers or external cybersecurity services. Companies are well advised to establish such a network – and define points of contact in the event of a crisis – before an incident occurs. Würsch emphasises that this requires a continuous effort: ‘Regular dialogue with partners and industry representatives can help companies to identify security risks at an early stage and take appropriate measures to strengthen their resilience.’
Ensuring management understands the need for cybersecurity measures is essentially a translation exercise. ‘If you can demonstrate the potential seriousness of a cyberincident using the example of the impact on profit or revenue, then that can really get across the benefits of good cybersecurity,’ adds Holzhauser. ‘Recent incidents in the automotive industry and among major retailers show that attacks can threaten a company’s very foundation.’