How to Create a Successful Tabletop Exercise
Even the best-laid plans can go wrong with the simple introduction of the “human factor.” Implement this in the emergency response planning, when the stakes are high, and even the most thorough plan can begin to fall apart.
The best way to eliminate the human factor is to test your plans during tabletop exercises. It is equally important to have a high degree of accuracy in exercising.
Tabletops are group exercises that examine the response of your crisis team to a specific scenario and quickly detect previously undetected gaps in your plan or issues that need to be addressed. Such exercises also work as a reminder of small yet crucial details, for example, whose responsibility it is to provide comments to the media if the VP of Communications is on vacation.
These are some of the essential tips for maximizing an outcome of a tabletop exercise:
Choose a Realistic Threat
A successful tabletop exercise should resemble the real world as closely as possible. This means choosing threats that are viable to the organization, as well as designing a scenario that includes realistic attacker behavior.
Examples of real-world cybersecurity threats include a network infrastructure breach with data exfiltration, website-hosted malware, denial-of-service (DoS) or distributed-denial-of-service (DDoS) attacks, rogue wireless access points, or something as commonplace as a lost laptop that contains sensitive data or passwords.
The type of threat chosen for a tabletop exercise will vary by industry and from one organization to another, but it must mimic a threat that’s likely for that specific environment.
During the Exercise: Have Clear Objectives and Follow the Schedule
Make copies of your emergency response and business continuity plans and a whiteboard to track the progress. Before you begin, the moderator needs to review the objectives and scope of the exercise. Note that the crisis leader has the final say if there are conflicting opinions. It’s also important to keep track of time; the moderator needs to set time limits for each action item.
Once the imaginary threat has been set into motion, each member of the group should perform – in real time – the actions they would take were that threat actually playing out. These will be based on the organization’s security plan that should be already in place.
These actions include sending specific organizations to talk to the press, communicating to employees within the organization, and notifying clients and third-parties. They also include making decisions about whether to shut down systems, as well as collecting information and utilizing forensic software to identify the type of threat at play before working to remediate it.
After the exercise is complete, review the process to understand what worked and what needs improvement. The rules of any successful meeting or a tabletop are: start on time, finish early, and offer refreshments.
After the Exercise: Act on What Was Learned
In addition to allowing the entire team to practice their response in real-time, the value in tabletop exercises is that they can help identify weaknesses and gaps in an organization’s response. Confusion about responsibilities, poor decisions, identifying new vulnerabilities, and finding weak points in the processes don’t indicate failure; rather, these are precisely what tabletop exercises are designed to weed out.
After each exercise, it’s essential for the team to debrief and discuss any shortcomings in the response. They should also document what worked as well as what didn’t so the organization can identify vulnerabilities and missing links and work to patch and fill them. These recommendations will not only help the next exercise run more smoothly; they’ll ensure a more effective response when an actual threat strikes.
Make sure action items are circulated after the exercise is complete and review and update your plans accordingly.