Preparing for the worst: The Crucial Role of Incident Response Plans and Tabletop Exercises

Written by Paul Sibley, Manager, Cybersecurity, CANARIE

In this digital era, cyber incidents have become increasingly common – one only needs to check the day’s top news headlines to read about the latest attack. And while investments in technology and enhanced cybersecurity controls certainly help in the detection and prevention of threats, the digital landscape is constantly evolving, along with the motives of those who exploit it. It’s become clear that technology investments alone are not enough to allow the cybersecurity professional to rest well in the face of an inevitable crisis. It’s no longer a matter of if, but rather when.

What can we do in moments of crisis?

It goes without saying that in moments of crisis, stress levels are naturally high, and judgement can be impaired. School-aged children participate in regular drills and simulations at school that train for crisis so that, in the event of an emergency, they respond in a calm and orderly fashion. The same is true for cybersecurity incidents. Awareness and preparation are necessary to effectively respond to an incident and to minimize its impact.

The big question: Should this be applied to crisis management in the digital realm?

The big answer: Yes! Those who are prepared are better at reacting and making rational decisions.

How can we be better prepared?

A method to develop and test effective response plans is to conduct regular tabletop exercises with the goal of identifying and remediating gaps before they become obstacles in a real-life crisis. 

The goal is to empower and equip the organization to be able to deal with a crisis and decrease the initial stress and shock associated with it – both of which can cost an organization valuable time (and money!) in what is often a very volatile and time-sensitive situation.

What is a tabletop exercise?

A tabletop exercise is an activity where a group of employees is asked to assess a crisis scenario and form a plan to respond. Simply put, it’s a drill to help your organization be better prepared in the face of a cybersecurity crisis.

How do we conduct a tabletop exercise?

Tabletop exercises can take many forms. Here’s an example of what you could do in your organization:

  1. Assemble a crisis management team.
    • Who is participating in this exercise?
  2. Present a scenario to the team.
  3. The team prepares and presents a plan.
    • How should we respond? What is the remedy/solution?
  4. Reflect as a group.
    • What went well? What could be improved?

What are some examples of scenarios?

  1. Organization X’s entire datacenter is being held hostage by a ransomware gang that is demanding a payment of 10 million dollars.
  2. Organization Y is the target of a DDoS attack, and all digital services are offline, effectively halting scheduling, billing, and other digital transmissions such as diagnostic imaging.
  3. Organization Z’s datacenter has been breached, and massive amounts of personal data have been exfiltrated and are actively being sold on the dark web.

It takes a village

Most cybersecurity awareness training best practices emphasize that everyone has a role to play in strengthening an organization’s cybersecurity posture. After engaging in a tabletop exercise, it might be surprising to learn that there are many crisis management scenarios that require actions from multiple departments over and above an organization’s cybersecurity and IT teams. In some situations, marketing, finance, and legal departments will play a significant role. This holistic approach to thinking about crisis situations enables organizations to engage and manage them in a calm, efficient, and effective fashion.

The worst plan is no plan at all

Due to the ever-evolving threat landscape, organizations can find themselves caught in situations that have significant ramifications for business continuity and overall reputation. It is never too late to create an incident response plan to help combat a crisis – it is one of the most essential defenses in your cybersecurity arsenal!