With cybersecurity attacks and costly data breaches on the rise, and a wide range of industries being targeted, companies of all sizes should be preparing for the worst. Just as we prepare for a natural disaster, companies should prepare for a cybersecurity disaster, and in both instances, proper planning, preparation, and practicing potential scenarios are key.
When it comes to cybersecurity, tabletop exercises are a powerful tool to help your organization perform better during real-world cybersecurity attacks. A tabletop exercise can be defined as an activity in which key personnel gather to discuss a simulated crisis situation and their potential response. It is important to understand that a tabletop exercise is not an active simulation, exercise, or drill; it’s an exercise that aids preparation.
As you prepare to tackle your first exercise, consider these 6 questions to ask before you begin your tabletop exercise:
Question 1: What are my Exercise Goals?
The goal of a tabletop exercise is not to produce a comprehensive cybersecurity attack incident response plan. Instead, it should be a planning activity where you discuss and identify deficiencies, along with corresponding corrective actions, that lead to a comprehensive plan. The most common goals we see in practice today are:
- To achieve compliance with a regulation, policy, or standard
- To validate the effectiveness of cybersecurity attack incident response plans
- To evaluate the need for external cyber support resources
- To enhance cybersecurity attack awareness and readiness
Question 2: What is the context of the Cybersecurity Attack?
Before beginning, you’ll need to create a fictional scenario for your team to use as the basis of discussion. Scenarios can be taken from news headlines or created for your specific business needs. Above all, we recommend they be realistic, relevant, and engaging, as well as applicable to your business model.
Question 3: Who are the Exercise Participants?
To ensure a successful tabletop exercise to prepare you for cybersecurity attacks, it’s important to designate key roles:
- The Facilitator: This person leads and guides participants through the exercise. This person can “make or break” the exercise, so choose carefully. Ideally, he or she will have some experience with cybersecurity attack response.
- The Players: Those who will go through the exercise, offering their thoughts and input on how the organization would respond to the cybersecurity attack in this scenario. The participants should be pulled from various departments across the organization.
- The Observers: Those whose primary function will be to take detailed notes of the exercise.
Question 4: Where will the cybersecurity attack exercise take place?
Depending on the size of the group, we suggest scheduling at least 90 minutes and no more than 4 hours for the session, and participants should be invited three weeks in advance. Other factors to consider:
- Do you have a comfortable location and proper room size?
- Will you be serving food and beverages?
- Do you have the equipment you will need such as dry erase boards, microphones, projectors, teleconference/web meeting technology, etc.?
Question 5: How will I conduct the cybersecurity exercise?
We recommend the Facilitator use a PowerPoint presentation to walk the Players through the exercise while following the recommended session flow:
- The Facilitator presents the scenario.
- The Facilitator walks the Players through the exercise, asking questions to facilitate a discussion, drilling down into certain areas of responses when applicable.
- After the discussion, the Facilitator will summarize and re-state the events that have occurred thus far in the fictional cybersecurity attack.
- Once the discussion has been restated (checkpoint one), the Facilitator should introduce a scenario injection or poke holes in the initial approach. This is designed to simulate the unforeseen occurrences that invariably occur during a real-world incident response.
- It’s good to then have a second checkpoint where the findings from the meeting are restated before moving on to the debriefing to ensure all points have been made.
Question 6: How should I Debrief & Report back?
The initial debriefing should be done verbally with all participants before the exercise is concluded. This is the ideal opportunity to get feedback from the participants while the information is fresh in their minds. During the debriefing, ask three simple questions:
- “What worked well?”
- “What did not work well?”
- “Which areas require improvement?”
The result of the debrief will serve as the basis of the findings, observations, and recommendations for the written report. The final cybersecurity attack report should be distributed to the appropriate stakeholders, ensuring that someone is accountable for tracking the corrective actions that will help your organization be prepared.
The Outcome: An Incident Response Plan
The findings of your tabletop exercise should lead to an incident response plan which will detail how a cybersecurity attack should be handled. While the contents may vary from organization to organization, most consist of standard operating procedures, processes, and communication plans. The benefit of working with an incident response service provider is knowing what is best to include in the plan.