
Knowing how to deal with the fallout from a major cyber incident is just as important as knowing how to prepare for one.

In cyber security terms, a ‘tabletop exercise’ is a simulated attack designed to drill relevant incident response teams for handling the real thing. Any kind of cyber threat can be rehearsed, from data loss to ransomware attack.

Edward Starkie

Director, GRC | Cyber Risk

estarkie@thomasmurray.com

The exercise is typically led by incident response and cyber security experts, who take the teams through the phases of response as the incident unfolds. While the technical aspects of the response are critical, they shouldn’t be the sole focus. A well-facilitated exercise will force your teams to work together under pressure to consider how the business should respond from a multitude of viewpoints – from legal to operational, and from supply chain to reputational.

The teams and the facilitators then review what worked and what could be improved.

Dare to ask, “What if…?”

A real incident can manifest itself in a matter of minutes, but the fallout may last for months, if not years. A thoughtful tabletop exercise will therefore be expertly designed to stress-test your organisational responses to every aspect of managing an incident. It will draw in stakeholders from across the organisation, not just security, operations and IT teams, demonstrating how the realities of dealing with a cyber incident require support from across the business.

The exercises should address your organisation’s worst-case scenario, not day-to-day cyber security and data management issues. There is little point in running a tabletop exercise simply to assess, for example, how long it takes your IT help desk to deal with an email flagged to it as spam. Consider other elements too: the importance and value of independence (for example, an exercise run by your own SOC provider would have its limitations), encouraging challenge, and – most importantly – ensuring that the context of the business is understood, as is the focus of the exercise.

Before designing an exercise for our clients, we encourage them to think the unthinkable: 

What would be the worst thing that could happen if the organisation was taken offline, or suffered a catastrophic data breach? 

Would it suffer damaging financial losses? Would it have to interrupt vital services to vulnerable clients and patients?

Could someone’s life conceivably be put at risk, as happened with the Police Service of Northern Ireland breach in 2023?

And who, beyond the obvious technical roles, will need to be involved?

Have the right people at the table

Go beyond your security teams to look at other roles and responsibilities. 

A coordinated response to a real attack depends on people from across the organisation being ready to play their parts.

This does not necessarily mean that they all need to attend the same exercises – in fact, too large a group could derail things. Consider running several exercises for different teams but based on the same scenario and feeding their responses into each session. How will the finance team adapt if you’re unable to restore your finance system in time for the monthly payroll? 

Incident response planning will not look the same for everyone, but knowing how and what to communicate will be a common theme:

  • Managers in every team and department will need to know what they can share with their people.
  • Legal may need to communicate with threat actors and/or regulators and should have specialist support to do so. 
  • HR will field anxious questions about whether sensitive information is in the hands of criminals.
  • After a security breach, external-facing teams must be ready to have difficult conversations with suppliers and clients.

Training people to handle these interactions efficiently is just one way to improve your incident response preparedness.

Use an experienced facilitator 

With organisations new to tabletop exercises, we often find some initial scepticism about the value of “another workplace role play.”

But that is precisely what a well-executed tabletop exercise is not. The classic role-playing exercise shows participants how they should handle a given situation. But in a tabletop exercise participants are given space to explore their own response in a controlled environment. 

The facilitators will assess the strengths and weaknesses in the response, which means they should do more observing than instructing. So that they know when to step in, discuss with them during the planning stages how mature your cyber security plans are and what skill levels your team members have. They should also be able to challenge any assumptions held by those attending and provide an environment that allows individuals to air concerns.

Using their real-world experience, external facilitators will also create realistic simulations for your teams to work with. These should be crafted to present a realistic scenario with clear implications for the organisation.

This heightens the experience for participants and gets them to engage meaningfully with how they’d approach recovering from an incident. An experienced facilitator can then identify actionable improvements to make to your incident response plan.

Apart from presenting no risk at all to your organisation, the other great thing about tabletop exercises is that (unlike a real cyber incident) they can be scheduled to fit your calendar.  

If you’re interested in finding out more about what’s involved in tabletop exercises, the Cyber Risk team will be happy to help. 

Cyber Risk


We bring the best of our collective experience, energy and creative power to fiercely safeguard our clients and fortify their communities.
