26 October 2023

7 min read

Good preparation means practice: the importance of cyber incident tabletop exercises

Cyber security
Cyber tabletop exercise to build organisational resilience to cyber attacks

In this article, packed with tips and advice, S-RM cyber expert Olly Burnand discusses the importance of running tabletop exercises as a key part of building organisational resilience to cyber attacks.

If your organisation was hit by a major cyber attack tomorrow, how much confidence would you have in the people, processes, and technology you have in place to respond to it? Do you trust that the incident would be detected quickly, contained immediately, analysed correctly and completely, and escalated to the appropriate level of authority? Would you be confident that the threat had been eradicated, once any malware had been removed, any compromised user accounts had been reset or deactivated, any vulnerable systems had been patched, and any compromised systems had been restored or rebuilt? Would you inform everybody that needed to know, or that you were legally obliged to tell, both internally and externally? Would you strike the right balance between remaining honest and transparent, whilst keeping what must be kept confidential secret?

When discovered, major cyber incidents pose too many challenges to think about at once. Some of our clients are overwhelmed by these challenges, but some respond with composure and efficiency: they are quick to pose pragmatic solutions to problems, they know who is responsible for each important response task, they know how serious an incident is based upon the information currently available to them, and therefore know when to escalate to the level of authority above them, and who it should be escalated to. They are aware of their obligations to regulators, customers, employees, and shareholders, and follow structured, pre-prepared communication plans to meet these obligations. They organise their responses into phases, establish clear reporting channels, and embed lessons learned from previous incidents into their incident response function in order to continuously improve.

But developing this level of maturity is no easy task, and it doesn't happen overnight. It requires practice, by responding to simulated but realistic, serious cyber attacks. Practising your response to cyber incidents in a consequence-free environment is a great way to develop the skills, knowledge, and documentation necessary to successfully handle real incidents, and we help our clients to do this by preparing, designing, and facilitating cyber incident tabletop exercises for them. 


Here are the top areas to know about tabletop exercising: 


1. What is meant by cyber tabletop exercising?

A tabletop exercise is a group workshop in which response teams gather to rehearse or test their response to a serious cyber incident. Participants are presented with information injects at pre-planned intervals throughout the workshop, simulating a hypothetical, evolving worst case scenario cyber attack, and facilitators guide the participants through the exercise phases. Well designed exercises challenge participants to consider the full range of problems that an organisation faces during a cyber attack, from notifying regulators and third parties to managing media scrutiny, and should simulate a real attack as much as practically possible. After the exercise, participants should analyse and discuss what went well, and identify room for improvement to further develop their cyber incident preparedness.


2. Who should take part in the exercise?

Responding to a complex cyber incident requires input and skills from a variety of teams at multiple levels of authority:

  • Security Operations and IT, for example, are responsible for detecting, triaging, escalating, containing, and recovering from cyber attacks. They are the first line of defence, so to speak, and their actions during the critical first minutes of compromise are directly correlated to the final impact of the breach.
  • Mid-to-Senior Management are tasked with deciding to shut down systems, informing appropriate internal and external parties, ensuring autonomous teams work together, and deciding when to escalate the incident as a crisis. They are informed of cyber incidents by the time that they are already serious, and must act quickly to minimise the impact that they have, and recover as quickly as possible.
  • The Executive Committee is responsible for public messaging, internal communications, reporting to regulatory bodies, providing or seeking professional legal input, and potentially communicating with a threat actor. These domains require cool heads, which is only possible when the members are experienced - through either handling real events or rehearsal.

While it is possible to exercise all three groups at once, it is best practice to test them separately, as exercises with too many participants quickly become disorganised and fragmented, making it difficult to encourage focused and productive discussion.


