Cyber attack drills have become an essential component of any robust incident response strategy. These cyber attack simulation exercises recreate real-world attack scenarios to test and improve the readiness of an organisation’s cybersecurity team.
However, one of the most debated aspects of tabletop exercises is whether they should be announced in advance or conducted as a surprise.
Each approach has its pros and cons, and the decision largely depends on an organisation’s goals and maturity level.
This article is inspired by a recent poll we conducted on LinkedIn where we asked respondents to vote on this hot topic. The choices they were given were: Announced, Unannounced and Mixed.
We delve into what the benefits of each format of cyber attack drill are, what the respondents had to say and what our experts recommend when it comes to cyber attack drills.
What you'll find in this blog:
1. Our LinkedIn Poll: Should Cyber Drills be Announced or Unannounced?
2. The Case for Planned Cyber Attack Drills
3. The Case for Surprise Cyber Attack Drills
4. Our Opinion on the Question
5. How to Get the Most out of Your Cyber Drill
Our CEO and Co-founder Amar Singh recently conducted a poll on LinkedIn posing this question to his wide network of followers from the cybersecurity community - Should Cyber Drills be Planned, a Surprise or a Mix of both?
As expected, the answers were interesting and it was refreshing to know the industry perspective on this hot topic. Here’s a quick look at the results:
A vast majority was in favour of conducting cyber tabletop exercises as a mix of planned and surprise drills. If you look at the comments, it’s apparent that some respondents vehemently believe that cyber drills should be a surprise. As they correctly argue, cyber attacks are never planned or predicted and cyber attack drills should ideally replicate the shock and chaos that real-life attacks create.
However, the argument that Catherine Butterill makes is hard to argue with too: “Selected mixed as let’s give teams the chance to have a controlled practice first then they are confident for a real event then it’s unannounced then on.”
Essentially, what the poll results indicate is that once an organisation has firmed up its Cyber Incident Response Plans and Playbooks, the organisation and especially first responders should be given some practice in damage control with a planned cyber tabletop exercise.
Once a couple of cyber drills have taken place, it would definitely be time for a surprise to see how the teams come together and respond to the simulated crisis as they would if the attack were real. However, for the sake of balance and a comprehensive perspective, let’s look at the virtues of both announced and unannounced cyber attack drills.
For organisations new to cybersecurity tabletop exercises, planning or announcing the first few sessions is a great idea. This can foster a constructive and stress-free environment for learning. Participants can understand what the expectations from them are. They can also be given a chance to familiarise themselves with incident response processes and their individual roles and responsibilities.
A planned cyber drill in such cases can save team members from feeling unnecessarily stressed and overwhelmed the first few times. By focusing on skill-building and ensuring the participation of all critical stakeholders, planned exercises lay a strong foundation for cybersecurity readiness, which can later be tested under more realistic, surprise conditions.
Here are some benefits of planned Cyber Tabletop Exercises:
Announced tabletop exercises create a controlled environment where participants can focus on learning and improving. By knowing the exercise is coming, team members can:
A surprise exercise can induce unnecessary stress, particularly for newer team members or organisations with a less mature incident response framework. Announced exercises allow participants to feel more confident and prepare in order to make the exercise more fruitful.
Scheduling and announcing a tabletop exercise ensures that key stakeholders are available. This is particularly important for cross-departmental exercises where IT, legal, HR, and leadership teams need to collaborate.
Announced exercises allow participants to focus on providing detailed feedback and documentation, as they are not caught off guard. This can lead to more actionable insights and better refinement of incident response strategies.
If you are part of an organisation that already has a mature cybersecurity posture and you’ve invested enough time and resources on training your team in cyber incident response, a surprise cyber attack drill may just be what you need. Conducting cyber tabletop exercises as a surprise can provide a more accurate assessment of your readiness to handle real-world incidents. Unannounced attack scenarios test your team’s ability to react swiftly and effectively under pressure.
Surprise cyber drills can be the litmus test for how effective your cybersecurity training and incident response planning have been so far. They can show up all the gaps in communication, decision-making, and technical response that still need to be plugged.
