How to Develop and Implement Effective Cybersecurity Tabletop Exercises

There are millions of reasons—literally—why companies should test their cybersecurity incident response plans regularly. To wit: companies that didn’t test their IR plans in 2021 paid an average of $5.92 million in breach costs, while those that tested their plans paid $3.26 million, according to IBM’s Cost of a Data Breach Report 2022. That difference of almost $2.7 million is about $200,000 higher than the previous year, evidence that the damage caused by not testing your plan is getting worse.

There are other benefits to regularly testing incident response plans too, including faster recovery times and potentially lower risk of having a cybersecurity incident in the first place. And yet 27% of organizations don’t even have incident response plans and only 63% of those with plans assess them regularly, according to the IBM report. All told, it’s a recipe for disaster that can be avoided by simply practicing your response and adjusting it for improvements, said Chris Loehr, executive vice president and CTO of Solis Security and a member of the CompTIA ISAO Partner Advisory Council, during a breakout session at CompTIA ChannelCon 2022 called Developing and Executing Effective Tabletop Exercises.

Tabletop exercises help organizations—and their employees—better prepare for a multitude of risk scenarios and threats, providing valuable insights and feedback for cybersecurity teams charged with securing the business.

“On the incident response side of our business, we see bloodshed every single day. We have companies that have an IR plan [but they don’t test.] It looks like they grabbed a template and did a find-and-replace and off to the races they went,” Loehr said.

Related Blog: Why Practice Should be Part of Your Incident Response Routine

Developing a Tabletop Exercise

The key to testing your incident response plan is not to get it wrong, but to learn from your mistakes and correct them for the next time—and for a potential real-life incident. “The whole point is to find gaps and efficiencies, allow people to ask questions. Don’t try to squeeze it into 45 minutes. This is a learning exercise,” said Loehr.

Some rules to consider for implementing a successful tabletop exercise:

• Someone is present for all roles, including backups
• No distractions (i.e., phones) for everyone present
• Allow plenty of time to complete the exercise
• Facilitators should not have an assigned role in the exercise
• Everyone should know about the exercise beforehand (no surprises) …
• But the exact scenarios should not be revealed ahead of time
• Account for third parties that may be involved in an incident
• Be hard on yourself in a productive way

“If you do one now, and another in six months, they should be different scenarios. As you do these exercises, they should get bigger and better,” said Loehr. “Especially in the [MSP] business, you must account for third parties. If your client is doing an incident response exercise without you, and you’re responsible for their IT, it doesn’t make a lot of sense. You should try to figure out how [everyone] should be a part of the exercise because you want to know how well they will respond in an incident situation.”

Planning a Successful MSP Exercise

The first step to conducting a successful tabletop exercise is to ensure that you have a solid incident response plan—or plans. Consider developing a plan in which just you—the MSP—is attacked, another in which a client is impacted and a third that affects everyone.

“You need to make sure someone owns that incident response plan(s) and that they are vigilant and making sure that the people that need to contribute to changes and reviews do so,” Loehr said.

Second, when you conduct an exercise, it might be wise to leave certain team members out of the exercise, to mirror possible real-life situations in which employees may be out of the office and unavailable to help.

“What would happen in this situation? ‘We’d go to John.’ Well, what if John is in the hospital, or out of the country? You don’t want to do that for your first tabletop, because you want to see how much that happens. Then for the second, yank John out. That forces other players to kind of fill in for those roles,” said Loehr.

Planning a Successful Exercise with Clients

In addition to conducting internal exercises, MSPs should also conduct regular tabletop tests with their customers too. However, the logistics of getting multiple organizations and parties involved can quickly become more complex. In that case, consider the client’s vertical industry, size, location and potential legal or regulatory requirements.

“You want to spend 30 minutes or an hour on a call so they can ask you a bunch of questions about how the process works, who they need to call, and guide them through who is going to be involved. Those people are in front of things,” Loehr said. “But 99% of our cases, the company has no idea what’s going on because they’re calling the cyber insurance company for the first time once an incident occurs. Very rarely do they try to [test] ahead of time so they can prepare for it.”