When a company is hit by a cyber attack, normal business gives way to the chaos of managing the investigation, operational disruptions, legal issues, and communications with customers, employees, vendors, regulators, and more. A tabletop exercise (“tabletop”) allows a team to practice responding to a cybersecurity incident without the pressures and uncertainty that are inevitable in an actual crisis. Many companies have been conducting tabletops for years, but crafting an exercise that is worth the time of a company’s leaders takes considerable planning and applying insights gained from the trenches of actual incidents. This blog post outlines our top goals when preparing a tabletop and common lessons we see companies take away from the exercise.
Tabletop Goals in a Constantly Evolving Landscape
Tabletops can allow companies to enhance their incident response plans (“IRPs”), identify structural or cultural considerations that may come into play in an incident, and build institutional muscle memory to make the response smoother in a real incident. To ensure clients get concrete value from the exercise, we keep the following goals in mind when preparing tabletops:
- Test the Composition of the IR Team. Effective response requires a cross-functional team collaborating closely to manage technical, legal, operational, communications, and other work streams. To streamline response, some companies leave out certain functions, only to hold additional meetings with those functions, further tying up key resources. A tabletop should aim to test the cross-functional and collaborative nature of the incident response team.
- Align Expectations of Roles and Authority. Tabletops should push participants to make difficult decisions with incomplete information and understand the IR team’s responsibilities across functions. Identifying who has the decision-making authority and what approvals are needed can avoid decision paralysis and chokepoints that delay key actions. For example, who must review an external communication before it goes out? And who is the single leader of the cross-functional response team?
- Refine Escalation Processes. Knowing when to share information about potentially significant incidents with relevant stakeholders is critical to incident response. Tabletops should test this process, for example, by considering the point at which technical and non-technical functions would begin collaborating and by testing the practical means of communication. When is the C-Suite involved? The Board? How? Is there an out-of-band tool to be used when email systems are potentially compromised? Telephone is fine, but sometimes actual technical data needs to be shared, and a phone call is not practical for that.
- Test Difficult Decisions. Many companies have thought out answers to difficult questions. For example: Who has the authority to shut down the network? Who can pull the plug on a connection to a critical vendor? Will the company pay a ransom? In practice, these are often decisions that get revisited during an incident, making the tabletop an ideal time to consider the issue. Does the CIO really have the authority to shut down online banking? Do we make a disclosure about the incident?
- Align on Vendor Engagement. Tabletops should help a company identify gaps in the resources it has available. When systems are infected or rumors of a breach are circulating, you want to know that you can call your cyber counsel, forensic experts, crisis communications firm, and other external support. Identifying third-party resources and negotiating agreements during a crisis will delay a company’s ability to respond effectively and can lead to overlooking important issues like how to maintain privilege. Sometimes we see communications teams engage their traditional public relations firm. A tabletop is a good place to ask if such a firm does cyber crisis response.
- Enhance Awareness of Threat Trends. Tabletops are a great way to alert executive teams to new schemes and threats, as they will see these schemes unfold before their eyes. We aim to include the latest schemes, most recently, executive harassment. A good tabletop can prepare executives for this uncomfortable experience and help companies determine whether they need to adjust their IRPs or supporting playbooks to address these new issues.
Identifying Opportunities for Enhancement
While companies have different vulnerabilities, organizational structures, processes, and regulatory obligations, we have found the following common lessons and takeaways from tabletops for enhancing a company’s incident response program:
- Enhance Communications Planning. The communications workstreams are often the most difficult to manage and represent a critical area of risk. Speculative, uncoordinated communications and investigative reports increase litigation and investigation risks. Consider a crisis communications strategy for large-scale incidents in advance to avoid communications paralysis and/or inability to execute on emergency messaging to various stakeholders. Make sure your crisis communications firm actually has cyber incident experience. Many say they have it, fewer actually do.
- Get Comfortable with Unknowns. It often takes time to get answers from a forensic investigation—many important decisions must be made on incomplete facts. IR teams can establish a cadence for team meetings on incident updates to discuss facts as they develop.
- Never Say Never on Ransom. Although the goal is to never need to pay a ransom, we recommend against a policy formally banning all cyber ransom payments. Instead, companies should take steps to position themselves to avoid having to make a ransom payment but take a position as to when they might consider such a payment. Consider in advance what internal and external approvals are needed for payment.
- Create a Notification Analysis Framework. The regulatory landscape continues to become more complex, and cyber incident notification timelines are trending shorter. Identify applicable notification requirements in advance and create frameworks that ensure incidents that may trigger notification are identified and escalated, and that set out how the notification analysis would be diligenced.
- Have Out-Of-Band Communications Systems Ready. Create and test out-of-band communications platforms, particularly for executives and the incident response team, in the event that primary communications systems are down or compromised. This is more than a push notification system to jump on a telephone call. Consider a backup e-mail system as well.
***
The cover art used in this blog post was generated by DALL-E.