A surprise cyber security tabletop exercise will help you build a culture of vigilance. It will make team members more prepared for the unpredictable nature of cyber threats. While it may introduce temporary stress, a surprise exercise ultimately strengthens the organisation’s resilience.
Below are the top reasons for conducting a Surprise Cyber Attack Drill:
Cyber attacks are always unannounced. They will most likely come when you least expect them. It’s highly possible that all important stakeholders will not be available when an attack is detected. So a surprise cyber drill is actually the closest you can come to a real-life cyber attack. There’s truly no better way to assess your team’s real-time reaction to unexpected incidents than to simulate the unpredictability of a genuine cyber crisis.
When exercises are announced, participants may rely on pre-prepared scripts or ideal conditions. They can also make the time to go over Incident Response Plans and Processes which should ideally already be a part of their muscle memory. Some can argue that none of this accurately reflects real-world challenges or the stress of responding to a real crisis.
Surprise exercises can make gaps in communication and coordination crystal clear. They also make it apparent if any team members need more guidance or training on their roles during an attack situation.
By conducting surprise exercises, you can instill a mindset of constant readiness in your team. Team members are more likely to remain vigilant, knowing they could be tested at any time. They are more likely to stay updated on current cyber threats and abreast of your latest Incident Response Playbooks and Plans.
As might be clear from the discussion above, the right choice of format for a cyber drill depends entirely on your organisation and its cybersecurity maturity. Essentially, if you’re just beginning your journey towards cyber resilience, planned cyber drills might be right for you.
As you progress towards better cyber readiness, you could opt for a mix of cybersecurity tabletop exercises. This might include planned cyber drills for new employees and/or surprise ones for those that have already received substantial training. Once you gain considerable confidence in your key team members’ ability to identify and respond to cyber crisis situations, unannounced cyber simulations might be the right way forward.
Here are some points to consider before you zero in on the format that’s right for your business:
1. Consider your organisational maturity: Are you just laying the foundation for a strong cybersecurity posture? Announced exercises will certainly be more beneficial for your staff. For mature organisations with established cyber incident response plans, surprise exercises can provide a more realistic test of readiness.
2. Define Clear Objectives: Understanding the purpose of the exercise is crucial. If the goal is to train and educate, an announced exercise may be more effective. If the objective is to evaluate real-world readiness, a surprise approach is ideal.
3. Evaluate Results and Adapt: Regardless of the approach, it’s essential to analyse the outcomes of the exercise and adapt your strategy. Continuous improvement should be at the core of any cybersecurity programme. Try a format that you feel might be most effective for your team and analyse the results. If you feel that your team needs more training after a surprise cyber drill, plan an announced one next time.
Both announced and surprise tabletop exercises have their place in a comprehensive cybersecurity strategy. The choice between the two depends on your organisation’s goals, maturity level, and the outcomes you wish to achieve.
If you are uncertain about which format is right for you or how to get the most out of your cyber attack drill, consider enlisting the help of an expert. Our Cyber Drill facilitators have helped over 400 organisations identify the kind of cyber tabletop exercise they should conduct. They work closely with them to plan, design and execute a cyber drill that’s most effective for their organisation. The final result is always heightened confidence among our clients in their organisational cybersecurity. Read this Cyber Tabletop Exercise Case Study to know more.
Apart from just the surprise or planned element, it is also imperative to choose the right tabletop exercise scenarios. The cyber security drill scenario must be relevant to your business in order to evoke realistic responses from your team.
You might also want to consider our Cyber Tabletop Exercise Masterclass. You can learn from the world’s top cyber drill facilitator how to plan, produce and conduct an incident response tabletop exercise that gives you the results you need.
By planning and executing effective cyber attack drills, you can enhance your organisation’s resilience against cyber threats and build a robust culture of preparedness. Whether announced or surprise, the key is to ensure that every exercise is relevant, compelling and contributes to a stronger and more coordinated incident response capability.