By 
The past year was the worst on record for ransomware attacks around the globe
In the past year, ransomware attacks were the worst on record due to an estimated 92% year-on-year global increase. Criminals made off with more than $1 billion in cryptocurrency payments from victims and left a trail of destruction in their wake.
RELATED: Cybersecurity Awareness Month: How to mitigate an SQL Injection Attack
This is why ransomware preparedness – and more specifically “tabletop” simulation exercises – are more critical than ever, especially where customer data, business continuity and the very integrity of national payment systems are at stake, according to a top financial services cybersecurity expert.
A Global Response to Ransomware
Global guidelines to help organisations prepare for ransomware attacks include the US Cybersecurity and Infrastructure Security Agency (CISA) Ransomware Guide of 2023, and the Counter Ransomware Initiative’s new voluntary ransomware guidance, released this month when cybersecurity experts from 70 countries gathered at the White House to address the global scourge. 2300 attacks have happened in 2024 so far, following 4500 in 2023. Central banks also offer guidance to protect the financial system, such as the South African Reserve Bank’s (SARB’s) cyber-resilience directive.
“Any industry with the duty to protect sensitive customer data should follow global and local guidance on ransomware. The stakes are particularly high for financial services and banking-as-a-service (BaaS) providers who are integral to the national payment system. This is why, in addition to following important guidelines, we must make prevention a very practical and regular real-life internal exercise. This can be done by running annual “Tabletop Ransomware Simulation” exercises,” says Dirk Labuschagne, Chief Information Security Officer at Direct Transact (DT).
As the pioneer of BaaS in South Africa, DT’s network includes several banks, corporates and payment providers, and due to its pivotal position in the financial ecosystem, Labuschagne also serves on the special SARB task team guarding against nationwide financial system collapse in case of a blackout.
“Simulation exercises allow organisations to evaluate their weaknesses and incident responses in a controlled environment. As financial services providers, in particular, we need to practise how to safeguard our operations, customer data, and reputation. I strongly recommend bringing in external experts to guide the process, such as Rubrik, who we’ve worked with for several years and who has an excellent white paper guiding our simulation,” he says.
Labuschagne says Tabletop Ransomware Exercises are essential for three reasons:
1. Tabletop Exercises are a dress rehearsal for real ransomware attacks
“Structured simulations allow organisations to rehearse their response to get a clear view of how to react to an attack. A well-executed tabletop exercise helps organisations test and refine incident response plans, improve communication between departments, and develop a more coordinated and efficient response.
“Simulations could begin with phishing emails that lead to a network breach or direct attacks on the organisation’s customer data or operational systems. It’s crucial to simulate real-time decision-making, test response and recovery protocols, and evaluate containment strategies from every possible angle.”
2. Ransomware response exercises involve all key departments
“Don’t isolate cybersecurity exercises to the IT team – attacks affect every department. In financial institutions like ours, where both customer trust and regulatory compliance are critical, simulations ensure that all departments know their roles during an attack.”
During a ransomware attack, he says IT must handle the technical aspects of containment and recovery, Legal needs to ensure compliance with notification laws and regulations, Compliance should focus on notifying law enforcement, compliance authorities and monitoring service level agreements (SLAs), Operations should focus on maintaining business continuity, Back Office must secure transactional data, Marketing and PR should manage external communication and reputational crisis management, and the executive team should work with highly skilled ransomware negotiators while managing high-level stakeholder engagements.
“By working as a team, organisations can create a comprehensive mitigation strategy. This is particularly important in BaaS, where continuous service availability and customer data security are non-negotiable. Maintaining the integrity of transactional data during recovery minimises operational disruption and restores trust,” says Labuschagne.
3. Ransomware exercises go beyond containment and also focus on recovery and resilience
Tabletop Ransomware Exercises should not stop at the point of containment. “A major part of ransomware resilience is recovery. A simulation should test your backup and data restoration capabilities, and provide a comprehensive systems review to see where the chinks in the armour are.”
“After the simulation, it’s essential to conduct a post-mortem analysis to assess performance, identify gaps, and make improvements. Regular tabletop exercises help teams stay sharp against rapidly evolving threats.”
Conclusion: Prepare for the inevitable
“It’s time for all organisations in this space to become more prepared so that we can mount a collective response to the growing ransomware crisis,” says Labuschagne.
“We’ve learnt that it is possible to build a holistic defence and resilience strategy. We want to encourage other financial services organisations to do the same, so that we can together ensure greater cybersecurity in our shared networks, economies and national payment systems in the face of skyrocketing ransomware statistics. Don’t wait – run simulations now so that we can be better prepared together against this growing threat.”
