Cybersecurity Tabletop Exercises for Leadership Teams

Article Incident Response
Tabletop Exercises


Over the past few years, ransomware attacks have evolved from disorganized groups and individuals to highly sophisticated and targeted operations. One of the first headlines that caught my eye this year read, “Ransomware in 2022: We’re All Screwed”. While maybe not the most optimistic approach, after Log4j, WannaCry, NotPetya, and the recent attacks on Kaseya, Kronos, and the Colonial Pipeline, it does seem things will get worse before they get better. According to a recent Trend Micro report, 84% of US organizations experienced either a phishing or ransomware attack in the last year, with the average ransomware payment over $500,000.

This year security experts predict a continued increase in the severity and volume of ransomware attacks. Whether you are a small organization or a large enterprise, at some point you will be targeted by a ransomware attack that will try to compromise your systems and encrypt your critical data.

Is your organization prepared?

One of the best ways to demonstrate how ready (or not ready) your teams are to respond to and handle a potential attack is through a tabletop exercise or breach simulation. A tabletop exercise is designed to test an organization’s incident response plan (IRP) and identify strengths and weaknesses, as well as promote proactive response efforts within your organization.

Organizations can greatly minimize the impact of a data breach by regularly conducting exercises. IBM’s Cost of a Data Breach Report 2021 revealed that breaches at organizations with incident response teams and incident response plan testing cost an average of $3.25 million compared to a cost of $5.71 million for organizations with no incident response capabilities.

Unfortunately, exercises aren’t planned nearly as often as they should be. Many organizations may be unsure how to start the process, have trouble gaining executive support for an exercise, or just struggle to obtain resources to get an exercise on the calendar. Below are some of the most common barriers organizations face when planning an incident response tabletop exercise:

1.) Confusion on where to start/who to include:

If this is an organization’s first exercise, the team may not be confident in their ability to coordinate and successfully perform the event. Who should be involved? What type of incident should be practiced? How is the exercise facilitated? Organizations may want to consider bringing in a qualified third-party to facilitate the exercise. It can also be helpful to plan a phased approach where you build off of a particular scenario and expand to additional teams as you move from one exercise to the next.

You can get your feet wet by starting with a limited scope and involving only your technical/operational team. In this phase one exercise you are primarily testing the continuity of services from an infrastructure perspective. Plan a concise scenario in which one system on campus is compromised. How would the IT team approach this event? How soon would the threat be detected? What is their initial response? How would they go about bringing the system back up? Does the plan outline the steps for keeping an incident log? Are there documented timeframes for acceptable downtime based on the priority or tier of the system(s)? Keep the incident simple so it does not get too complicated and expand out to other areas that are not involved in this initial phase. Following this exercise, you will have a better idea of how the overall process flows, and you can utilize lessons learned to clean up your incident response plan before involving other groups outside of IT.

Now that the initial response team is more comfortable, you can increase the scope of the incident a bit to include more of the tactical response efforts in phase two. In this exercise, you will include other departments, like communications, that might be impacted in a real-time breach, so they begin to understand their role in the response effort. This can be a great way to jumpstart conversations across the organization and connect departments that may typically be siloed. The participating teams and staff can strengthen relationships with other stakeholders and build a contact list they can refer to in future situations.

Phase three should include executive leadership and demonstrate how in a real-world incident or breach, a compromise can rapidly spread across multiple departments and systems. Leadership needs to understand their role in planning for the necessary communications, notifications to compromised users, necessary relationships with third-parties (i.e. law enforcement, FBI, cyber insurance, forensics teams, state attorney general, etc.). Leadership needs to also understand the possible business impact a ransomware attack can have if it takes down the campus network for one or multiple days. Staff may no longer have the ability to teach either in-person or remote classes, HR could be unable issue employee paychecks, campus safety may be without security cameras, etc.

From a leadership perspective, a tabletop exercise can help define roles and identify single points of failure or any missing links in the chain of command. The walk through of the IRP will also help determine who can make decisions, how decisions can be made when speed is of the essence, the potential impacts of certain decisions (i.e. paying a ransom), etc. The lessons learned from the exercise can also help teams prioritize security initiatives and determine if additional funding is needed to protect identified high value/targeted data or systems.

2.) Budget

This is a valid reason as budgets can be limited, but the cost to plan and execute a “fake” incident is always going to be significantly less than the cost of a real data breach. As mentioned above, the average cost of a data breach drops almost $2.5 million when organizations have incident response teams and are regularly testing their response plans.

