A ransomware attack is a destructive and costly cybersecurity incident. Your company can improve its preparedness and response by conducting tabletop exercises, which test whether your organization is prepared to respond to a ransomware incident and mitigate its impact.

Tabletop exercises are unique because they simulate real-life situations and allow stakeholders to problem-solve and adjust their response strategy in a safe environment. While possible to conduct the exercise solely with an internal team, it is likely more productive to have an experienced and preferably independent facilitator to help keep the exercise focused and on track. The facilitator will ensure everyone participates, moderate discussions, and provide situation or scenario updates and ask any necessary follow-up questions.

Taking this hands-on approach to ransomware will identify the technical activities and security protocols required to respond to the threat and the impact these actions may have on enterprise operations.  

What are the key elements?

Below, check out our tips for how to execute a successful ransomware tabletop exercise.

Educational and prep

Everyone involved should understand the context in which an organization would encounter a ransomware incident, as well as their roles, key terminology and the purpose of the tabletop exercise.

Prior to the exercise, incident response plans or related procedure documents should be distributed to participants. The more familiar participants are with the response plan, the better prepared, more comfortable and responsive they will be during the exercise.

Collaborative environment

An important — and often overlooked — aspect of a tabletop exercise is creating a no-fault, stress-free learning environment where everyone feels comfortable contributing, and varying viewpoints and feedback are expected. You should also come in with a shared understanding that capabilities, systems and processes will be evaluated with the goal of improving the organization’s cybersecurity posture. Creating a collaborative and open yet professional atmosphere is essential. The independent facilitator should help to establish the ground rules and create the right tone for the exercise.

The scenario

After establishing guidelines for the exercise, the scenario presented should be realistic and plausible for your organization and its unique structure or business. It is also important to provide the exercise scenario to all participants at the same time. Also, it is acceptable, encouraged and expected for additional events or challenges to occur as the team walks through the scenario.

Facilitated discussion

Tabletop exercises should involve an information security expert, commonly an external consultant and facilitator. This individual will encourage participants to respond to the attack scenario as if it were real-life. They will interject points, provide examples of steps in each response phase, and ask leading questions to guide conversations through the vital aspects of ransomware readiness. For example, whether the organization would pay the ransom, and if so, how they would pay and if digital currency had been purchased or was readily accessible.

Post-tabletop analysis

It is important to reflect on what happened in the tabletop exercise, prepare an after-action report or summary memo, and possibly survey or obtain participants' feedback. If an external party or facilitator is used for the exercise, this person will take detailed notes and provide a report subsequent to the exercise. The findings should be incorporated into business continuity, disaster recovery and incident response plans, as appropriate, for future preparation, and all other action items should be analyzed and discussed by the team to determine corrective actions or next steps.  

Conducting the tabletop activity

Before scheduling and performing the exercise, organizations must identify key participants and ensure representatives from core business and operations teams are involved. This likely consists of senior leadership and/or management from legal, IT, communications, HR, facilities, and other departments. Having executive leadership, such as the CEO, participate is encouraged and demonstrates the organization’s commitment to cybersecurity and overall “tone at the top.”  

It is also vital to be flexible and understanding of the current work environment. For instance, allowing for a virtual option when conducting the tabletop exercise for those working remotely, especially if a significant part of the workforce works from home.

By setting expectations from the onset that the exercise is meant to be an opportunity for the organization to work together to learn and improve, the participation, results, and overall effectiveness of the exercise will be improved. During the exercise, it is OK to be “wrong,” and participants should talk openly about your worst-case scenarios. You cannot fix situations if you are not honest about what you do not have in place. For instance, does your organization have:

●       A list of key stakeholders and external parties with contact information?

●       Email templates for communications (internal & external parties)?

●       Mechanisms or tools for communicating when the network and email are down (i.e., out-of-band communication)?

●       Cybersecurity insurance coverage? 

Understanding existing gaps and potential weaknesses is critical for improvement and can only strengthen your overall cybersecurity incident response plan.

And finally — be prepared to do multiple exercises annually because not every scenario or exercise will impact every part of the organization. You must consistently test plans and ensure employees know how to execute them. Best practices say quarterly, but at least every six months, to build cyber resilience within your organization.

The last thing you want is to be unprepared for a ransomware attack. The tips provided will help you successfully execute a tabletop exercise and increase your organization’s current state of maturity and preparedness before an incident happens.