How to run a successful Business Continuity Tabletop Exercise

Companies of all sizes, in many industries, have a common challenge - cybersecurity and how to protect their sensitive data. Organizations that store PII (Personally Identifiable Information) and PHI (Protected Health Information) have an even bigger challenge of protecting that data based on regulatory requirements. In a recent blog post we asked, “Do you know where your data is and who has access to it?” If you don’t know where your data is located how can you protect it? So now, if you have an established data security program and understand the data that your organization holds and where it is stored, it is time to run a tabletop exercise to test how well your team would handle a security incident.

What is a tabletop exercise in data security?

As the saying goes, “practice makes perfect” and the same is true in data security where your organization has the opportunity to run a Tabletop Exercise and practice how it would react to an incident, such as a data loss or cyber attack.  

A Tabletop Exercise is a simulation of one or more scenarios that test the ability of an organization to recover from serious or catastrophic events. Participants discuss how they would respond, based on their role in the exercise, and their response is evaluated both by other participants and knowledgeable facilitators. The Tabletop Exercise is scripted to probe the response plans for weaknesses that are identified and addressed before a real incident causes serious harm to an organization.

Ostendio runs Tabletop Exercises for customers to help them understand how it feels should they have to deal with an emergency situation. Our Professional Services team has years of experience preparing real-life scenarios that test the reactions of Incident Response Teams.  Lizzie Schoff is a member of our Professional Services team and she regularly works with customers running Tabletop Exercises. Lizzie recently answered some questions about how she works with organizations that request a Tabletop Exercise.

Q: What are the benefits of running a Tabletop Exercise?

A: There are many benefits to running a business continuity tabletop exercise. Incident Response Teams think they are ready for anything, and that’s their purpose, but it’s not until they are faced with a real-life example of an emergency, a cyber attack, or potential ransomware, that they are really tested to see what works and what doesn’t. Running a tabletop exercise is the best way to show you where the gaps are in your planning so that when it happens for real, you will be ready.

Q: What surprises do clients get from running a Tabletop exercise?

A: There are always surprises!  On the plus side, it is a great way for an Incident Response team to see how well they work together. Some people do really well under pressure and come out as natural leaders. However, sometimes teams realize there are options they hadn’t considered. That’s the point of running these exercises, you can see what is working well but also what still needs to be done. The most significant gap I have seen, over and over, is the notion that somehow incident response and business continuity are the responsibility of the IT Team. That’s a mistake because customers and partners don’t care about internal workings; executives, marketing departments, and client success teams are the visible face of the company and they will be pressured to respond correctly or the organization will suffer the consequences. 

Q: What is a tabletop exercise inject?

A: I use the word ‘inject’ as a shortcut for ‘injection’. Essentially, as a facilitator, I have semi-scripted, with the help of an organizational ‘insider’, a few scenarios that we play out with content that we ‘inject’ into the team’s interactions. It’s fun to use mockups that I create to give the team a sense of what may be going on - like a defaced company website or a call message from a concerned customer. While we are all role-playing, it is still important that the team gets a sense of the seriousness of a situation and responds accordingly. Some organizations have never recovered from serious incidents when they were not able to respond effectively. Others have had high costs to recover the confidence of their clients. That is not a position that any organization wants to be in and running a tabletop exercise helps companies know how to react to reduce those risks. 

Q: How often should a company run a tabletop exercise for their Incident response team?

A: An annual tabletop exercise is a good idea.  There are two reasons for this. First, organizational changes such as staff leaving or coming onboard, or organizational growth or new products, mean that plans that worked before won’t work anymore. I once saw a plan that had a list of Incident Response team members where half the staff had moved on. Secondly, each exercise builds on the previous one. One exercise cannot cover a large number of scenarios. And gaps identified in one exercise need to be addressed - the next exercise ensures the implemented changes are successful. So it really helps to run these regularly so everyone is prepared.

Q: How do I start planning a business continuity tabletop exercise?

A: Companies have a choice whether to run their own business continuity tabletop exercise or whether to bring in an external expert to run it for them.  Having an external facilitator can add an extra element of realism to your tabletop exercise that an internal facilitator might not have. Also, the external facilitator can objectively engage with staff members from across the departments - so the exercise is not just owned by IT. Did I mention that business continuity is NOT just an IT responsibility? At Ostendio, we have had a lot of success with creating a customized tabletop exercise that really pushes the organization to find those areas of risk that are most critical. We have scribes that assess the team’s response and we provide a final report that gives a synopsis of the exercise. This report can be shared with those who did not participate and a corrective action plan can be built for gaps that were identified. 

What benefits do clients get from Tabletop Exercises?

Ostendio clients report multiple benefits from participating in Tabletop Exercises including becoming aware of the need for better inter-departmental communication, the need for more concise documentation, and the request to participate in these kinds of exercises more often in order to raise security awareness across all teams.

The next steps

The importance of responding quickly and effectively to a serious incident cannot be overemphasized in today’s environment. Tabletop exercises can be the difference between a company recovering and retaining their competitive edge or spending lots of time and money trying to gain back from a significant loss. When your data security and risk management programs are in place and everyone on the Incident Response Team knows their roles, you have a better chance of this recovery. Using an external facilitator to run your Incident Response & Business Continuity Tabletop Exercise is a choice made by many businesses. By using an external facilitator, organizations get expert help and guidance during the process which increases the benefits of completing the exercise.

The Ostendio Professional Services team runs regular Incident Response and Business Continuity Tabletop Exercises for our customers. Speak to an Ostendio expert about how running a Tabletop Exercise at your organization could prepare you to respond to the challenge.