The day has finally arrived when almost everyone understands the importance of a Cyber Crisis Tabletop Exercise. When we started educating our clients and the cybersecurity community on them 5 years ago, awareness was low. Today, both awareness and enthusiasm are high.
The significant surge in cybercrime over the past five years has greatly contributed to the growing popularity of cyber tabletop exercises. Additionally, the convenience and immense value of these cyber drills have driven an increasing number of our clients to request them more frequently each year.
An exercise that allows you to test your chances of surviving a cyber attack with minimal disruption to work, does it get better? It’s a cost-effective way of testing your true cyber resilience and if your team has been doing their job of staying updated with the current threat landscape and the organisational Incident Response Plans and Playbooks.
Throw in the right scenario and an expert facilitator and you’ve got yourself a reassuring simulation exercise that shows you your ability to handle cyber crime.
But is it really that simple? If it was, you’d not be reading this.
While it’s great to see more and more clients commissioning Cyber Attack Tabletop Exercises, sometimes things don’t go as per plan. There’s still a lot of room for improving Cyber Drills and the way they’re conducted. And this guide covers the 5 things you definitely don’t want to do if you’re looking for the best bang for your buck.
This guidance is based on our experiences with the 100s of clients we’ve conducted Cyber Tabletops for over the years. By simply avoiding these pitfalls, you can be sure that your cyber drill will be that much more effective at showing you where you really stand.
1. Generic Scenario: All too often we find clients practising generic scenarios that are very unlikely to affect their business deeply. Frankly, phishing attacks are boring and done to death. Your team probably already knows how to identify and manage one.
Think outside of the box but don’t over-complicate matters when it comes to the scenario for testing. It must always be specific to your organisation, not just to your industry or geography. The scenario mustn’t just be well thought out. It must also be built upon and layered to make it compelling for participants of the exercise. Use our exhaustive Cyber Attack Tabletop Exercise Scenarios list for inspiration.
2. Inadequate Representation: Don’t just fill up the participant list with IT folks. Cybersecurity stopped being just an IT problem a long time ago. Make sure your Cyber Drill sees participation from all important departments - HR, legal, Public Relations and Senior Management.
All of them will be heavily involved in responding to and communicating about a possible attack. Make sure they get the practice they need ahead of time. More rehearsal for the worst leads to better decision making when you’re in the midst of chaos.
3. Doing it All Yourself: We know it’s tempting to wind it all up internally - choose a scenario, put a team together, discuss the response. But it’s not the most effective way. And that’s why it’s always recommended to get an external facilitator for your Cyber Crisis Drill.
Expert facilitators work with your representative to understand team structures, the business model, cybersecurity infrastructure etc. They then work to create a scenario that will be equal parts shocking and realistic to your business.
But most importantly, an external facilitator brings complete objectivity and unmatched neutrality to the exercise. It’s hard for any internal facilitator to not bring bias into the simulation exercise. An outsider however, will call a spade a spade.
Internal team politics, hierarchies, interpersonal equations won’t impact the delivery or the assessment of the response capabilities. And that’s precisely what you need for the Cyber Tabletop Exercise to deliver authentic results.
5. Not following up: If your Cyber Attack Tabletop Exercise isn’t followed by a professional and insightful debrief, what’s the point of doing the drill at all? Our clients swear by the detailed Executive Summary we provide after their cyber simulation exercise. Again, this report isn’t enough on its own.
The recommendations have to be diligently implemented. They also need to be regularly reviewed and tested with additional Cyber Exercises. Remember that it’s never a one-time endeavour. Cybersecurity is an ongoing process and so must be your testing of it.