What 22,000 breaches teach us about incident preparedness

The source recommends that organizations conduct tabletop exercises (simulated incident response drills) that reflect real ransomware and third-party breach scenarios. Specifically, it states: 'Organizations that rehearse only the payment question are practicing the opening scene and skipping the rest of the play' and should instead practice 'sustaining operations without primary systems, coordinating with legal counsel and law enforcement, managing customer and investor communications under regulatory deadlines, deciding what to disclose and when.' For third-party breaches, the source advises: 'Tabletop exercises should simulate that friction. Participants should practice asking precise questions: What data of ours did you hold? What is the confirmed scope? What logs exist? How are you notifying other affected customers?' It also emphasizes practicing communication discipline with customers by 'communicating what you know and what y[ou do not know]' to build trust while avoiding premature attribution.