Why and how to run a Tabletop Ransomware Simulation Exercise

Labuschagne says Tabletop Ransomware Exercises are essential for three reasons: 

1. Tabletop Exercises are a dress rehearsal for real ransomware attacks

“Structured simulations allow organisations to rehearse their response to get a clear view of how to react to an attack. A well-executed tabletop exercise helps organisations test and refine incident response plans, improve communication between departments, and develop a more coordinated and efficient response.

“Simulations could begin with phishing emails that lead to a network breach or direct attacks on the organisation’s customer data or operational systems. It's crucial to simulate real-time decision-making, test response and recovery protocols, and evaluate containment strategies from every possible angle.”  

2. Ransomware response exercises involve all key departments

“Don’t isolate cybersecurity exercises to the IT team - attacks affect every department. In financial institutions like ours, where both customer trust and regulatory compliance are critical, simulations ensure that all departments know their roles during an attack.” 

During a ransomware attack, he says IT must handle the technical aspects of containment and recovery, Legal needs to ensure compliance with notification laws and regulations, Compliance should focus on notifying law enforcement, compliance authorities and monitoring service level agreements (SLAs), Operations should focus on maintaining business continuity, Back Office must secure transactional data, Marketing and PR should manage external communication and reputational crisis management, and the executive team should work with highly skilled ransomware negotiators while managing high-level stakeholder engagements.

“By working as a team, organisations can create a comprehensive mitigation strategy. This is particularly important in BaaS, where continuous service availability and customer data security are non-negotiable. Maintaining the integrity of transactional data during recovery minimises operational disruption and restores trust,” says Labuschagne.

3. Ransomware exercises go beyond containment and also focus on recovery and resilience

Tabletop Ransomware Exercises should not stop at the point of containment. “A major part of ransomware resilience is recovery. A simulation should test your backup and data restoration capabilities, and provide a comprehensive systems review to see where the chinks in the armour are.” 

“After the simulation, it's essential to conduct a post-mortem analysis to assess performance, identify gaps, and make improvements. Regular tabletop exercises help teams stay sharp against rapidly evolving threats.”

Conclusion: Prepare for the inevitable

“It’s time for all organisations in this space to become more prepared so that we can mount a collective response to the growing ransomware crisis,” says Labuschagne. 

“We’ve learnt that it is possible to build a holistic defence and resilience strategy. We want to encourage other financial services organisations to do the same, so that we can together ensure greater cybersecurity in our shared networks, economies and national payment systems in the face of skyrocketing ransomware statistics. Don’t wait - run simulations now so that we can be better prepared together against this growing threat.”