Exercising Ransomware With A World-Leading Research Institute

Our client is a prominent UK-based, world-leading research organisation focused on sustainable land use, food security, and environmental science. With a wide-ranging operational footprint and complex data systems, cyber resilience is critical to protecting its research, partnerships, and public trust.

The organisation engaged Beyond Blue to design and facilitate a ransomware tabletop exercise to assess and enhance its incident response readiness. Key challenges included assessing the effectiveness of the current Cyber Incident Response Plan (CIRP) and identifying areas for improvement, determining critical departmental data and establishing data recovery priorities and clarifying the roles and responsibilities of key personnel during a ransomware attack. We also needed to evaluate the operational impact of a cyberattack, including dependencies on suppliers and the broader supply chain.

The exercise aimed to ensure the Cyber Incident Response Team (CIRT) could respond confidently and effectively to a ransomware incident aligned with the organisation’s unique operational and technical landscape.

Beyond Blue began with targeted consultations to understand the client’s current CIRT, system architecture, data flows, and organisational structure. The scenario design incorporated specific concerns such as research data protection, supply chain interdependencies, and internal coordination challenges.

• Discovery & Evidence Base: Targeted consultations with IT, research leads, information governance, HR, communications and procurement established how data moves, where it’s stored, and how the current CIRP is actually used. Parallel reviews of CIRP documents, BCPs, backup schedules, SLAs and data classifications created an evidence base and surfaced early assumptions about impact, recovery options and supplier touchpoints.

• Scenario Development: We engineered a threat‑led ransomware narrative built on contemporary attacker tradecraft (initial access vectors, lateral movement, data exfiltration and double‑extortion) and mapped it directly to the client’s technology stack. A sequenced decision timeline and inject library-ransom note, regulator interest, media enquiry, supplier outage was designed to apply pressure at specific points and test both technical containment and executive judgement.

• Tabletop Exercise Delivery: We then delivered a bespoke in‑person tabletop for the CIRT, facilitated by two senior practitioners. The session tested decision‑making across technical, operational and leadership layers, encouraging open discussion and focused problem‑solving. Activities included mapping and stress‑testing departmental data‑recovery priorities, role‑clarification drills for response and recovery, and exploration of escalation pathways and supplier communications. Real‑time reflection segments captured lessons on operational disruption and continuity planning.

• Comprehensive Feedback: Following the session, the facilitators navigated a hot debrief and a comprehensive written report. This included detailed observations, priority recommendations, and a practical implementation plan to enhance cyber resilience, regarding sector best practices and tailored to the client’s context.

• Report Writing: The post‑exercise report synthesised all observations into clear thematic groupings (e.g. data recovery governance, supplier and third‑party dependencies, internal/external communications, technical containment and forensics). For each gap we captured the evidence observed during the exercise, articulated the associated risk/operational impact, and paired it with a concrete, actionable recommendation. We then triaged every recommendation into High, Medium or Low priority using agreed criteria: business impact, recovery criticality and implementation effort. A recommendation matrix set out the themes, gaps, proposed actions and indicative time horizons, giving the client a transparent, defensible basis for sequencing next steps.

The ransomware tabletop exercise delivered several tangible outcomes for our client. It enabled the Cyber Incident Response Team (CIRT) to identify both strengths and areas for improvement within the existing Cyber Incident Response Plan (CIRP). Participants gained greater clarity on data recovery priorities across key departments, which is essential for minimising downtime and ensuring continuity of critical research operations. The exercise also deepened the team’s understanding of individual and collective roles during a ransomware incident, fostering a more coordinated and confident response posture. Additionally, the session surfaced important supplier and operational dependencies that are vital to maintaining continuity during a cyber disruption. These insights were captured in a concise, actionable report that was tailored to the client’s operational needs and aligned with its risk profile.

The outcomes of the exercise have had a lasting impact on the client’s approach to cyber preparedness. Key learnings and recommendations have been integrated into ongoing resilience initiatives, leading to a revised CIRP, clearer response roles, and heightened team awareness. These changes have contributed to embedding a more resilient incident response culture within the organisation - one that is better equipped to handle future cyber threats with confidence and agility.

Client quote:

“The research put into personalising the exercise fostered enthusiasm for acting out the scenario, and the facilitators, David and Sam, nurtured open discussion, which undoubtedly enhanced the experience and what our team took away from it. The report we received demonstrates a thorough understanding of our organisation and illustrates the experience and expertise of those involved in its creation.”