Articles & E-Books


Concerned About Disasters or Ransomware? Practice!

Mar 09, 2018

We're not saying you should deliberately install ransomware on your company's network or set a fire in your company's data center—you might not have a job for long if you do that! But the more familiar with and prepared your employees are about how to respond to an event, the lower the impact that event will have on your business operations and technology.

Step 1: Create a Plan

To respond effectively, the first step is to have a plan. Depending on the type and size of your organization, plans include crisis response, disaster recovery, business continuity, and incident response.

No plan can cover every possible combination of events, but thinking through and documenting priorities, teams, resources, and action items for typical scenarios in advance will provide responders with a playbook and supporting information they can use in a time of crisis.

Step 2: Practice

Now that you have created a plan, you can put it on the shelf and wait for a disaster or incident, right?

Wrong! As your parents told you when you were avoiding your piano lessons, practice makes perfect. This applies to preparing for a crisis, disaster recovery, business continuity, and incident response events as well.

So how can you practice? If you are unfortunate enough, you could practice by responding to an actual event. This is suboptimal, to say the least. Ideally, you would be prepared prior to an event. Your technology team may be able to test your systems by recovering data from backup tapes or by restoring processing at an alternate data center, but how does your company test your business response to an event?

Many organizations prepare for events by using simulated exercises such as a tabletop exercise. A tabletop exercise involves practicing the response to an event by simulating an actual scenario. This could include simulating an act of nature (e.g., a hurricane, fire, or tornado that impacts a company’s business operations and technology) or the malicious activity of an attacker (e.g., a ransomware attack that infects a company's computers and network, leaving the business with no access to the data and technology it uses for critical business processes). Also, a cyber incident could result in a company being required to exercise its disaster recovery plans in addition to its cyber incident response plans, so performing a tabletop exercise helps organizations prepare for a more comprehensive response.

During a tabletop exercise, a facilitator guides a cross-functional group of participants through a simulated scenario. At each step of the process, the facilitator asks participants questions that help them understand their response during each phase of an event. Participants reference their plans but also use critical thinking and institutional knowledge to determine how to respond.

There are many benefits to performing a tabletop exercise. Participants get to think through and practice their response prior to an event. They can review and understand topics such as roles and responsibilities, communication, decision making, action items, and alternate processing options. They can also validate documentation, including plans and procedures, to make sure they are accessible, current, and thorough. In addition, regulators in some industries require companies to exercise these documented plans and procedures.

Don’t Forget to Ask Questions

Traditionally, disaster recovery or business continuity tabletop exercises have been used to practice the response to fires and tornados. Because of the visibility of data breaches and cyber attacks such as ransomware, companies should also be prepared to respond to a cyber incident. Key questions organizations should consider include:

  • What type of plans are in place regarding disaster recovery, crisis management, fire and safety, business continuity, and incident response?
  • Are your plans current? When was the last time you updated them?
  • How familiar with the plans are the individuals who would need to rely on them in the case of an event?
  • What kind of training and awareness does your organization provide for employees and stakeholders?
  • Do the plans have the information your company needs to respond to an event? How do you know?
  • How will your critical vendors respond to an event? Do they have documented plans? Do they regularly exercise them? Will they provide evidence to you that they have exercised them?

Having plans in place and rehearsing them are two ways a company can reduce the impact of an event if or when one occurs.

To learn more about how your business can prepare for a disaster or cybersecurity event, contact Wipfli.


Eric Onderdonk, CISM, CBCP
Senior Manager
View Profile