Incident response tabletop exercises are an easy way to boost your organization’s cyber health
We all know that exercising is important, but many of us don’t make it a habit. Often the problem is that establishing a routine can seem daunting. But, when you do get into the swing of it, it’s amazing how a little regular exercise can contribute to your overall health. The same is true of cybersecurity.
Doing cybersecurity drills or exercises is one of the most important things you can do for the health and wellbeing of your security program. I have always said security awareness training is the cheapest risk-reducing measure you can take, but not everybody does it, or does it frequently enough.
Let’s take a look at incident response. Honestly, when was the last time your company conducted a simple exercise of your incident response plan? A lot of feedback I get is, “We don’t have time; they’re not real; or they’re too complicated.” It sounds like the same excuses people make to get out of going to the gym in the morning!
But it’s okay. To get you over the cybersecurity health hump, let’s start with a simple program that is easy to do and does not require a significant investment. It should be done at least annually, if not more often. It’s called the incident response tabletop exercise.
Tabletop exercises are discussion-based exercises in which your staff meets in a classroom-style setting or in breakout groups to discuss their roles during an incident and their responses to a particular cyber incident scenario.
A leader presents a scenario and asks the participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination and decision-making. These tabletop exercises are discussion-based only and do not involve deploying equipment or other resources.
Six basic objectives for tabletop exercises:
- Assess the ability of the organization to detect and properly react to hostile activity during the exercise.
- Assess the organization’s capability to determine operational impacts of cyber attacks and implement proper recovery procedures for the exercise.
- Understand the implications of losing trust in IT systems and capture the workarounds for such losses.
- Expose and identify weaknesses in the organization’s incident response plan.
- Determine what enhancements or capabilities are needed to protect an information system and provide for operations in a hostile environment.
- Enhance cyber awareness, readiness and coordination.
As you know, risk management is a C-suite priority today. Risk management oversight needs to be integrated into the DNA of the entire board of directors, and an effective incident response plan ultimately relies on executive sponsorship. The executive strategy should include setting the policy for communicating with employees, partners, the general public, shareholders, regulators and law enforcement such as the FBI or local police.
Another key element of executive commitment to incident response is developing and institutionalizing the rules and procedures for making and monitoring decisions on strategic concerns, specifically internal and external threats to the business.
A healthy organization should be able to implement six basic foundational principles for incident response according to NIST SP 800-61, Computer Security Incident Handling Guide: preparation, identification, containment, eradication, recovery and follow-up. Given how critical incident response is for the health of your organization, doesn’t a little exercise make sense?
So get busy and start exercising! I know I feel better already. Now it’s your turn!