Why a Tabletop, Not a Policy Document
Most Algerian SMEs that say they “have an incident response plan” have a Word document, not a plan. The difference becomes painfully clear during the first real attack. A tabletop exercise is a facilitated, scenario-driven conversation that walks the leadership team through a ransomware incident in real time: who answers the first phone call, who decides whether to pay, who talks to customers, who restores from backup. It surfaces the gaps the policy document never shows.
The threat environment justifies the effort. BlackFog’s State of Ransomware report for March 2026 documents a sustained rise in publicly disclosed attacks across the first quarter. Industrial Cyber’s analysis of ransomware reaching an elevated new normal frames the trend as structural rather than cyclical, while Breached.Company reports that ransomware attacks soared roughly 30% in 2026. CM-Alliance’s round-up of the biggest cyber attacks, data breaches and ransomware attacks of March 2026 lists healthcare providers, school districts and mid-market manufacturers among the month’s victims — exactly the company profiles most Algerian SMEs recognise.
What is new in 2026 is not the attack technique — most ransomware still starts with a phishing email or an exposed RDP port — but the professionalisation of the affiliate ecosystem and the normalisation of data-theft-plus-encryption double extortion. The implication for SMEs: even a paid ransom does not guarantee the data will not also appear on a leak site.
The 90-Minute Tabletop: Structure and Roles
A first tabletop does not need to be a multi-day exercise. Ninety minutes in a conference room with the right people and a simple scenario extracts most of the value. The structure below is a common one; keep the four phases even if you adjust the timings.
Duration: 90 minutes, split into four phases.
Participants: 6-10 people maximum. More becomes a town hall, not a drill.
Format: Facilitated discussion, not a live technical simulation.
Required roles in the room:
- Facilitator — reads the scenario, injects new information, keeps time. Ideally someone external to daily operations who will not be pulled back into the role.
- General Manager or CEO — makes the ultimate pay/don’t-pay and public-communication calls.
- IT lead or CISO — describes what is technically possible at each injection.
- Finance director — speaks to insurance coverage, ransom payment mechanics, and downstream payroll/supplier impact.
- Legal counsel or external advisor — raises disclosure obligations and contract implications.
- Communications / HR lead — handles customer, employee, and press messaging.
- Operations lead — translates IT downtime into real-world production, shipping or service impact.
Optional but valuable: an external MSP or MSSP representative, and someone to take notes who is not participating.
Four phases:
- Minutes 0-15 — Initial alert. The scenario drops: a Tuesday at 08:40, the accounting team cannot open files, screens show a ransom note, a 72-hour timer is counting down. Discussion: who do you call first? Is anyone on PTO? Is there a formal incident commander?
- Minutes 15-45 — Triage and containment. Facilitator injects: the IT lead confirms the file server is encrypted; a second inject reveals the backup share is also encrypted because it was mounted writable from the infected workstations, so the same malware reached it. Discussion: can you isolate the network? Do you know which systems are affected? Do you have offline or otherwise write-protected backups?
- Minutes 45-75 — Decision and communication. Facilitator injects: the attacker posts a countdown on their leak site with screenshots of customer data. Discussion: pay or not pay? Who tells the customers? Do you have to notify regulators or card schemes? What does your cyber insurance policy actually cover?
- Minutes 75-90 — Debrief. Everyone writes down the three gaps they noticed. Read them out, cluster them, assign an owner and a deadline to each.
The last fifteen minutes are the most valuable part of the exercise. Without a written gap list and owners, the drill is theatre.
Three Scenario Templates to Start From
Scenario A — Classic encryption. Monday morning, finance cannot open Excel files, a ransom note demands 30,000 USD in Bitcoin within 72 hours. Backups exist but no one has tested a restore in six months. This is the most common real-world scenario and the best one for a first exercise.
Scenario B — Double extortion. Same trigger as Scenario A, but by the second injection the attacker also claims to have exfiltrated 120 GB of customer data and HR files, and posts sample records on a leak site to prove it. Tests whether the organisation has a data-breach communication plan, not just an IT-recovery plan.
Scenario C — Cloud-only business. A SaaS-dependent SME where the ransomware is not on local endpoints but in a compromised Microsoft 365 tenant: OneDrive files encrypted via a malicious OAuth app that a user granted file-write permissions through a consent prompt. Tests whether the team understands that “we are all in the cloud” does not mean “we cannot be ransomwared,” and whether anyone knows how to revoke an app’s consent in the tenant. This is increasingly the relevant scenario for Algerian digital-first SMEs.
Pick one for the first exercise. Save the others for subsequent quarters.
The Roles, Decision Gates and Backup-Restore Test
Three elements separate a useful exercise from a performative one.
Clear roles. Every participant must know what their function is before the scenario starts. A printed one-page role card for each seat — “You are the CFO. You authorise payments up to X. You hold the cyber-insurance policy. You report to the CEO” — prevents the drill from collapsing into a monologue by whoever is loudest.
Explicit decision gates. The facilitator must force specific binary decisions, not vague discussion. Sample gates:
- Gate 1 (minute 10): Who is the incident commander for the next 24 hours? Name one person.
- Gate 2 (minute 30): Do we disconnect the internet for the whole office? Yes/no.
- Gate 3 (minute 55): Do we engage a ransomware negotiator? Yes/no, and by when?
- Gate 4 (minute 70): Do we issue a public statement today? Yes/no, drafted by whom?
A decision the team cannot make in the drill is a decision they will not make at 3am when it actually matters.
A live backup-restore mini-test. Tabletops are discussion, but the one-hour mark is the right moment to pause and ask IT to demonstrate, right now, on a laptop, that they can successfully restore one test file from the backup system. Restore into an isolated location, never over the production copy, and verify the file’s contents (a hash recorded at backup time, not just the file’s presence). This single step exposes the gap between “we have backups” and “we have recoverable backups.” Teams that cannot restore and verify a single file in fifteen minutes have a real problem, and the tabletop is the right place to discover it. If the backup location turns out to be writable from the machine doing the restore, that is a second finding for the gap list.
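A minimal script for that mini-test, added here as an example and not code from the article. It assumes backups are plain tar archives, that the SHA-256 of each file was recorded at backup time and kept off the backed-up share, and that the restore host has tar, sha256sum and mktemp. It restores one file into a scratch directory, checks the hash, times the restore, and separately reports whether the backup location is writable from the restoring host (the second-inject failure mode). The demo data it builds is constructed, not a real company file.

```shell
#!/bin/sh
# Added example for the backup-restore mini-test; not code from the original article.
# Assumptions: backups are plain tar archives, the known-good SHA-256 of each file
# was recorded at backup time, and the restore host has tar, sha256sum and mktemp.

# Restore exactly one file from the archive into a scratch directory (never over the
# production copy) and verify its SHA-256 against the value recorded at backup time.
# Returns 0 on a verified restore, 1 on any failure. Prints elapsed seconds.
restore_test() {
    archive=$1; relpath=$2; expected=$3
    start=$(date +%s)
    scratch=$(mktemp -d) || return 1
    if ! tar -xf "$archive" -C "$scratch" "$relpath" 2>/dev/null; then
        echo "restore FAILED: cannot extract $relpath from $archive" >&2
        rm -rf "$scratch"; return 1
    fi
    actual=$(sha256sum "$scratch/$relpath" | cut -d' ' -f1)
    rm -rf "$scratch"
    elapsed=$(( $(date +%s) - start ))
    if [ "$actual" != "$expected" ]; then
        # tar does not checksum file contents, so a corrupted or encrypted payload
        # extracts "successfully"; only the hash comparison catches it.
        echo "restore FAILED: hash mismatch for $relpath (${elapsed}s)" >&2
        return 1
    fi
    echo "restore OK: $relpath verified in ${elapsed}s"
}

# The second inject's lesson: if the backup location is writable from the host
# doing the restore, the malware that encrypted the share can encrypt the backups
# too. Returns 0 (a finding) when the location is writable, 1 when it is not.
check_backup_writable() {
    probe="$1/.restore-test-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        echo "WARNING: backup location $1 is writable from this host" >&2
        return 0
    fi
    return 1
}

# Constructed demo data (not real company files): one "finance" file, its archive,
# and the hash recorded at backup time. Prints the demo directory.
demo_setup() {
    demo=$(mktemp -d)
    mkdir -p "$demo/src/finance"
    printf 'Q1 payroll ledger\n' > "$demo/src/finance/ledger.csv"
    sha256sum "$demo/src/finance/ledger.csv" | cut -d' ' -f1 > "$demo/ledger.sha256"
    tar -cf "$demo/backup.tar" -C "$demo/src" finance/ledger.csv
    echo "$demo"
}

# Simulate a backup that was reachable and overwritten: clobber the file's data
# block (the tar header is the first 512 bytes; file content starts at offset 512).
demo_corrupt() {
    cp "$1/backup.tar" "$1/bad.tar"
    printf 'ENCRYPTED-BY-XYZ' | dd of="$1/bad.tar" bs=1 seek=512 conv=notrunc 2>/dev/null
}

# Full drill: a good restore must pass, a tampered one must fail. Returns 0 only
# when both behave as expected.
demo_run() {
    d=$(demo_setup) || return 1
    h=$(cat "$d/ledger.sha256")
    restore_test "$d/backup.tar" finance/ledger.csv "$h" || { rm -rf "$d"; return 1; }
    demo_corrupt "$d"
    if restore_test "$d/bad.tar" finance/ledger.csv "$h"; then
        echo "BUG: tampered archive passed verification" >&2
        rm -rf "$d"; return 1
    fi
    check_backup_writable "$d" || true
    rm -rf "$d"
    return 0
}

demo_run
```

In the drill, run restore_test against the real backup archive and a real recorded hash while the room watches the clock; the point is not the script but whether IT can produce the archive, the hash and a clean restore inside the fifteen-minute window.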
Cadence, Output and Follow-Through
A first tabletop should be followed by:
- A written two-page report within one week — scenario summary, observed gaps, owners, deadlines. No more than two pages; longer reports do not get read.
- A repeat exercise within six months — same scenario or a harder one, to measure whether the gaps from round one were actually closed.
- Board-level visibility — the CEO or General Manager should brief the board (or equivalent governance body) on the exercise result. Tabletops that stay inside IT do not drive budget.
The measurable outcome after two cycles is a shortened time-to-decision in the next drill, a tested backup restore, and a one-page incident-response plan that replaces the forgotten Word document. For most Algerian SMEs, that level of preparedness already covers the opportunistic phishing-and-RDP attacks that make up most of their threat model.
Frequently Asked Questions
How much does a ransomware tabletop exercise cost for an Algerian SME?
Running the exercise internally costs effectively nothing beyond the 90 minutes of staff time, if you use a freely available scenario template. Engaging an external facilitator — typically a local MSSP or a specialised consultant — costs roughly 800-2,500 USD for a half-day exercise including a written report. The ROI is measured in the gaps you find before an attacker does.
Should an SME pay the ransom if it gets attacked?
There is no universally correct answer, but the practical default is “no” — paying does not guarantee file recovery, does not prevent leak-site publication under double extortion, and may violate sanctions regimes depending on the threat actor. The decision should be made in advance by the leadership team, codified in a short written policy, and rehearsed in a tabletop exercise. Organisations that decide in the moment tend to decide badly.
How often should an Algerian SME run these exercises?
Once per year at minimum, twice per year for companies with customer-facing digital services, sensitive personal data, or regulated industry status (banks, healthcare, telcos, critical manufacturing). The second exercise each year should use a different scenario than the first — rotating between classic encryption, double extortion, and cloud-tenant compromise covers the realistic threat landscape.