Tabletop exercises: Where to start

Knowing how to deal with the fallout from a major cyber incident is just as important as knowing how to prepare for one.

In cyber security terms, a ‘tabletop exercise’ is a simulated attack designed to drill relevant incident response teams for handling the real thing. Any kind of cyber threat can be rehearsed, from data loss to ransomware attack.

The exercise is typically led by incident response and cyber security experts, who take the teams through the phases of response as the ‘attack’ unfolds. While the technical aspects of the response are critical, they shouldn’t be the sole focus. A well-facilitated exercise will force your teams to work together under pressure to consider how the business should respond from a multitude of viewpoints – from legal to operational, and from supply chain to reputational.

The teams and the facilitators then review what worked and what could be improved.

Dare to ask, “What if…?”

A real attack can take an average of just ten minutes to execute, but the fallout may last for months, if not years. Worthwhile tabletop exercises will therefore be well-thought-out and take some time to plan and execute. It will also involve stakeholders from across the organisation, not just Security Operations and IT teams.

For that reason, the exercises should address your organisation’s worst-case scenario, not day-to-day cyber security and data management issues. There is little point in running a tabletop exercise simply to assess, for example, how long it takes your IT help desk to deal with an email flagged to it as spam.

Before designing an exercise for our clients, we encourage them to think the unthinkable. A cyber risk assessment helps to focus the exercise on what the organisation needs to prioritise.

What would be the worst thing that could happen if the organisation was taken offline, or suffered a catastrophic data breach? 

Would it suffer damaging financial losses? Would it have to interrupt vital services to vulnerable clients and patients?

Could someone’s life conceivably be put at risk, as happened with the Police Service of Northern Ireland breach in 2023?

And who, beyond the obvious technical roles, will need to be involved?

Have the right people at the table

Go beyond your security teams to look at other roles and responsibilities. 

A coordinated response to a real attack depends on people from across the organisation being ready to play their parts.

This does not necessarily mean that they all need to attend the same exercises – in fact, too large a group could derail things. Consider running several exercises for different teams, but based on the same scenario. Incident response planning will not look the same for everyone, but knowing how and what to communicate will be a common theme:

• Managers in every team and department will need to know what they can share with their people.
• Legal may need to communicate with threat actors and/or regulators.
• HR will field anxious questions about whether sensitive information is in the hands of criminals.
• After a security breach, external-facing teams must be ready to have difficult conversations with suppliers and clients.

Training people to handle these interactions efficiently is just one way to improve your incident response preparedness.

Use an experienced facilitator 

With organisations new to tabletop exercises, we often find some initial scepticism about the value of “another workplace role play.”

But that is precisely what a tabletop exercise is not. The classic role playing exercise shows participants how they should handle a given situation, but in a tabletop exercise facilitators are looking at how the teams would handle a cyber incident.

The facilitators will assess the strengths and weaknesses in the response, which means they should do more observation than instruction. So that they know when to step in, have a discussion with them during the planning stages about how mature your cyber security plans are and the skill levels of your team members.

Using their real-world experience, external facilitators will also create realistic simulations for your teams to work with.

This can heighten the experience for participants, and get them to meaningfully engage with how they’d approach recovering from an attack. You can use the lessons learned to create an incident response plan.

Apart from presenting no risk at all to your organisation, the other great thing about tabletop exercises is that (unlike a real cyber attack) they can be scheduled to fit your calendar. If you’re interested in finding out more about what’s involved in tabletop exercises, the Cyber Advisory Practice team will be happy to help.