3.) Lack of Buy-in

Executive Leadership may be hesitant to book time on their busy calendars if they don’t believe their participation is necessary. They may also not approve a time-consuming exercise (half-day or full-day) for their staff if the relevance has not been appropriately conveyed.

Cyber incidents are arguably the largest threat to organizations today. A lack of preparedness can be an institution’s biggest liability, which makes testing your incident response efforts critical to your bottom line. Communicate the importance of a cybersecurity tabletop exercise and reinforce the need for leadership’s support, as well as their participation. The more you can tie the response team’s goals and activities to real, measurable risk reduction, the more likely they will be to stay engaged.

4.) Remote Staff

Don’t let the comment, “We’ll plan something when everyone is back in the office,” be an excuse for delaying the exercise. Many organizations have shifted teams permanently to remote positions or now allow a hybrid work environment. It is important to recognize that if the team or part of the team is working remotely, there should be capabilities for responding to a breach or incident from those same remote locations and the organization should be testing that staff can still communicate across various environments. Plan the exercise with team members calling in from their remote environments to verify the response plan flows effectively with some team members on campus and some located off campus, and update the plan accordingly as you identify changes that may need to be made in VPN access, call lists, meeting and incident tracking tools, etc.

A tabletop exercise can be conducted easily via Zoom or WebEx and the teams can facilitate communications with small tricks like using the “raise hand” button. You can create and share slides referencing the various steps from your IRP to help remote and in-office participants stay on the same page. You can also utilize the tools to plan for break-out sessions amongst different group of participants to help increase engagement and simulate how teams would operate during a real-world incident.

5.) Finding Time on Overbooked Calendars

Whether your teams are working remotely or in the office, it seems most senior staff members are jumping from one web meeting to the next. Booking a date/time for an exercise can be difficult when you want to involve the campus leadership team. It will be important to schedule well in advance. Having buy-in before the event invite is sent is also important so all participants understand the meeting’s importance and that their attendance is critical.

The explosion in high-profile ransomware attacks will work to your advantage in getting the leadership team to dedicate resources to incident response. Unfortunately, the increase in attacks has also caused shifts in cyber insurance and premiums, with many policies dropping coverage for ransomware incidents. With ransom payouts now reaching millions of dollars, cyber insurers are re-examining if coverage can be offered, and if so, they are imposing stricter requirements within their policies for payout, including requirements for adherence to industry accepted security standards, multi-factor authentication, employee awareness training, etc. If your organization is no longer able to rely on insurance, ensuring you have a plan in place to respond effectively is critical.

Scheduling the first tabletop exercise for an organization really is the biggest hurdle. It may be difficult to get full support and participation for the initial session. However, each exercise tends to promote more buy-in among staff and once the process becomes familiar to the organization, participation (and overall value) will continue to increase.

If you have questions regarding how to structure a tabletop exercise with your teams, connect with us today.

Below is some additional guidance from the Security Advisor Team:

[Lewis]: Having been involved in many tabletop exercises in both an operations and business role, I can attest to the tremendous value an effective tabletop will bring to a company. Being able to walk through a scenario/breach without the pressure of a real emergency allows thoughtful and mature decision making to occur without the emotions that often surface in a live event. It is natural to feel apprehensive and nervous to attend a tabletop exercise, which is exactly why they are needed. Experiencing a scenario is the best way to remove the butterflies in your stomach and overcome emotions to deliver a strong response. After the first tabletop is completed, the involvement will often grow as the excitement of a tabletop can be infectious (and not in a bad way, like ransomware).

Tabletop exercises have become more important since the pandemic. More workers are remote and communication in an incident becomes paramount. Whether your organization uses WebEx, Microsoft Teams or Zoom, a backup communication plan should be identified. Personal cell phones are what most people turn to in case of an emergency, but these are often found ineffective for larger organizations. Consider the type of communication your organization needs for a tabletop exercise since visual aids are very effective for planning and execution.

The threat landscape is constantly changing, so start small and slowly build your tabletop exercises. Much like New Years resolutions, it is tempting to start with more ambition than time. Since an organization can create its own tabletop scenario, it’s easy to start with a simple event that can evolve over time. The importance of tabletop exercises is to build confidence in the actions an organization will take when a real incident does occur.


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.