Crisis management

Andrea Dainese
February 10, 2021

Note: This article was originally written a few months ago but never published. I’ve now revisited it, adding some updated reflections.

This period has taught us many lessons at different levels. Today I want to focus on one in particular: the importance of having a plan for emergencies.

According to an investigative report by Report (“Virus and State Secrets”), one of the main weaknesses that severely impacted the ability to respond was the absence of an emergency plan that was:

  • shared with all the people involved;
  • clear and complete, down to the details;
  • comprehensive, covering a wide range of scenarios.

In recent weeks, an additional factor has emerged: the reliability of the supply chain during global crises.

Shared

When an emergency occurs, people need to know that a plan exists and that it specifies exactly what actions to take.

In Incident Response engagements, I’ve often found emergency plans tucked away in drawers—never communicated, let alone practiced.

But awareness alone is not enough: people must internalize the plan so they can act as a team, not as individuals driven by panic or anxiety. One of the most important and fascinating aspects of my job is training staff through simulated scenarios with increasing levels of stress.

Borrowing the concept of Kata from martial arts—later adopted by Toyota in organizational management—we know that only by repeatedly practicing behaviors can we truly internalize them and apply them effectively when it really matters.

Clarity and Completeness

An emergency plan must be clear and complete. In high-stress situations, people can’t be expected to think calmly and rationally. They must follow a predefined plan that includes every necessary detail.

Examples of seemingly obvious yet essential information include:

  • roles and responsibilities of team members;
  • internal and external communication procedures;
  • how to file a report with law enforcement;
  • how to assess a Data Breach and, if needed, notify the Data Protection Authority of it.

While some of these steps may appear “obvious” and easy to look up online, under stress people forget, misjudge, or waste time. In fact, during real crises it’s common to see confusion and disorganization—even forgetting basics like the network topology, device locations, or how to access them.

This is not about “experience.” It’s about the ability to work under stress.

Here again, training is key: if the plan clearly defines roles and procedures, and people are trained accordingly, the team is much more likely to perform effectively.

Realistic training also serves to test how individuals react under pressure. The goal is not that everyone stays calm, but that leadership at all levels—board, line managers, team leaders—can guide and reassure the team in a moment of crisis.

As highlighted in Report, chains of command must function, because people need structured points of reference.

Comprehensive Scenarios

While it’s impossible to anticipate every possible crisis, a good risk assessment helps identify the most critical scenarios. That assessment is the foundation for building targeted emergency plans.

Today, most cyber threats revolve around ransomware: attackers exfiltrate sensitive data and then attempt to render infrastructure unusable.

Clearly, an attack on a telecom network is very different from an attack on an ICS/OT system, a database, or a file-sharing platform hosting next season’s product catalog. Just as the attacks differ, so must the response plans. Reacting to an attempt to poison a water treatment plant requires entirely different actions than handling the outage of a call center’s phone system.

Equipment Availability

Preparedness also depends on the scenarios considered in the crisis plan. If scenarios are missing or unrealistic, you’ll end up improvising under pressure.

As COVID-19 showed, effective operations require tested and ready-to-use equipment. In a health emergency, that might mean stockpiled medical gear and medicines. In a cyber crisis, it means having “clean” workstations available—functional, charged, with all necessary accessories (network cables, serial adapters, Wi-Fi/4G connectivity, etc.).

Without planning, the result is what we saw: governments rushing to procure medical equipment mid-crisis, and companies scrambling to buy laptops to hastily enable remote work.

Supply Chain Reliability

One lesson that wasn’t highlighted in Report, but has since become clear, is the fragility of the supply chain during global crises.

The slow and uneven distribution of vaccines revealed how suppliers may struggle to meet expectations—or, in some cases, prioritize certain entities over others.

When selecting suppliers, organizations must now consider not only technical and contractual factors but also geopolitical ones: in times of crisis, political decisions may override contractual obligations, prioritizing some regions or countries over others based on commercial, economic, or strategic interests.

Conclusions

Observation is essential for understanding the world around us—but to be useful, it must be detached and objective. This allows us to see the many parallels between the physical and digital worlds.

As COVID-19 has shown, real-world crises can teach us valuable lessons for cyber crisis management, making companies more resilient to inevitable future challenges.

The ultimate goal is not just to make organizations safer, but also more competitive. Reliability is now a differentiator in the marketplace, and in these times, it can make all the difference.

Successfully surviving a cyber attack is one of the best credentials an organization can show—arguably stronger than simply claiming never to have faced one.