How can an organization know if they are prepared to handle the many facets of a cybersecurity incident? We check the news all the time and see headlines of the latest data breach, or ransomware outbreak, but what if that happened to you? Would your team be able to identify and classify a security incident? Would you even be able to detect that something abnormal is occurring in the environment? How would you know the full scope and severity of the incident, and how would you notify customers and recover? The answers to these questions are addressed in a written Incident Response Plan (IRP).
Even with the best written and detailed plan, you may not have enough confidence that, were an actual event to occur, the stakeholders included in the IRP would be able to carry out their roles and responsibilities. Simply put, you won’t know how effective your IRP is until you test it. One method for testing your plan is a tabletop exercise. A tabletop test is a meeting to discuss a simulated cyber-incident, discussing concrete plans to manage the fine details of the occurrence and aftermath of a cyber incident or breach. The following steps will help guide you through a successful tabletop exercise to uncover the strengths and weaknesses in your incident response plan.
Setting Goals
What do you want to achieve in this test? You may be evaluating the flow of your plan, the ability of our staff and vendors to respond and notify, or the readiness of your information security program.
Participants
At a minimum, those listed with defined roles and responsibilities in the IRP should be included and present at the test. A facilitator of the test should also be invited. A key or critical vendor who provides services for your organization might be involved in your incident response program. They should also be in attendance. Also consider a member or two of the executive management team for observational and awareness purposes.
Create a Welcoming Environment
Ground rules are necessary to create a good testing environment. There should be no fault and no blame. An environment should be created where participants are encouraged to share their opinion on what to do during a portion of the scenario.
Pick Your Scenario
There are many different ways a cyber incident could occur in your environment that would make for a feasible testing scenario. An employee falls for a phishing email, which spreads malware. A laptop is stolen from an employee’s car containing sensitive data. Private information is leaked due to an insider threat. Or perhaps a data breach occurs at a key vendor, which impacts your organization and or customers. A cyberattack might initially be isolated to one department, but then spread to the entire network, causing massive data loss. It could then become a ransomware event when hackers call demanding cash or crypto currency.
Document Lessons Learned
Once the exercise has been completed, the group will take time together to discuss what went well and where improvements can be made. Those who took notes or facilitated the exercise can express their opinions and share their thoughts. This is a critical part of the overall exercise as the noted areas for improvement will be used to update the incident response plan.
An organization should anticipate an actual cyber incident attack at any time. Many organizations only discover the flaws in their incident response plans when they are trying to deal with an incident.
Incident response testing can expose gaps in even the most seemingly robust of cyber incident response plans and provides valuable insight into whether the incident response plan actually delivers its stated goals and objectives. Even organizations with incident response plans in place are finding that the time to resolve incidents is increasing. This is largely due to organizations not testing their incident response plans, then finding that they can’t adequately address all the aspects of a genuine security incident.
At FoxPointe Solutions, our team of experts can review your existing plans, assist you in drafting a new one, and facilitate a tabletop test for you. Contact us today!