A major U.S. healthcare organization, seeking to practice their recently updated cybersecurity incident response plan, turned to Bryghtpath to conduct a multi-day complex ransomware exercise.
The Opportunity
Previously, the organization had worked with Bryghtpath to develop a crisis management framework and plan along with a detailed Cybersecurity incident response plan that was tightly integrated into their crisis management strategy.
Bryghtpath was retained by the Chief Compliance Officer and General Counsel to design and facilitate a multi-day complex ransomware exercise utilizing their recently updated plans and framework. The company was specifically interested in stressing all aspects of the response, including crisis communications, business continuity & disaster recovery, executive decision-making, and their integration of specific third-party service providers into their response process.
Approach and Results
We kicked off the three-month effort by hosting an initial planning session virtually with the core project team and stakeholders to capture goals and desired outcomes for the exercise. We then consulted directly with technical teams to ensure our exercise scenario was realistic and technically sound.
We spent several weeks developing a detailed timeline for the exercise with a handful of linear exercise moves and dozens of injects that would be used throughout the exercise to steer the scenario. Our inject approach was to deliver communication to players using the same methods they would receive it in a real incident, through Microsoft Teams, text messages, e-mails, and phone calls. This was intended to create additional friction that would have to be managed throughout the exercise, just as in a real crisis.
Once planning was complete, we facilitated a three-day exercise virtually with more than sixty exercise players involved in the main data incident response portion of the exercise. On day two of the exercise, the CEO and Executive Leadership Team became directly involved to manage certain strategic and reputational aspects of the crisis. Heavy emphasis in the exercise was placed on doing all the various actions required as if this was a real-life incident, including drafting communications, spinning up support teams and functions, and escalating decisions to executives.
Following the successful exercise, we wrote a detailed after-action report that included our observations, findings, and specific recommendations for improvement. The after-action report has since been used by the organization to further improve its crisis management and cybersecurity incident response processes.
Key Activities
- Review of current crisis management, information security, and cybersecurity incident plans
- Planning sessions with compliance, legal, information security, & global security teams
- Review of key learnings from previous exercises
Outcomes
- Successful completion of the exercise
- Enhancements to C-Level/Executive engagement for crisis response
- After-action report and 40+ recommended actions adopted by client
- Follow-up engagement for 4 crisis & continuity exercises for the following year
Download a PDF copy of this case study
We can help.
Let the experts at Bryghtpath put their decades of experience to work for your organization
We’ve designed, facilitated, and evaluated active shooter exercises for
Fortune 500 organizations around the world.
Our team has the experience, tools, and partnerships to help your organization successfully navigate the rough waters ahead – and ensure your organization is prepared.