Strengthen Your Organization’s Cybersecurity Incident Response Plan with Tabletop Exercises

Ankura

One thing all companies doing business in the e-commerce world today have in common is the need to secure and protect their infrastructure and sensitive data. Both state and federal regulations require this, and the penalties for a company found in violation are harsh. So, how does a company know whether it is doing the right things to protect its infrastructure from the numerous threats that continue to arise as part of the e-commerce community?

As an organization that maintains a Digital Forensics and Incident Response (DFIR) and Threat Hunting (TH) team, we frequently witness instances where companies make the security of their network their last priority. Common explanations usually center around the lack of an available budget or cases where network security is outsourced to a managed service provider (MSP).

Unfortunately, numerous companies have discovered the hard way that failing to prioritize proper security measures and plans results in paying costly ransoms, defending lawsuits, or paying for a year of monitoring of customers' personal information. In an article published by Inc., the National Cyber Security Alliance confirmed that at least “60% of small and mid-sized businesses that are hacked go out of business within six months” [1].

Incident Response Procedures: How Do You Know if Your Organization is Prepared?

There are measures that companies can take, such as investing in the right people, preparing an incident response plan (IRP) [2], performing independent reviews, and conducting internal audits. A company can have the best IRP procedures for each event that may occur, contact lists, and so on, but without testing both the personnel and the plans, the question remains: “how does a company know it is doing the right things to be prepared?” Once the IRP has been updated and the internal and external audits have been conducted, many companies ask what's next. As is often said in the military, the best-drawn plans are only as good as the people expected to implement them. Below are key preparedness questions to ask.

Key Questions Your Team Should Be Able to Answer During a Cyber Crisis

Key questions that should be asked include:

  • Does each team member know what they are supposed to do during a cybersecurity incident?
  • What elements define a cyber incident and trigger the initial call?
  • Who gets notified, and by whom?
  • Who are the critical responders, and what are their functions?
  • Who is responsible for the collection of logs and volatile data?
  • Who is responsible for providing updates to the shareholders, and who establishes the line of defense that prevents the threat actor (TA) from accessing sensitive data?
  • Under what circumstances are third-party vendors notified?

These are all valuable questions that a company does not want to be asking during an actual cyber incident.

What is a Tabletop Exercise?

One of the most effective ways to determine the answers to these questions is to test the team with a scenario that focuses on security-related issues, so that each member of the team is aware of their key role in a cyber incident. This exercise includes not only the IT staff but management as well. It is known as a “Tabletop exercise”.

A Tabletop exercise provides the company or organization with the ability to test control measures that were designed as part of the IRP. The National Institute of Standards and Technology (NIST) defines a Tabletop exercise as:

“A discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responsibilities during a particular emergency situation” [3]. 

Tabletop exercises are carried out on a periodic schedule set by company management and the designated incident response commander. Each exercise is a mock scenario that gives internal team members a basic means of testing controls and recovery processes.

In addition, Tabletop exercises can vary in size and/or in the scope of the processes and procedures they cover. They can also vary in duration: a 30-minute scheduled event built around a PowerPoint presentation that outlines the scenario and invites interaction from team members, or a more sophisticated mock exercise that spans multiple hours and involves the various teams named in the IRP. Once the exercise is completed, each member’s position and responsibilities should be clear and understood. Whatever the scenario, it should always leave time for an after-action review (AAR) in which team members and management are given the opportunity to provide feedback.

Why are Tabletop Exercises Important?

When tabletop exercises are properly executed, all the key players involved will be able to answer the original questions: “how do I know I’m doing the right thing?” and “does each team member know what they are supposed to do during a cybersecurity incident?”

Additional benefits of tabletop exercises include: 

  • Engages team members who might not otherwise be included in all aspects of an incident but who can be called upon in the absence of another member.
  • Serves as a safe process in which to test the IRP and other disaster plans.
  • Allows members and shareholders to strengthen communications protocols and test the effectiveness of the plan.
  • Most of all, it can provide reassurance to team members, managers, and shareholders of the company's preparedness in the event of a cyber incident.

Final Thoughts

Tabletop exercises can be invaluable for strengthening your IT security posture and for teaching your organization and its essential team members about the effectiveness of your incident response capabilities and preparedness.

Consider implementing regular tabletop exercises in your environment to advance your team’s ability to succeed if a real-life cybersecurity incident occurs.

[1] https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html

[2] https://csrc.nist.gov/glossary/term/incident_response_plan

[3] https://csrc.nist.gov/glossary/term/tabletop_exercise

Michael Sullivent contributed to this article. 

Written by:

Ankura