Cybersecurity tabletop exercises are a planning technique designed to evaluate an organization’s incident response plan. Tabletop exercises engage Incident Response Team members and help them manage their response to a hypothetical security incident and identify plan weaknesses to improve the team’s capabilities to respond to real security events.
Essentially, a cybersecurity tabletop exercise is a “What If?” scenario that allows an organization to safely simulate real-world security threats.
Amazingly, only 26% of organizations use an enterprise-wide cybersecurity incident response plan (Cyber Resilient Organization Report 2020, IBM Security). That’s startling, because incident response preparedness is the highest cost saver for businesses that experience a data breach. The average total cost of a breach for organizations with an IR team that tested its plan with tabletop exercises was $3.29 million, compared to $5.29 million for companies with neither an IR team nor tests of the IR plan, a difference of $2 million (Cost of a Data Breach 2020, IBM Security).
In any business, having a tried-and-tested plan is valuable. In cybersecurity, having a tried-and-tested incident response plan could save your business $2 million!
If your organization has an incident response plan in place, a tabletop exercise can validate the plan, or identify opportunities for improvement. However, if your organization does not have an IR plan, one will need to be created before a tabletop exercise can be executed.
What can an organization learn during a cybersecurity tabletop exercise?
During a tabletop exercise, all participants are encouraged to actively respond to the scenario as if it were real, and to interact with the other functional areas that would also be impacted by a security incident. Afterwards, they review the actions taken and discuss how events could have been handled better.
Major learnings include:
- An increased understanding and awareness of existing threats
- Identification of gaps in the IR plan (technical, logistical, planning)
- Clarification of emergency roles and responsibilities
- Capability assessment (people, process, technology)
- Feedback to improve the response and / or the IR plan
- Runbook creation to speed up the incident response process
What sorts of threats can be simulated in a cybersecurity tabletop exercise?
Any security threat that exists can be simulated in a tabletop exercise. Common simulations include:
- Business email compromise (BEC)
- Email account compromise (EAC)
- Insider threat
- Cloud compromise
- Cloud misconfiguration
- Distributed denial of service (DDoS)
- Unauthorized computer on the network
- Malicious external scanning
- Malicious internal scanning
- Email phishing attack
What is a realistic timeline for a cybersecurity tabletop exercise?
Just because a tabletop exercise is a simulation doesn’t mean that it is simple to plan or easy to execute.
A tabletop exercise could take a few weeks to plan, but if the company running the exercise has it down to a science, it could be mapped out in a day. The planning includes creating a custom security breach scenario; a story is then built around it to frame the hypothetical incident and simulate the chaos that accompanies genuine security breaches. The most difficult part of planning a tabletop exercise is coordinating it around the participants' schedules!
The actual tabletop exercise, if exceptionally well-planned by an expert, can be executed in under 4 hours, but can last multiple days, depending on the complexity of the scenario and organization.
Finally, an After Action Report documents correct and correctible actions taken during the exercise and provides recommendations for improvement. The AAR is typically delivered one to two weeks after a tabletop exercise.
It is worth noting that when it comes to tabletop exercises, they are best taught by people and companies that live and breathe cybersecurity every day.
What are the advantages to cybersecurity tabletop exercises?
- Low stress environment
- Low cost way to evaluate emergency plans, responses, and roles
- Facilitated discussion of problem areas
- Encourages cross-functional collaboration and communication
- Allows for remote participation
What are the disadvantages to cybersecurity tabletop exercises?
- Lacks realism and the chaos of the “fog of war”
- Not always an accurate test of operational capability
- Could create the misperception that emergency planning and response is simple and straightforward
- Requires thorough documentation, pre- and post-exercise
Having a cybersecurity incident response plan is extremely important for any organization that manages or uses data. Equally as important is periodically testing the plan with tabletop exercises so that when faced with an actual security incident, an organization can respond with carefully practiced reactions rather than making panicked decisions on the fly. A strong incident response plan can help an organization better mitigate cyber risk and minimize potential damage.
MCPc is a global data protection company that helps organizations dramatically minimize their risk of disruption from unforeseen events like cyber-attacks. We can help you create an incident response plan or provide tabletop exercises to test your existing plan. Our goal is to help every client achieve the highest degree of security and the least amount of risk their organization can afford, or what we call SecurityCertainty℠.