How Cybersecurity Tabletop Exercises Can Help Your Business’ Cybersecurity Preparedness

October 30, 2023

If your business was to experience a cyber incident today, are you confident that you have the tools and training to respond appropriately? If you have an incident response plan, are you certain that it will function seamlessly? Alternatively, if your organization lacks such a plan, do you know where to initiate the process? If you answered “no” to any of these questions (and even if you answered “yes”) you should strongly consider reviewing or developing an incident response plan and testing it through a tabletop exercise.

Tabletop exercises involve taking participants through the process of assessing and responding to a simulated incident in order to provide hands-on training and testing of the effectiveness of an incident response plan. More broadly, tabletop exercises serve as valuable tools for businesses to conduct planning exercises on a wide variety of threat scenarios. They validate the contents of cybersecurity risk management plans, contingency plans, and incident response plans while also highlighting vulnerabilities or gaps in the same. Here are a few considerations in selecting and proceeding with a tabletop exercise.

  1. Selecting the Proper Type of Tabletop Exercise

When considering a tabletop exercise, you should make sure that the type of exercise aligns with your industry and the current threat landscape for your business. For example, there is no benefit for a manufacturing company to conduct a tabletop exercise designed around threats relevant to a K-12 school system. Tabletop exercises can simulate various cybersecurity events, such as ransomware attacks, malware incidents, insider threats, supply chain disruptions, and even physical threats. Depending on your industry, you may be able to use one or more of the cybersecurity scenarios provided by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Alternatively, many security companies specialize in designing and facilitating tabletop exercises for more specialized industries or scenarios.

  2. Identify the Relevant Stakeholders

The specific internal stakeholders that need to be present at a tabletop exercise will depend on the type and size of your organization. For example, you may want to run an exercise with a dedicated incident response team within your company. Alternatively, it may be appropriate to include some or all of your IT department, top management, department managers, and/or key employees. In some instances, it may be beneficial to have your entire organization involved in the tabletop exercise. At a minimum, you should have at least one person representing IT, customer support, managers, executives, and your legal department.

  3. Running a Successful Tabletop Exercise

Each tabletop exercise will be run by a facilitator. Prior to the exercise itself, you should meet with the facilitator to identify the goal(s) of the exercise and to make sure the facilitator is familiar with the levels of management and the scope of employee involvement that will be present during your exercise. This is important because the facilitator develops or modifies the exercise to suit the specific level of management and the appropriate technical personnel, and to account for all others who will be involved in incident response decisions. You should also make sure that you and the facilitator are on the same page regarding any deliverables to be received after the exercise.

The exercise generally begins with a brief overview of its scope and objectives, followed by a discussion. All outcomes and insights are documented in an after-action report, containing observations and recommendations to improve the organization’s cybersecurity preparedness. Tabletop exercises play a vital role in clarifying roles and responsibilities, and so it is important that participants engage in conversations, discuss alternatives, and challenge co-workers during the exercise. Each team or stakeholder should be able to answer specific questions tailored to their responsibilities after a tabletop exercise.

  4. Post-Exercise Review

After the exercise, you will receive deliverables that document the type of scenario, the discussion that ensued, and how well your team/stakeholders responded. The deliverables should include the outcome, lessons learned, and summary of feedback (including positive observations and areas for improvement) relating to your company’s readiness to handle an incident. Once reviewed, action items are assigned to specific personnel to incorporate this feedback and update the incident response plan. As needed, your organization can conduct additional exercises to test the updated plans and procedures.

  5. Overall Goals of a Tabletop Exercise

A tabletop exercise should empower your business to make changes that increase security preparedness and resilience. You should be able to document your existing process or add improvements to your incident response plan that are directly relevant to the tabletop scenario(s). You should also be able to improve the speed and effectiveness of post-incident internal reporting, including automatic alerts, incident updates, and/or generating incident documentation required for insurance. Similarly, you should have the tools to clarify and identify the legally compliant process for reporting incidents to external parties, such as customers, federal agencies, or state attorneys general.

Sarah M.D. Luth is an Intellectual Property Attorney in the MVS Biotechnology & Chemical Practice Group. She is also Co-Chair of the MVS Data Privacy and Cybersecurity Practice Group. To learn more, visit our MVS website.
