How to host a successful virtual, scenario-based cyber tabletop exercise

In February, we discussed what a Cyber Tabletop Exercise is and why you need to conduct one regularly. To recap quickly – a Cyber Crisis Tabletop Exercise is one which simulates a cybersecurity attack scenario that can actually impact your business and it forces all the participants to think and act in the way they would in case of a real attack. The tabletop exercise enables all key stakeholders and decision-makers to understand their roles and responsibilities and reorient themselves in order to be prepared for the worst! 

While conducting regular scenario-based cyber exercises has become almost imperative in many countries from a regulatory perspective, several businesses worldwide are investing in these workshops to be fully prepared for a cyber-attack. Considering the massive upswing in cyber incidents worldwide, this approach isn’t just wise, it’s downright essential to ensure business continuity and for mitigating the impact of malicious activity.

Yet, thanks to the pandemic itself, getting all important executive and senior management into one room for the exercise is near impossible. Further, it’s highly unlikely that when an attack on your organisation does occur, all stakeholders will be in the same room together. In fact, there’s a high probability that they may not even be in the same country. Therefore, it’s wise to start looking at virtual cyber tabletop exercises as a viable, effective and cost-efficient alternative in the pandemic era.

How then, do you ensure that your virtual cyber exercise is a success and actually manages to keep people engaged and alert? Here are some tips that I’ve penned down from the 100+ cyber tabletop exercises we, at Cyber Management Alliance, have conducted over the last 3 years:

When you bring an external specialist on board to conduct your cyber tabletop exercise, they’re able to bring in a unique outsider’s perspective and more comprehensive experience to the table that an insider may not have. Further, an external facilitator isn’t weighed down by internal hierarchies and inter-departmental competition, making the exercise and the following audit report completely objective and invaluable. 

Don’t base your cyber exercise in 2021 only on phishing. Honestly, it’s boring now and yet, your scenario doesn’t have to be all sci-fi. Work with the practitioner you’ve hired to make the scenario as compelling and as realistic as possible.

Death by PowerPoint is bad enough in physical workshops. However, there’s still the allure of human interaction and perhaps some nice grub at the end – advantages that aren’t available online. So, make sure your facilitator doesn’t bore the participants with mundane, theoretical stuff. The virtual exercise has to be as engaging, interactive and powerful as possible in an online environment. Call out names of individual participants and ask them questions to make sure nobody is snoozing with their eyes open.

Make sure that you’ve ironed out all logistical challenges before the workshop begins. Teach people how to mute and unmute themselves if need be, make sure they’ve turned on their cameras. Encourage them to use chat to communicate with the host and other participants. Most importantly, apologize in advance that people may be interrupted or cut short but only due to time constraints.

Unlike other regular workshops, having an external observer for a cyber tabletop exercise is a must. This person captures the reactions and responses that every participant has during the exercise and these observations can be invaluable for the formal audit report that you should be receiving at the end of the workshop. If having a dedicated observer is not an option, you can also record the exercise on Zoom and the recording can be reviewed later for creating the report.  It is, after all, this report that will show you where the lacunae in your current incident response plans lie and what you need to do to be able to bolster your defences better!