So You Have a Cyber Incident Response Plan, Now What?

Seven Best Practices for Conducting Cyber Security Tabletop Exercises

Tabletop Exercises Explained

Cyberattacks have quickly become a significant threat for organizations of all sizes and sectors. As a result, many organizations have developed cyber incident response plans as a means of identifying effective protocols to take in the event of an attack—thus minimizing potential damages. However, simply having such a plan in place isn’t enough to protect your organization. After all, it’s important to routinely evaluate this plan to discover any shortcomings and make necessary improvements.

Fortunately, that’s where tabletop exercises can help. Put simply, a tabletop exercise is an activity that allows your organization to simulate a realistic cyberattack scenario to test your cyber incident response plan’s efficiency. In other words, this exercise serves as a cyberattack drill, giving participants (typically the members of your incident response team) the opportunity to practice responding to an attack. Conducting tabletop exercises is a valuable way to assess the overall reliability of your organization’s cyber incident response plan, as well as ensure the plan will run smoothly in the midst of an actual attack.

Review this guidance to learn more about the benefits of tabletop exercises and how your organization can successfully carry out such an activity.

Benefits of Tabletop Exercises

Tabletop exercises can offer a wide range of advantages to your organization, including the following:

  • Decreased response plan deficiencies—Because tabletop exercises allow you to test your organization’s cyber incident response plan through varying attack scenarios, such exercises will enable you to more easily identify what’s working and what’s not. That being said, these exercises will either validate the effectiveness of your plan, or highlight areas that need improvement. From there, you will be able to make any necessary changes to the plan—whether that entails updated security software, additional incident response team training or an adjustment in team members’ responsibilities.
  • Bolstered cybersecurity awareness—By running through relevant cyberattack scenarios, tabletop exercises will provide your incident response team with have a deeper understanding of the latest cyber threats and how to appropriately respond to a variety of different attack methods.
  • Elevated cyberattack preparedness—Lastly, tabletop exercises will promote increased cyberattack preparedness within your organization be ensuring each member of the incident response team is familiar with the cyber incident response plan and fully capable of upholding their designated roles. What’s more, rehearsing realistic cyberattack scenarios will help boost incident response team members’ overall confidence in handling an attack—allowing them to remain calm and collected in the event that a legitimate incident arises.

Best Practices for Conducting Tabletop Exercises

Consider these steps in order to execute a successful tabletop exercise:

  1. Establish objectives. First and foremost, it’s important to determine what you want to accomplish from the tabletop exercise. Keep in mind that exercise objectives should be specific, measurable, attainable, relevant and time-bound. As such, be sure to decide which elements of your cyber incident response plan you want to test through the exercise, how you plan to evaluate these elements and the amount of time that you want to dedicate to the exercise as a whole.
  2. Develop an appropriate scenario. Leverage industry knowledge and government resources to create a realistic cyberattack scenario for your organization. This scenario should describe a specific type of cyberattack (e.g., phishing, ransomware or denial-of-service) and be designed in a way that permits participants to reasonably achieve the exercise objectives.
  3. Include the entire incident response team. Enlist all members of your organization’s incident response team to participate in the tabletop exercise. Members of your incident response team should include experienced employees from various departments—including HR professionals, legal experts, IT leaders and communication specialists.
  4. Explain expectations clearly. Provide participants with detailed, written information on the tabletop exercise before it begins. Specifically, this information should explain the format of the exercise and expectations regarding participation. For example, the exercise could consist of an open discussion, in which participants simply talk through measures they would implement to resolve the proposed cyberattack. On the other hand, the exercise could require participants to physically act out steps they would take within the attack scenario.
  5. Select an effective facilitator. In addition to offering written resources, make sure to choose a trusted and competent employee to be the facilitator of the tabletop exercise. This employee will act as a guide throughout the exercise by introducing the cyberattack scenario, reinforcing exercise expectations and promoting proper participation.
  6. Document the exercises. Be sure to adequately document the tabletop exercise by either recording it or having the facilitator take notes throughout the activity. Consider asking participants to provide written feedback on the exercise as well to supplement this documentation.
  7. Evaluate the results. Utilize exercise documentation and participants’ feedback to evaluate whether the activity objectives were met. In particular, determine whether your organization’s existing cyber incident response plan provided participants with the guidance and resources needed to handle the cyberattack scenario. If not, make necessary modifications to the plan with your incident response team to eliminate any gaps.
  8. Maintain a routine. Going forward, make sure to execute tabletop exercises on a routine schedule. Generally speaking, it’s best to conduct these exercises quarterly.

For more risk management guidance, contact us today.