How to perform a tabletop exercise?

Performing tabletop exercises can play an important part in any business, if done correctly. Tabletop exercises can be integrated into all aspects of a business, from annual staff training to learning what caused an incident and how to improve so that it doesn’t happen again.

In this article we’re going to discuss what a tabletop exercise is, how it can benefit you and your business, and how you go about implementing these exercises.

What is a tabletop exercise?

To a lot of people, the term tabletop exercise means nothing; however, it is widely used within businesses, especially those based around technology and cyber security.

A tabletop exercise is primarily a discussion-based session in which people, usually team members, meet in an informal setting to talk through some sort of emergency. The discussion centres on a particular emergency that the business may have recently suffered, or one flagged in its risk register as something that may happen one day.

Once the topic has been selected, for example a key service failing in your environment with a knock-on impact on business activities and revenue, the team discusses what theoretically went wrong, how it went wrong, what processes they would follow and so forth, until they reach the conclusion of the activity.

The goal of a tabletop exercise is to uncover any issues that may arise, strengthen policies and procedures, and help train staff and make them aware of contingency plans.

The sessions should be relaxed, informal and blame-free, especially if they are based on an incident that has happened in the past. The goal is to agree positive actions and to improve your incident response procedures, so that if something similar happens in the future, everyone knows what to do, who to call, what to action and so forth.

Developing a tabletop exercise

So now that we know what a tabletop exercise is, how do you go about implementing one within your own business?

The UK’s NCSC has Exercise in a Box, which allows you to exercise against specific cyber-related threats.

However, if you want one more specific to your business, look at your risk register and your incident logs and highlight all the recurring incidents and risks that could seriously affect your business. Leave no stone unturned.

Once you have a list, identify which people and teams are associated with those risks and then draw out a plan.

You could start simply by stating that a specific system has gone offline and go from there with no further content, which leaves the team free to discuss all areas.

For a more structured approach, define a starting point and then provide updates throughout the exercise. For example, a system has gone offline; then, once the team has identified it, you reveal that system X caused it with X requests, and so forth.

How often should you run an exercise?

This depends on the business and what you are looking to get out of it, but run one at least annually, ideally quarterly, and ensure that all teams and departments are included where appropriate so that the business is kept up to date.

Then, by the end of the first year, you should have updated plans and actions and, more than likely, a more hardened and resilient system as a result of these exercises.