Crises are unpredictable and chaotic, and responding to them effectively can be challenging for organisations. Hence, many organisations conduct tabletop exercises to test their crisis management plans in a simulated environment. These exercises identify the strengths and weaknesses of the plan, enabling organisations to refine their approach and be better prepared for real-world crises.
Common Findings of a Cybersecurity Tabletop Exercise
The findings of a tabletop exercise differ depending on the organisation’s maturity, on whether an Incident Response Playbook has been established, and on how regularly it is reviewed. Plans are often built on assumptions such as the expected duration of an incident and the constant availability of key personnel, so findings can range from something as granular as outdated contact information for key personnel to significant gaps in the response plan, such as the absence of clear escalation procedures.
With regular exploration of tabletop exercise scenarios, organisations can identify gaps and inefficiencies in their Incident Response Playbook and address them before an actual cyber incident occurs. It also helps organisations refine their crisis communication strategies, ensuring that key stakeholders are prepared and ready to respond in a coordinated and effective manner.
In this blog post, we’ll explore the most common findings from the tabletop exercise engagements we have conducted with organisations, as a guide to interpreting and improving your organisation’s crisis management plans.
1. Having Only A Singular Point Of Contact
When performing tabletop exercises, one of the most commonly overlooked points is that each role has only a single point of contact.
In the current cybersecurity landscape, crises usually span multiple days. For example, covering Incident Response from Identification to Recovery generally takes days, or even weeks for more complicated cases. It is therefore unrealistic to expect the key personnel involved to be active and on call 24/7 throughout the crisis.
It is strongly recommended that all key personnel identify an alternative point of contact ahead of time. (This could be recorded in the playbook.) In addition, documentation of the work/rest cycle of the key personnel, as well as an SOP for handing over information between shifts, is required.
2. Insufficient Process For Reporting To Regulatory Agencies
When dealing with a crisis, it is common for some form of Government Regulatory Agency or Law Enforcement to be involved once a certain threshold has been reached. This is a legal obligation, and failing to meet it in an appropriate and timely manner may have major implications.
For example, under the Singapore Personal Data Protection Act (“PDPA”) 2012, an organisation must notify the Personal Data Protection Commission (“PDPC”) of a notifiable data breach as soon as practicable, but no later than three calendar days. In addition, the affected individuals must also be notified as soon as practicable, at the same time as or after notifying the PDPC. While most organisations understand that they must report to regulatory agencies, this is often not well documented in the incident response (IR) plan.
When a breach occurs, the IR plan should serve as a single reference point covering all action items that have to be taken. This includes the notification process and the list of regulatory agencies to be notified. Such documentation provides clearer tracking to ensure that all applicable regulatory agencies are informed in a timely manner during an incident.
A tabletop exercise can help to identify an organisation’s gaps in this process, allowing relevant personnel to take the necessary steps to improve efficiency and prevent legal implications.
3. Failure To Incorporate Cybersecurity Insurance Requirements Into Incident Response (IR) Plan
With the rising number and cost of cyber incidents globally, demand for cyber insurance has been surging as organisations seek protection against financial losses caused by cyber-attacks, data breaches and other types of cyber incidents. Like any other insurance, cyber insurance comes with additional terms and conditions that may affect the development and efficacy of the IR plan. Failure to meet specific terms and conditions may result in only partial reimbursement of the organisation’s expenses.
Hence, it is recommended to take the cyber insurance policy’s terms and conditions into account when designing the organisation’s IR plan. Notable items to include are the prescribed vendor list provided by the insurance company for forensic investigations and, integrated into the existing flowchart, the steps required to inform the insurance company.
4. Lack Of Pre-defined Media Response
In the event of an incident, it is vital to manage the media response properly: a well-handled response helps maintain public trust and confidence and reduces the risk of reputational damage. If handled poorly, it can result in confusion and panic, further exacerbating the crisis.
Pre-defined responses therefore help the media team ensure that the statements they provide do not disclose potentially sensitive information about the incident in progress. These pre-defined messages also streamline the overall response process, so that incident response team members can focus on the actions needed to restore business as usual.
It is recommended to formulate, evaluate and approve the pre-prepared responses for the communications and media team in advance. During a tabletop exercise, the team can also prepare responses for frontline staff, who are usually the first to receive enquiries. Organisations can include the following high-level information in the pre-defined responses:
- The generic nature of the incident.
- Potential timelines as to when usability would be restored.
- Assurance that the team is investigating the incident.
5. Insufficient Details In Response Steps and Procedures
*This finding is more common among less mature organisations that are unfamiliar with tabletop exercises or have only conducted them a few times.
An Incident Response plan provides guidelines and covers the details at a high level. These plans are usually kept simple and concise so that all staff can understand them and take the necessary actions during a cyber-attack. However, a playbook is highly recommended in addition, as it consists of step-by-step instructions for the Incident Response team in a specific situation. This provides more detailed guidance and clear instructions about who is in charge, who to call and what to do. The playbook should also enable responders without prior knowledge of the environment to act, whether in a prolonged incident, when the immediate response team is unavailable, or when external responders and personnel must be guided through a complex incident or recovery process.
It is recommended to hold regular sessions to create Incident Response playbooks for chosen scenarios, selected from the common threats in the industry. The value of these sessions lies not necessarily in the playbook itself but in the process of creating a detailed step-by-step guide. This allows key operators and stakeholders to walk through the details and discover ‘what they do not know’, benefiting both the chosen scenario and the overall response capability.
A playbook should reference the Incident Response Plan (IRP) and specify details such as:
- The initiating condition of the incident
- Possible steps the IR team would perform to identify and investigate the incident
- Separation of ‘mandatory steps’ and ‘best practices’
- List of regulatory requirements or standards that the playbook should comply with
- Approval sources for sensitive messaging
Jonathan Tan, Senior Offensive Security Consultant
Jonathan is well experienced with both defensive and offensive security. With great technical experience and capabilities, he works with various government agencies, schools, hotels and financial institutions to assess security controls in place through red teaming and adversary simulation exercises, tabletop exercises, penetration testing and security reviews.