3. When should we carry out a tabletop exercise?


Incident response tabletop exercises should be carried out at minimum once per year for the following reasons:

  • They are compliance requirements for the ISO 27001:2022, SOC2, PCI DSS, and HIPAA compliance standards. Even if you are not yet compliant with them, exercising now will simplify the process down the line if you are considering certification.
  • Information Security teams change frequently, with people joining, adopting new positions, and leaving regularly. Last year's tabletop exercise may well have tested a very different incident response team to the one you have in place now.
  • Developing a strong incident response function is hard. Regular practice is needed to develop the 'muscle-memory' characteristic of the mature teams described at the beginning of this article.


On top of this, there are specific events that should trigger the need to run a tabletop exercise:

  • Your organisation has recently acquired, or merged with, a separate organisation. Integrating separate incident response teams is challenging, but essential for avoiding poor crisis response. Exercises are an excellent way to introduce autonomous teams, and begin the process of rationalising documentation, technology, and processes, to create a single incident response function.
  • You have recently experienced a cyber incident during which your incident response team was overwhelmed. If you have recently suffered a high-impact breach, or experienced a ‘near-miss’ that could have had a significant and lasting impact, you should consider responding to the same incident in a hypothetical setting.
  • You have noticed that your incident response team members are not clear on their roles and responsibilities. Documenting roles and responsibilities in an incident response plan is not enough - stakeholders need to act out their roles to fully understand what would be expected of them during a real cyber incident.

4. What should the exercise include? 

Serious cyber incidents are the result of failing to protect the confidentiality, integrity, or availability of important data and IT systems, and how this would materialise for you is unique to your organisation.

  • For one organisation, the loss of its intellectual property promising advantage over competitors could have a negative impact on financial performance for multiple years.
  • For another, the exposure of its customers' sensitive personal data might damage its reputation beyond repair.
  • And for another, a ransomware attack bringing all operations to a halt for 2 weeks might run the company out of business.

Understanding what a crisis-level cyber incident looks like for your organisation takes time, but is a critical factor in successful exercising. Begin with the three following questions:

  • What are you most worried about, in terms of data and IT systems, and why?
  • If this data or IT system was compromised - what would happen, how would you find out about it, and who would this impact?
  • Who would need to know about this?

From these questions, you have your exercise narrative and list of participants, and you can get to work designing and building the materials.

5. Any final tips?

Getting the most from your investment in tabletop exercising is important. Here are a few tips to keep in mind when you are working with your provider.

  • Make sure participants are clear on the objectives of the exercise: be clear on what you want to test during the exercise. This might be rehearsing escalation procedures, preparing communications strategies, or reaching a consensus on ransom demand payment decisions. Whatever these objectives are, define them carefully and share them with participants prior to the exercise date.
  • Spend time ensuring the incident underpinning the exercise is realistic: it is vital that participants believe the incident unfolding during the exercise is a plausible scenario, else they may not give the exercise sufficient focus and attention. Taking time to discuss the incident narrative with security operations and business continuity stakeholders, as well as relevant system and data owners, prior to the exercise is vital for ensuring its success. Be wary also of complacency when presuming that a particular incident would not be possible - threat actors are continuously innovating and catching even secure organisations by surprise.
  • Put effort into making the exercise injects look realistic: the information presented to participants during the exercise should reflect a real incident as much as practically possible. Use email templates, voice and video recordings, role players, and newspaper headlines to capture participant attention and maintain immersion throughout the exercise.
  • Ensure facilitators aren’t too active or too passive: the effectiveness of a tabletop exercise depends on facilitators finding the right balance between learning and testing. Facilitators should understand the participants' experience in cyber incident response, and adjust their approach accordingly. When participants are new to exercising or more broadly to incident response, a more active facilitation style is needed, with facilitators leading the discussions. If participants have experience in exercising or incident response, facilitators should play a more passive role, intervening only when required.


If you’d like to hear more about our cyber incident tabletop exercise offering, we’d welcome the opportunity to discuss it further with you. Contact an S-RM expert.


Subscribe to our insights

Get industry news and expert insights straight to your inbox.