How to Perform a Security Incident Response Tabletop Exercise?
Date: 14 May 2021
Conducting regular security incident response tabletop exercises is the only non-destructive way to prepare your organisation for ransomware or other types of cyber attacks. Given the new ‘normal’ brought on by the pandemic, it’s even more critical to make cyber incident response exercises a mandatory and repeating drill.
Cyber Incident Response Planning & Incident Response Tabletop Exercises have become a necessity for modern, digital businesses. Just having an incident response team to deal with cyber threats is not adequate anymore. Cyber-attack simulation exercises are vital to the well-being of any business today.
The SolarWinds hack proves that no organisation or even government is immune to a cyber security attack today. This attack is also known as the Solorigate cyber-attack and is considered the most advanced cyber-attack. Its list of victims includes:
This is why a focus on cyber incident planning & response is imperative. What is even more important is continuously testing and validating the effectiveness of your plans.
What are tabletop exercises in security?
A good Cyber Incident Response Plan or “IR Plan” tells you what should be done in case of a cybersecurity incident. This plan should ideally be a short, crisp and to-the-point document. It should specify the roles and responsibilities of each team member. The IR Plan should also ideally be based on the NIST Cybersecurity Framework and the recommended phases.
An Incident Response Tabletop Exercise, on the other hand, is a cost-effective way to test the efficacy of these plans. These cybersecurity tabletop exercises are a safe way to conduct attack simulation drills. One of the objectives is to put key stakeholders in an environment of intense pressure. They are forced to think and act as they would when under a real cyber attack.
Benefits of Security Incident Response Tabletop Exercises
There are several benefits of running regular cyber security incident response tabletop exercises including:
- Shedding light on how prepared your organisation is for a cyber attack.
- Building muscle memory for staff and executives who will respond to the attack.
- Improving your organisation’s readiness to combat a data breach or cyber attack.
- Checking if your incident response plans are fit for purpose.
- Evaluating if management & key decision-makers know their roles and responsibilities.
- Assessing if budgetary allocations towards Incident Response tech and infrastructure are adequate.
Are tabletop exercises important for regulatory compliance?
Yes, cyber crisis tabletop exercises take your organisational cyber security to the next level. But that's not all. For many businesses, conducting regular incident response tabletop exercises is a regulatory requirement.
- In the Middle East, the Central Bank of Bahrain says, “The Board and senior management must ensure that the cyber security controls are periodically evaluated for adequacy.”
- Qatar’s Central Bank clearly specifies the need for Business Continuity Management, Incident Management and Tabletop Testing in its Technology Risks Circular.
- The Saudi Arabian Monetary Authority (SAMA), in its Cybersecurity Framework, says, “The Member Organisation should periodically conduct BCP (Business Continuity Plan) test exercises. The tests should consider appropriate scenarios that are well planned with clearly defined objectives.”
Recently, even the Monetary Authority of Singapore has advised organisations in the financial technology space to regularly conduct incident response tabletop exercises. In its revised Technology Risk Management Guidelines 2021, section 13.3 of the compliance checklist covers the critical aspect of Cyber Security Assessment.
This section talks of Incident Response Cyber Exercises as a vital step forward towards ensuring cyber resilience of the business. The TRM guidelines 2021 advise regular incident response cyber exercises that validate the organisation’s response and recovery strategy.
How do you do a cyber crisis tabletop exercise?
In the simplest terms, an Incident Response Tabletop Exercise is a cybersecurity mock drill. It is a cyber attack simulation exercise in which an attack scenario that is extremely relevant to the business is simulated during the workshop.
The first step in conducting a security incident response tabletop exercise is choosing the right participants. Don’t limit yourself to members of the Information Security team. You have to involve important business decision makers and even C-suite executives as part of the exercise. The right people make the exercise really effective.
Next comes the scenario. Incident response scenarios could range from a basic phishing attack to an attack on the crown jewels of the business. The scenario is usually based on the specific nature and industry of the client. It is often also led by threat intelligence-based research.
For the actual exercise, it is important that the host create an intense atmosphere. The pressure inside the room (or virtual environment) should be akin to what an actual attack will feel like. All participants must be forced to think on their feet.
Only then will you know if all participants know their duties when an attack takes place. This is also the only way to know if they’re familiar with the incident response plans at all. Their ability to collaborate and coordinate with other teams will also be tested.
This is precisely why it is always a good idea to hire external experts to conduct an Incident Response Tabletop Exercise. Your organisation will benefit from the years of experience and knowledge of an external facilitator. An external host will also be able to look at your company’s level of preparedness from an objective, external perspective.
Most reputed facilitators of Cyber Incident Tabletop Exercises will present your business with a formal report at the end. This report highlights the strengths and improvement areas of the business. So it can be used to enhance security measures and plug the gaps in your incident response plans.
Cyber Management Alliance is the global front-runner in conducting incident response tabletop exercises for businesses. We have the expertise & the experience to support you in hosting a productive and effective cyber crisis tabletop exercise.
We work with you on planning, creating scenarios, producing the scripts and artefacts and running the actual workshop. We can run a complete cyber tabletop exercise virtually using Zoom, Microsoft Teams or Google's Meet (previously known as Hangout).
We also present our clients with a formal audit report of the exercise. This provides them with important data including a cyber breach-readiness score. This score gives a good indication about how ready they are to respond to a specific cyber-attack scenario.