Security Scorecard

What are Tabletop Exercises? How They Can Improve Your Cyber Posture

Posted on September 12th, 2022

According to the latest IBM Cost of a Data Breach Report, the average breach costs $4.35M per incident, climbing by 12.7% from 3.86 million USD in IBM’s 2020 report. This does not account for lost business opportunities and lingering reputational damage.

A cybersecurity tabletop exercise can substantially reduce this cost by ensuring the organization has a well-thought-out incident response plan and by exercising its business continuity plans effectively.

What is a tabletop exercise?

Tabletop exercises are informal, discussion-based exercises designed to help organizations identify gaps in their current incident response program. They simulate a cyber event or incident and stress-test an organization’s response policy, plan, and procedures to assess effectiveness within an organization’s business units.

The key objectives of a tabletop exercise

While the objectives for conducting a tabletop exercise vary, here are some that apply to many organizations:

  • Evaluate current cybersecurity protocols and procedures: Are there any? Do you have a plan on how to handle a cyber incident?

  • Identify gaps: Where is there room for improvement with current processes?

  • Understand roles and responsibilities: Each staff member should have a clear set of tasks and goals in the incident-handling timeline.

  • Test internal and external communication and escalation processes: Cyber incidents often require communication with other organizations, which may include law enforcement, media, public relations, investors, partners, customers, legal firms, and insurance providers.

  • Educate participants on emerging threats and trends: the cybersecurity landscape is constantly evolving. Tabletop exercises can help technical responders and senior leaders understand how scenarios could develop and the ways they could impact their business.

Stakeholders involved

The following personnel may participate in tabletop exercises:

  • C-suite and senior executives - A business's leadership needs to understand how cybersecurity incidents and data breaches may play out, as well as the legal responsibilities of the business and the decisions expected of leaders in the event of an incident. Tabletop exercises offer a way to educate senior executives in an interactive and engaging way.

  • Technical responders - Tabletop exercises can help technical teams quickly understand the tactics, techniques, and procedures they have available to respond to an incident, and identify gaps and areas in which process improvements and technology investment are needed. SecurityScorecard can design and facilitate bespoke tabletop exercises in as little as three weeks, helping businesses anticipate and plan for emerging threats and trends.

  • Personnel with roles assigned in the business’s incident response plan - A business incident response plan will typically assign roles to a broad range of teams and personnel, including legal, HR, marketing, finance, and risk and compliance. Drawing together this group of stakeholders allows a business to comprehensively test its plans and processes.

How does a tabletop exercise work?

Tabletop exercises include the following staff:

  • Facilitators control the flow and pace of the exercise, stimulate discussion, and draw out answers and solutions from the group

  • Participants engage in the conversation and must be open to challenging others in a cordial manner

  • Optionally, there may be observers who will participate in the discussion when necessary

Facilitators and staff meet at a set time to discuss a specific scenario. The scenarios are relevant to the organization’s threat profile, allowing them to accurately test their security posture and rehearse incident response programs based on a realistic threat.

The length of the exercise largely depends on the audience, size of the company, and the sophistication of the incidents being exercised. Some discussions can easily last up to 4 hours, but it’s generally best to keep them to 1-2 hours on a quarterly basis to maximize time and cost-effectiveness.

Tabletop exercise examples

Typical Tabletop Exercise Scenarios may include:

  • Stolen or Compromised Credentials

  • Successful Threat Actor Phishing Campaigns

  • Cloud Misconfigurations

  • Business Email Compromise

  • Ransomware Containment

  • Insider Threat

  • SaaS Provider Data Breach

  • Social Media Compromise

  • GDPR Data Breach

  • Fraud Activity

Let’s look at an example scenario that could be used for a tabletop exercise:

Your organization is contacted by ransomware operators who have seized and encrypted sensitive data. They are demanding a $1 million ransom, paid in Bitcoin, in exchange for the data not being publicly released or deleted.

In this scenario, the main priority would be to secure the organization's other assets to prevent further damage. Exercise participants would discuss current policies and procedures, activate the company’s incident response plan, and apply additional security controls that may prevent further escalation.

What needs to be done to ensure all other data is safe? Have you exercised your portion of the incident response plan, and are you ready to contact the legal firm or partner that provides your incident response services?

Another factor to consider, among others, would be communication with external parties such as law enforcement or other government agencies. Who is responsible for maintaining that communication?

Is a tabletop exercise appropriate for your organization?

Rehearsing for a cybersecurity incident is preparation that pays off in the long run. In an incident response tabletop exercise, realistic scenarios help security teams and business leaders uncover gaps in their incident response plan and test the team’s ability to respond effectively and efficiently to an incident such as a ransomware attack, significantly improving the response when an actual attack occurs.

Tabletop exercises are best for organizations that already have an incident response plan in place; the exercise helps them build on what they already have. Improvising during an exercise without a rehearsed plan could impact business continuity, cause reputational damage with customers, and lead to monetary losses.

Another key factor is institutional buy-in. A tabletop exercise should result in an outcome, which may include changes in current plans and policies. This requires approval and buy-in from stakeholders throughout an organization and starts with leadership.

How SecurityScorecard can help

Our highly trained and engaging consultants bring your tabletop exercise to life, inspiring your team to work through real-world incidents while exercising your incident response program. We currently offer the following exercise types:

  • Executive-level exercises - aimed at C-suite leaders

  • Technical stress tests - aimed at technical responders

  • Incident response plan exercises - aimed at technical responders, IT personnel, and anyone else with a designated role in an organization's incident response plan, such as legal, human resources, and public affairs

Afterward, SecurityScorecard consultants share industry best practices and stories from real-world incidents.

Our team will start by reviewing your business’s incident response plan and processes, and interviewing key personnel to understand your environment and the key risks and threats you are managing. We will then develop a bespoke scenario for your business, which reflects the specific nature of your organization. Exercises are structured to meet your objectives using simulated scenarios that have the potential to impact your company. You’ll walk away with identified gaps and recommendations on how to improve and bolster your cyber readiness.

For more information, speak with a member of SecurityScorecard’s Professional Services team today.
