iP Tec Solutions
Cybersecurity · May 10, 2026 · 3 min read

Ransomware Readiness in 90 Minutes: A Tabletop Exercise You Can Run This Week

Stop confusing 'we have backups' with 'we are ready.' Here's a 90-minute tabletop that exposes what your team actually does in the first hour of a real incident.

By iP Tec Solutions Editorial
Ransomware · Incident Response · Tabletop Exercise

Most SMBs have a ransomware plan. Very few have one that survives contact with reality.

The gap shows up the same way every time: the plan describes what the team will do but never tests how. Who actually has the authority to declare an incident at 2 AM? Where is the offline copy of the contact list when Outlook is encrypted? Who tells the cyber insurance carrier, and within how many hours?

A 90-minute tabletop exercise — done right — surfaces all of this without the actual breach.

How to set up

Get five to seven people in a room or on a call: owner or CFO, IT lead (internal or your MSP's account manager), operations head, someone who handles communications, and one person who'll act as the scribe.

Tell them in advance: this is a no-blame exercise, no laptops open, no emails sent. The goal is to find what's broken in the plan, not to show how prepared anyone is.

The scenario

It is Tuesday at 7:42 AM. The first employee in the office cannot log in to her workstation. Her screen shows a ransomware note demanding $480,000 in Bitcoin within 72 hours, with the threat to publish exfiltrated data afterward. The same note appears on every workstation as employees arrive.

Your file server is unreachable. Your line-of-business application is down. Your phone system, which runs on the same internal network, is also down.

Begin the clock.

The six injects

The facilitator drops these in, spaced roughly 10 minutes apart:

Inject 1 (T+10 min): Your cyber insurance broker calls. They've seen the news (your DNS provider's status page is showing your domain hijacked) and want to know if you're declaring a claim. Question to the room: who has the authority to say yes, and what is the policy number?

Inject 2 (T+20 min): Three of your largest customers email asking if their data is safe. Your director of sales wants to send a reassuring reply. Question: who approves outbound communications during an incident? Is there a holding statement on file?

Inject 3 (T+30 min): Your MSP's response team needs the credentials to the offline backup repository. The credentials are in your password manager. Your password manager is single-sign-on through M365. M365 is locked. Question: where is the break-glass credential and who has it?

Inject 4 (T+45 min): Local TV news calls your front desk. Question: does your front desk know what to say? Have they been trained?

Inject 5 (T+60 min): Law enforcement (FBI Cyber field office) is asking whether you'd like them to engage. Your attorney is asking whether engaging the FBI affects your insurance coverage. Question: who decides, and on what timeline?

Inject 6 (T+80 min): A junior employee posts on LinkedIn that the company has been "hacked." It is shared 47 times in 15 minutes. Question: what does your social media policy say about incidents? Has it ever been communicated?

Insight

The point of these injects isn't the answers. It's the silences. Whenever the room goes quiet, you've found a gap worth documenting.

What good looks like

After the exercise, the scribe writes a one-page after-action report covering: what worked, what didn't, three specific gaps with owners and deadlines, and one decision the leadership team needs to make that they couldn't make in the room.

That document is the artifact your cyber insurance carrier wants to see. It is also the document that makes your next tabletop better.

What it costs you not to do this

A real ransomware incident at an SMB costs, conservatively, $150,000 to $500,000 in direct response costs alone — before factoring in lost revenue, customer churn, or premium increases at renewal. A 90-minute exercise costs you one morning.

The decision math is straightforward.