Resilience through crisis management: 10 most common mistakes made during a tabletop crisis exercise

Crisis management plans

Crisis management is a critical component of any organisation’s strategic planning, and it becomes even more important during unexpected and challenging times.

Do you know what a crisis is? A crisis is an extreme situation that combines an urgent need for decisions, insufficient available resources and uncertainty about the outcome. Scenarios such as a significant IT disruption, a massive data leak or a fire in a datacenter are examples of a crisis.

Various plans help ensure comprehensive crisis management. They include:

  • Business Impact Analysis (BIA) & Application Impact Analysis (AIA): identifies potential threats and assesses their likelihood and potential impact.
  • Business Continuity Plan (BCP): outlines the procedures to ensure the continuity of the business through failover techniques or workarounds.
  • Disaster Recovery Plan (DRP): outlines the procedures to restore operations and applications to their “normal state”.
  • Communication Plan (CM): comprises the inventory of employees, customers and third-party contacts, as well as communication templates for different situations.
  • Incident Response Plan (IRP): outlines the management of emergencies and evacuations.

Tabletop exercises

However, even the best crisis management plan can fall short if it has not been tested. Tabletop exercises can be performed to identify potential gaps in the plan and ensure that everyone involved is familiar with the procedures, their roles and their responsibilities. A tabletop exercise is a discussion-based activity in which a group of participants (usually the board and the heads of key divisions), called the Crisis Unit, works through a hypothetical crisis scenario. They have to react to incoming stimuli that are combined to form a plausible scenario. These stimuli can vary in form (e.g. incoming email, phone call, news article), sender (e.g. employee, client, supplier, journalist) and content (e.g. notification of an incident, malfunction, complaint, interview request).

Most common tabletop exercise mistakes

One of the most frequently encountered scenarios during a tabletop exercise is the infection of the organisation’s systems by a ransomware attack. Often, participants repeat the same mistakes. Here is the Top 10:

  • Paying the ransom: It is tempting to pay the ransom if the amount is not too high, but it might not solve anything. Victims have no guarantee that they will get their data back, or that the attackers are not going to strike again in a few days or weeks. Additionally, the more often attackers are rewarded, the more incentivized they are to keep their illegal activity going.
  • Not giving enough instructions to employees: Instructions must be given to employees as soon as possible so that they follow the adequate procedure and take early measures.
  • Not isolating the devices from the network: One of the first technical actions to take, and the most important one, is to isolate the infected devices from the network. This will stop the propagation of the ransomware. The Crisis Unit should give such instruction to all of the employees.
  • Shutting down the computers: Many think that shutting down their computer is the right reflex in a ransomware scenario. However, it is advisable simply to put computers in sleep mode so that a potential forensic investigation remains possible.
  • Notifying third parties or customers before employees: In the urgency of the moment, you may forget to notify someone or notify people in the wrong order. What happens if journalists are aware of the attack before your employees? Remember to follow your crisis communication plan to the letter. It should specify the following order: employees, suppliers, customers and the press.
  • Hiding the ransomware attack from third parties and customers: Assume that your third parties and customers will be aware of the attack going on. Hiding the situation or lying will not improve the relationship of trust you have with them. Be honest, be transparent while staying reassuring and optimistic; they will have some understanding.
  • Contacting the Data Protection Authorities too late in case of a data leak: In the middle of a ransomware scenario, faced with an attacker threatening to leak data, participants often forget to notify the Data Protection Authority. Remember that you need to notify them by completing a form within 72 hours. This is why the Data Protection Officer is often part of the Crisis Unit. For reference, the European Data Protection Board lists all EU Data Protection Authorities at Our Members | European Data Protection Board (europa.eu).
  • Writing all of the messages from scratch: The hurry of the moment will not give you enough time to prepare well-written messages. This is why it is highly recommended to include several templates of communications in your communication plan for different scenarios.
  • Infected backups used for the recovery: Often, participants propose recovering from the attack using the most recent backups. However, that last backup probably also contains the ransomware, which will encrypt all of your data again. Be sure to identify where the attack came from or when it happened, and then use the last backup taken prior to that event. Another option is to carry out a forensic investigation.
  • Not enough communication between the members of the Crisis Unit: The Crisis Unit is a group of 6 to 12 people designated to manage the crisis. It generally comprises the CEO, the CISO, the DPO, and representatives of the IT and HR departments and other important departments of the company. A great level of communication and coordination is required since they need to have a global view of the situation in order to take action and determine the next steps.
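The "infected backups" mistake above comes down to a timeline question: which backups predate the compromise? The following Python script is an added example written for this page, not code from HeadMind Partners or from any backup product. It assumes a backup catalogue with timestamps (the sample catalogue and the compromise time are constructed for the example) and adds a configurable dwell-time margin, because the moment encryption is noticed is rarely the moment the attacker first got in.

```python
"""Pick the most recent backup taken before the estimated compromise time."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Backup:
    """One entry of a backup catalogue (constructed for this example)."""
    label: str
    taken_at: datetime


def select_clean_backup(
    backups: Iterable[Backup],
    compromise_time: datetime,
    margin: timedelta = timedelta(0),
) -> Optional[Backup]:
    """Return the newest backup taken strictly before compromise_time - margin.

    The margin is a safety allowance for uncertainty about when the attacker
    first gained access (dwell time): a backup taken inside that window may
    already contain the ransomware even if encryption had not started yet.
    Returns None when no backup predates the cutoff.
    """
    cutoff = compromise_time - margin
    candidates = [b for b in backups if b.taken_at < cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda b: b.taken_at)


def suspect_backups(
    backups: Iterable[Backup],
    compromise_time: datetime,
    margin: timedelta = timedelta(0),
) -> List[Backup]:
    """Backups taken at or after the cutoff; treat these as potentially infected."""
    cutoff = compromise_time - margin
    return sorted((b for b in backups if b.taken_at >= cutoff), key=lambda b: b.taken_at)


# Constructed sample catalogue: one full backup per night at 02:00.
SAMPLE_BACKUPS = [
    Backup(f"full-2024-03-{day:02d}", datetime(2024, 3, day, 2, 0)) for day in range(1, 8)
]
# Constructed estimate from a hypothetical investigation: first malicious
# activity observed on 5 March 2024 at 14:30.
ESTIMATED_COMPROMISE = datetime(2024, 3, 5, 14, 30)
# Assumed dwell-time margin; tune it to what the forensic investigation supports.
DWELL_MARGIN = timedelta(hours=24)

if __name__ == "__main__":
    naive = select_clean_backup(SAMPLE_BACKUPS, ESTIMATED_COMPROMISE)
    cautious = select_clean_backup(SAMPLE_BACKUPS, ESTIMATED_COMPROMISE, DWELL_MARGIN)
    print("Last backup before the observed compromise:", naive.label)
    print("Last backup with a 24h dwell-time margin:  ", cautious.label)
    for b in suspect_backups(SAMPLE_BACKUPS, ESTIMATED_COMPROMISE, DWELL_MARGIN):
        print("Quarantine and verify before use:", b.label)
```

With the sample data the naive choice is the backup of 5 March, taken twelve hours before the first observed activity; with a 24-hour margin the script instead recommends the 4 March backup and flags the three later ones for verification. The Crisis Unit still has to decide how much data loss that margin costs the business, but the decision is then made on a timeline rather than on a reflex.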

Resilience Lab, HeadMind Partners Belgium
