
Now what? What to do after a cybersecurity exercise

An effective way to understand how a cybersecurity exercise went is to evaluate it afterwards. The evaluation shows where your preparedness is strong and where it is weak.

To help you, we have created a list of questions that cover every essential area of your preparedness plan. Working through them with your colleagues will reveal your next step and help you notice, and reward, progress.

We have used a scenario with ransomware as an example in this article. But these questions are relevant for other scenarios as well.  

16 questions to turn insights into action after your cybersecurity exercise  

Ransomware is malicious software that encrypts your data and, in many cases, the systems that hold it. Affected systems become inaccessible and the data unavailable. The attacker demands a ransom in exchange for the decryption key. Attackers can also double extort you: they copy the data before encrypting it and threaten to release or sell it unless you pay. This is unfortunately an increasing trend.

Business impact  

Ransomware can lead to lost or compromised data. Disrupted operations can in turn cause financial, reputational and revenue consequences. Any business can be affected by ransomware, regardless of size and industry.

  • Will the incident affect any assets, and if so, which ones?

  • How will it impact your organization's operations?  

Recommendations: To protect your organization, you must know your most valuable assets. Assess how different scenarios would affect your business operations, systems, data and services. That makes it easier to choose the right measures to protect them.

Roles and responsibilities  

When something suspicious happens, you need to know when, how and who to contact. Ransomware requires an immediate response and should activate crisis management. Keeping a log of events and decisions helps you maintain an overview of the situation and take the proper actions. It is also valuable documentation for the aftermath.

  • Do the participants know who to contact when they suspect something is going on?

  • Is it clear to you who is included in the crisis team?  

  • Who is responsible for documenting the timeline of the event?  

Recommendations: Define the roles and responsibilities of the colleagues involved in incident management. A crisis team should at minimum include a leader, a spokesperson, a technical expert and a legal advisor. Also appoint someone to log the timeline and the details throughout the incident.

Establish a notification plan describing who to contact during incidents. Communicate and distribute the plan throughout the organization, so everyone knows about it. 

Communication strategies  

Ransomware affects technology, people and organizational processes alike. This requires prompt and transparent communication with both internal and external stakeholders, who also need support and guidance on how to deal with the situation.

  • Do you know who, how and when to contact relevant actors and stakeholders? 

  • How do you keep everyone informed so that they have a clear understanding of what is going on?

Recommendations: Developing internal and external communication plans contributes to effective incident handling. Decide how you will inform employees, management, partners, customers and the public. Use clear, consistent and accurate messages to avoid confusion and misinformation.

Incident and recovery strategy  

As mentioned before, ransomware can cause data loss and make IT systems unavailable. Having a response plan for this kind of event will help you get back to business faster. But this requires that you have backups and know that they work as intended.

  • Do you have an incident response strategy? 

  • Do you have a backup and a restore plan for your systems?  

Recommendations: Creating a comprehensive strategy to restore normal operations will reduce downtime. Include step-by-step procedures to ensure a safe and efficient recovery, including backup and restore procedures. Back up critical data regularly, and keep at least one copy offline or otherwise protected from modification, since ransomware frequently encrypts or deletes any backups it can reach. Test and verify data restoration regularly, in practice and not only on paper, so you know how long a restore takes and that the restored data is complete and intact.
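As an added example (not part of the original article, and not any particular vendor's tooling), the script below shows what "test and verify data restoration" can look like in practice: it backs up a directory into an archive, records a hash manifest of every file, authenticates the manifest with an HMAC, restores the archive into a scratch location and checks every restored file against the manifest. The drill then shows three failure modes the check catches: a manifest that no longer matches the archive, a manifest someone edited, and an archive overwritten in place the way ransomware would. The sample files, directory names and the MANIFEST_KEY value are constructed for the example; in a real setup the key would live in a secret store outside the backup set.

```python
"""Restore drill for a file backup: build, restore, verify (added example)."""
import hashlib
import hmac
import json
import os
import tarfile
import tempfile

# Assumed value for the example. Keep the real key outside the backup set,
# otherwise an attacker who can rewrite the backups can re-sign the manifest.
MANIFEST_KEY = b"example-manifest-key"


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_manifest(files):
    """HMAC over a canonical JSON encoding of {relative path: sha256}."""
    payload = json.dumps(files, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, payload, hashlib.sha256).hexdigest()


def create_backup(source_dir, archive_path):
    """Write a .tar.gz of source_dir and return the signed manifest for it."""
    files = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, names in os.walk(source_dir):
            for name in sorted(names):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                files[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return {"files": files, "tag": sign_manifest(files)}


def verify_restore(archive_path, manifest, restore_dir):
    """Restore archive_path into restore_dir and check it against manifest.

    Returns (ok, problems). Fails closed: an unreadable archive or an
    unauthenticated manifest is reported as a failed restore test.
    """
    if not hmac.compare_digest(sign_manifest(manifest["files"]), manifest["tag"]):
        return False, ["manifest failed authentication (edited or replaced?)"]
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Use the safe extraction filter where the interpreter provides it
            # (3.12+, and backported to maintenance releases of 3.8-3.11).
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **extra)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return False, [f"restore failed: {exc}"]
    problems = []
    for rel, expected in manifest["files"].items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"content mismatch: {rel}")
    return not problems, problems


def run_restore_drill():
    """Constructed drill: one good restore and three ways a restore test fails."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        # Constructed sample data standing in for "critical data".
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("2024-01-01,invoice,1200\n")
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample data\n")

        archive = os.path.join(work, "backup.tar.gz")
        manifest = create_backup(src, archive)
        results["clean"] = verify_restore(archive, manifest, os.path.join(work, "r1"))

        # Data changed after the manifest was taken: the restore is complete
        # but does not match what the manifest says it should contain.
        with open(os.path.join(src, "finance", "ledger.csv"), "a") as f:
            f.write("2024-01-02,invoice,9999\n")
        archive2 = os.path.join(work, "backup2.tar.gz")
        create_backup(src, archive2)
        results["stale_manifest"] = verify_restore(archive2, manifest, os.path.join(work, "r2"))

        # Someone edited a hash in the manifest without knowing the key.
        tampered = {"files": dict(manifest["files"]), "tag": manifest["tag"]}
        tampered["files"]["readme.txt"] = "0" * 64
        results["edited_manifest"] = verify_restore(archive, tampered, os.path.join(work, "r3"))

        # The archive itself was overwritten in place (ransomware-style).
        with open(archive, "r+b") as f:
            size = f.seek(0, os.SEEK_END)
            f.seek(0)
            f.write(b"\x00" * size)
        results["overwritten_archive"] = verify_restore(archive, manifest, os.path.join(work, "r4"))
    return results


if __name__ == "__main__":
    for name, (ok, problems) in run_restore_drill().items():
        print(f"{name}: {'OK' if ok else 'FAILED'} {problems}")
```

The point of the drill is that "we have backups" is only verified once a restore has actually been performed and its output compared with an independent record of what the data should be. Storing the manifest and its key somewhere the backup job cannot write to is what turns the hash check into a tamper check rather than a mere consistency check.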

Collaboration with third parties  

Ransomware is a serious crime that causes distress for authorities, organizations and individuals alike. Cooperation and transparency are crucial for mitigating the consequences.

  • Do you know which authorities you must inform?  

  • Are there any deadlines for informing them about the incident?  

  • Will you handle the situation yourself, or will you need external support?

Recommendations: Establish contacts with relevant authorities, industry organizations and other partners. Share information about events that may impact others in your industry. Make the necessary arrangements for external help in advance, so it is available when you need it.

Practical considerations  

Documentation and communication systems can become unavailable or inaccessible during a ransomware incident.

  • Are your incident response plans and resources available during IT interruptions? 

    • Who has access to them?   

  • Do you have a safe method for distributing them?   

    • Who is responsible for doing this?

Recommendations: Ensure that your incident response plans are available and accessible during IT interruptions. Consider keeping the plans accessible for personnel both in and out of the office, for example as paper or offline copies. Also establish alternative communication channels that do not depend on the affected systems.

Always prepared with cybersecurity exercises 

Incident management plays a critical role in an organization's resilience against cyber attacks. By conducting and evaluating preparedness exercises, organizations can enhance their ability to handle incidents and be better prepared to face cyber threats.