Higher education and healthcare institutions are battling ransomware attacks daily, and multiple high-profile attacks have hit higher education in the last six months. One of the key findings of the IBM/Ponemon Institute 2021 Cost of a Data Breach Report is that organizations with an incident response team that also tests its incident response plan see average breach and recovery costs more than 50% lower than organizations with neither. If you don’t have an incident response plan, now’s the time to create one. And if you have one, now is most definitely the time to test it proactively so you know your organization is ready.
Security incident tabletop exercise (TTX) workshops are a common method to test an organization’s incident response (IR) plan and help teams develop response strategies, update IR plans, and bolster cyber resilience. A facilitated TTX workshop simulates a real-world security incident, providing technical and non-technical teams with an opportunity to work together to make incident response and recovery decisions. These exercises allow participants to evaluate their existing incident response, business continuity, and disaster response policies, procedures, and plans in a hypothetical situation.
8 Steps to Organize and Host Your Own Tabletop Exercise
Select a topic. Identify a top organizational risk that can be used to create a realistic scenario (e.g., ransomware through a phishing attempt, a natural disaster like flooding or a forest fire, etc.).
Develop the script, scenarios, and supporting materials. Tailor scenarios to the organization and its stakeholders. For example, technical staff can review tactical strategies; executive-level leadership can discuss high-level incident response strategies and communication channels.
Schedule the tabletop exercise workshop(s). Host the workshops virtually or in person. The length of the workshop will depend on the stakeholders involved – e.g., 2-4 hours for a virtual TTX and up to a full day for an on-site TTX.
Host the TTX. Remember, a TTX is intended to test an existing IR plan and its procedures; it is never a test of an organization’s personnel. Reminding your workshop participants of this purpose at the outset is important to set expectations, and it makes people far more willing to surface the gaps you are there to find.
Create an after-action report. Document observations about key strengths, areas for improvement, action items with owners and due dates, and other recommendations to address any critical gaps in existing IR plans and policies, and share the report with all stakeholders.
Review IR plans at least annually. Continue to host tabletop exercises to test, review, and update IR policies, processes, and procedures, and revisit the plan after any real incident. IR plans should be stored in a shared, access-controlled location that the appropriate staff can reach even when primary systems are down; a plan that lives only on a file server or wiki that ransomware has encrypted is of no use during the incident it was written for.
Sharing Lessons Learned
Here are some key lessons learned that we’ve observed after hosting cybersecurity incident tabletop workshops with several different higher education institutions.
- Create a formalized IR framework and supporting documentation with clearly defined roles and responsibilities, appropriate communication channels, processes, and workflows for IT staff, IT leadership, and campus leadership, so that IT and campus executive leadership can coordinate seamlessly. It’s critical that IR actions don’t all fall on one person during an incident; team members should be available and prepared to work on different response steps in tandem, with a named backup for each key role.
- Prepare security incident playbooks for the highest threats and include these with your IR plan. The National Student Clearinghouse has shared two IR playbook templates focusing on DDoS attacks and ransomware.
- Remind end users (faculty, staff, and students) where to get information on potential phishing or ransomware messages, including how they can report potential activities to your IT team. Many institutions like Princeton and Hudson County Community College have a “Phish Bowl” website where people can check to see if a message they’ve received is a potential phishing attack, as well as find instructions to report suspicious emails.
- Create a data incident notification process and communication templates, so your institution is prepared to share consistent messaging in the event of an incident or data compromise. EDUCAUSE has a Data Incident Notification Toolkit with templates and sample materials that can be modified.
- Take the opportunity to review other security controls that can help reduce the impact of a potential ransomware attack or other incidents. For example, schedule regular backups and test your backup restore processes (keep at least one copy offline or immutable so that ransomware cannot encrypt the backups along with the data, and time a full restore so recovery estimates in the plan are realistic), develop and perform a business impact analysis (BIA) of all systems, and enable multifactor authentication (MFA) wherever possible.
A tabletop exercise ultimately helps you and your team review and revise an incident response plan cooperatively and collaboratively. Hosting workshops like this regularly will provide your organization with the ability to respond to potential future security incidents and coordinate more seamlessly with other departments across campus. A TTX workshop is also a team-building opportunity that allows IT teams to hone their own incident response processes and communication skills in an incident or crisis.
Keep Learning with Resources
- NIST SP 800-84, “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities,” provides documentation for organizations to design, develop, conduct, and evaluate events to help train and prepare personnel, exercise IT plans, and test IT systems.
- NIST SP 800-34, “Contingency Planning Guide for Federal Information Systems,” provides a sample BIA template.
- DHS provides campus resilience program exercise starter kits and customizable templates so colleges and universities can host self-conducted tabletop exercises.
- CISA offers Tabletop Exercise Packages that can be used to plan TTX workshops.
This post was authored by Strategic Consultant Valerie Vogel, who advises clients on information security program education and awareness initiatives.
If you’d like assistance conducting a security incident tabletop exercise at your organization, the Vantage Strategic Planning and Technology Management team can help. We have extensive experience designing response plans that define necessary roles and responsibilities for users, technical specialists, and executive leadership. Our consultants are experienced InfoSec leaders and practitioners who understand the issues of complex organizations. Our certifications include CISSP, HCISPP, CISM, CGEIT, CRISC, GSLC, and GSTRT. Contact us at [email protected] to learn more.