
A 5-minute introduction to Cyber Security Tabletop Exercises

If the pandemic era has reinforced one fact, it is that every business can and will become a victim of a cyber-attack. Having robust security infrastructure, well-trained staff and a solid cyber incident response plan are some of the essential ways in which businesses can ensure that they have good defences in place against a cyber-attack. However, in spite of making all these investments, many find that they are still vulnerable to cyber-crime, and when an incident does occur, the impact on their brand image and bottom line is immense.

Where, then, is the gap?

Unfortunately, incident response plans and playbooks that have never been rehearsed or tested serve little purpose in an actual crisis. Unless your staff are well versed in every step of the response plan and the checklists are part of their muscle memory, they will panic and take the wrong steps when things get downright chaotic and there’s pressure from every corner.

This is where Tabletop Exercises come in. We prefer to call these Cyber Crisis Tabletop Exercises or CCTEs.

What exactly is a Cyber Crisis Tabletop Exercise?

A Cyber Crisis Tabletop Exercise is the best and most effective way to evaluate if your incident response plans hold water. The simplest way to describe this exercise is as a verbally simulated scenario that would have a serious impact on your business were it to occur in reality.

During the exercise, attendees have to act, think and make decisions as if the scenario were real. This approach places the attendees in a life-like situation and exposes any loopholes in the incident response plan and in the organisational communication and collaboration frameworks. 

Why do you need these tabletop exercises?

Any organisation that is serious about business continuity and about mitigating the impact of cyber-attacks needs to ensure it is prepared for all eventualities. Conducting regular Cyber Tabletop Exercises is an effective way to ensure such overall preparedness. Further, several regulators worldwide are becoming more stringent about compliance standards and are making it mandatory for organisations, especially those in critical national infrastructure and banking, to test Incident Response Plans regularly through Tabletop Exercises. Testing response plans regularly also has several other advantages, regardless of regulatory compulsions, such as the following:

  1. A good cyber tabletop workshop must always focus on business-impacting attack scenarios that are relevant, contextual and cognisant of the geopolitical realities of the business. When such scenarios are played out in front of the stakeholders and participants, they can act as an eye-opener for many. Several business executives and people in key managerial positions may have never imagined a scenario or thought their way through it until they’ve been exposed to it during a tabletop workshop.
  2. As people are put under intense pressure and are forced to think as they would in a real crisis, decision-making becomes faster because the worst-case scenario has already been practised. When an attack takes place, there is no scope for disagreements or disputes on what the next steps should be, as all of them would have been rehearsed during the tabletop workshop.
  3. Tabletop exercises make it clear to the senior management whether any specific members of the staff have to be re-trained for a cyber crisis or with respect to their responsibilities in case of an attack. 
  4. Tabletop workshops facilitate better inter-departmental coordination and communication as the exercise involves all key stakeholders sitting together in one room, working their way out of a crisis. This has long-term implications on teamwork and cross-departmental collaboration. 
  5. Cyber tabletop exercises are a cost-effective way of ramping up one’s security defences without creating any disruption to business or IT systems. 
  6. A formal audit report is usually prepared at the end of a cyber tabletop workshop. This report clearly lists out the strengths and weaknesses of the processes, the group’s collective capability to respond and more. This output can then become a solid blueprint on which the business can build its capabilities through the rest of the year.

About Cyber Management Alliance

Founded in 2015 and headquartered in London, UK, Cyber Management Alliance Ltd. is a recognized, independent world leader in Cyber Incident & Crisis Management consultancy and training. The organisation is renowned globally as the creator of the flagship Cyber Incident Planning and Response course, certified as part of the UK Government’s National Cyber Security Centre Certified Training Scheme.

Cyber Management Alliance has serviced over 300 enterprise clients in multiple verticals including government, banking, finance, IT, consultancies, healthcare, oil and gas and retail across 38 countries. It has established its leadership by assessing, building and improving its clients’ Cyber Incident and Crisis Management capabilities through training, tabletop exercises, health checks and audits. 
