Most people will never have a fire in their home or office, but everyone can remember going through a fire drill at some point. The process of evacuating a building and meeting outside prepares us for the actual conditions we might face in a real fire.
Many companies go to great lengths to prepare for disasters like fires and floods, but most remain woefully unprepared to deal with ransomware—despite the fact that ransomware attacks are far more likely. One way to improve your company's ransomware incident response capability is to gather your employees and conduct some simple tabletop exercises.
What are ransomware tabletop exercises?
Tabletop exercises are informal sessions where employees meet to discuss their specific roles and the proper team response to an emergency. The meetings are typically led by a facilitator who guides participants through a simulation of a disaster scenario.
During a ransomware tabletop exercise, the facilitator walks each participant through the actions they should take if computers and servers become encrypted with ransomware. The facilitator explores unexpected additional problems that might pop up during the emergency—such as ransomware spreading to multiple servers or office locations. The goal is to make sure that participants spend time thinking through how they would handle these situations.
Facilitators also work to identify gaps in the current plan such as a lack of adequate backups, data recovery limitations, or insufficient contractual relationships with disaster recovery software vendors. The facilitator can then make recommendations for improvements to the plan.
The first step in a ransomware tabletop exercise is to find the right facilitator. Ideally, the facilitator will have experience in ransomware incident response to make the session realistic. The facilitator must be well prepared to discuss the ransomware scenario and potential problems when they step into the meeting. The best facilitators are good communicators and discussion leaders who keep the team on task.
Start the meeting by introducing each person and their role in the organization. Participants typically include employees from the information technology, security, legal, public relations and operations teams. But your team could include others depending on your company makeup. For example, a company with custom developed applications might include those from software development, or a school might include faculty members.
It's also a good idea to assign someone to attend the meeting to take notes on how the team decides to handle specific problems as well as notes on any unresolved issues that can be revisited later. Having a note-taker frees up the facilitator to interact with the participants. Each participant should come to the meeting with a copy of the current incident response plan, if available, and a notebook.
The facilitator should wrap up by reviewing what the team did well and what needs improvement. The facilitator can then use the notes send out a follow-up memo more details on the discussion, proposed revisions to plans, and responsibilities for each attendee. Be sure to plan meetings regulary until you're satisfied with the incident response plan, then revsit the plan every so often as the comapny grows and changes.