Imagine you’re hiring a bodyguard. There are two candidates for the position, and Candidate A has read every security book there is. Candidate B may not have such an encyclopaedic understanding of the industry, but what he does bring is ten years of proven experience in real security scenarios. Unless Candidate A can read a book while conducting a high-speed pursuit, it’s clear who is best for the job.
Whether it’s in fire drills or first aid training, we’ve all practised emergency protocols to prepare for real disasters. And cybersecurity is no different: your organisation could have an exhaustive library of safety protocols and incident response procedures, but if your team has no experience, they’re going to lack preparation in a crisis.
However, it’s not always easy to develop practical experience when the crisis you’re preparing for is virtual. This is where tabletop exercises come in.
Practical experience for a virtual crisis
Tabletop exercises are a form of team training meant to prepare personnel for cybersecurity threats, reconsider the approach to various security scenarios, and raise cybersecurity awareness. These exercises are inexpensive but extremely beneficial: all attendees get a clear understanding of their own actions and of how those actions affect other parts of the company.
Normally, these exercises begin with a simulation of an incident, supervised by an exercise conductor. It can make sense to introduce complicating factors – such as staff absence or a time limit. Once they’ve been briefed, the different departments simulate their response in real time. When it’s all over, the exercise conductor chairs an evaluation process to help highlight and institutionalise the lessons learned.
Designing your own
No two tabletop exercises are the same – they will vary according to your team’s procedures, priorities, and risk factors – but the basic steps for designing an exercise should be fairly consistent:
- Assess your needs: which areas need the most attention?
- Define the scope: how many teams will be involved? How many systems, or locations, will be implicated?
- Develop a purpose statement: what is the central goal of the exercise? Are you testing response times, or how effectively your teams collaborate?
- Define your objectives: which activities will ensure your purpose statement is achieved?
- Simulate the incident: once you have been briefed by the exercise conductor, how does your organisation react?
- Evaluate the process: how many objectives did you meet? What are the lessons learned?
Last year, the CyberEdge group found that low security awareness among employees is “the number one barrier to IT security’s success”. Three billion fraudulent emails are sent every day. Training activities such as tabletop simulations give organisations the means to identify weaknesses in their security plan and prepare their teams for worst-case scenarios.
If you need support planning and executing security events, HewardMills can help kickstart your training. We offer a comprehensive approach that includes the development of training suites and modules on specific aspects of GDPR, as well as tabletop exercises.