Cyberattack - what next? Information and checklist

Acting quickly can reduce the damage in the event of a cyberincident.


We recommend that you give your employees a flyer in advance with the most important information on conduct in the event of a crisis and ensure they are aware of what to do.


Immediately disconnect all systems from the network. Do not forget to switch off the WLAN.


Internal communication

  • Contact your ICT officer and all contacts in the organisation that you need to deal with the attack

  • If you are in a communal administration that is part of a communal association, all involved units should be informed about the incident, as other communes may also be affected.

Send a report to the NCSC

Irrespective of whether or not damage was done, you should report all incidents, including those discovered at the experimental stage, to the National Cybersecurity Centre (NCSC) .

Report an incident

However, reports to the NCSC cannot be used for prosecution or in court proceedings.

When reporting, please note that data protection must be respected.

Notify the prosecution authorities

Consider contacting the police and filing a report. Wait until the police have secured the evidence before restarting the systems. Specialised police staff will advise and help you, secure evidence and investigate. You can find the telephone number of your local police station at

Report incidents of a criminal nature to the police, for example:

  • unauthorised access to a data processing system,
  • theft,
  • blackmai.

To do so, dial the emergency number 112 or contact your local police station:

Cyberattack – what to do? Checklist for CISOs in the event of a cyberattack (PDF, 61 kB, 16.02.2021)Document of the Cantonal Police (NEDIK) in collaboration with NCSC and Swiss Cyber Experts.

Last modification 09.12.2021

Top of page