In this blog, we'll go over frequently asked questions about conducting a cybersecurity tabletop exercise, including how it works, why it's important for startups and SMBs, which voluntary and legal compliance requirements you need one for, and more.  

What Is a Cybersecurity Tabletop Exercise?

You're sitting in a meeting with your leadership team, the IT lead, and a couple of personnel from operations. Someone kicks things off by saying, "Alright, here's the situation: You've just received an email from a threat actor claiming they've gained access to our production environment. They've encrypted customer data and are demanding a $50,000 ransom within 48 hours. What do we do first?"

That's a cybersecurity tabletop exercise in action. A tabletop exercise allows your team to practice handling a cybersecurity incident without the actual crisis. Your team works through a realistic scenario step by step, discussing who's responsible for what and how decisions will be made. During the exercise, gaps in your existing plan and questions you need to answer going forward will likely surface:

Who decides if the ransom should be paid? What happens if legal or PR resources are tied up? Is your team ready to handle questions from customers or regulators? 

These are the types of issues that otherwise may not come up unless you are in the middle of a real incident, but a tabletop exercise allows you to address them before they actually happen. 

[Image: Cybersecurity Tabletop Exercise]

These exercises enable you to see how your team will react when/if you experience a real threat, based on your specific situation: Maybe your team has a strong technical foundation but hasn't worked out all the details for responding to an attack. Or maybe you're growing quickly, and roles like security and IT are spread across multiple people who wear a lot of hats. 

Regardless of your situation, tabletop exercises strengthen your security posture by giving you a chance to run through various scenarios, fine-tune how to respond, and stress-test your existing processes. 

They also need to be conducted to meet many voluntary and legal requirements. For this reason, they're especially critical for organizations seeking to land bigger clients or meet compliance requirements like SOC 2 or ISO 27001. 

Why Do Startups and SMBs Need Tabletop Exercises? 

Let's say your startup just landed a major client. Part of the contract includes a requirement to prove you can handle a security incident without putting their data at risk (or, they simply ask to see your SOC 2 report). 

You've got your security policies written up, but when it comes to how your team would respond to a real incident, you need to make sure everyone is on the same page and that you have documented proof of your processes. 

Enter the tabletop exercise. 

Startups and SMBs often operate with lean teams, where people juggle multiple responsibilities. In a crisis, this reality can often cause confusion over who does what and how to make decisions. A cybersecurity tabletop exercise allows you to clarify responsibilities and builds confidence in your ability to respond to incidents. 

Besides disrupting your daily business operations and creating downtime, an incident like ransomware or a data breach can harm the trust of your customers and hurt your ability to grow. Knowing how you'll respond greatly reduces that risk and helps minimize the fallout. 

Compliance is another factor. Frameworks like SOC 2 require you to put your incident response policies and plan to the test, and tabletop exercises are an easy way to meet that requirement. Tabletop exercises are just as critical for startups and SMBs as they are for large enterprises. 

For startups looking to scale, being able to demonstrate that you've done this makes a big difference when building trust with investors, partners, and customers. 

Cybersecurity Tabletop Exercises and Compliance: SOC 2 and More

Under the SOC 2 Trust Services Criteria, tabletop exercises meet the incident response testing requirement of the security criteria (which is not amongst the optional criteria under SOC 2!). Criteria CC7.1 and CC7.2 require organizations to test out an incident response plan. Auditors will therefore ask to see evidence that you've actually put your plans to the test and don't simply have them written down as policies.

ISO 27001, often seen as the baseline for global security standards, also calls for incident response testing. Annex A.16.1.5 requires the periodic testing of information security incident response plans. Tabletop exercises are the simplest, most effective, and industry-standard way to satisfy this requirement. 

PCI DSS Version 4.0, which applies to organizations that handle payment card data, also includes a specific requirement for incident response testing. Noncompliance with PCI DSS can lead to fines and additional transaction fees. Requirement 12.10.2 states that companies must "test incident response procedures at least annually". Again, tabletop exercises are the most straightforward and widely accepted way to meet this requirement.

For privacy regulations like GDPR and the California Consumer Privacy Act (CCPA), there are various stipulations around the importance of having processes in place to be ready in the event of a security incident.

For instance, GDPR's Article 32 emphasizes the need for "…a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing." Tabletop exercises aren't explicitly named, but they are a direct way to demonstrate such a process. CCPA has similar expectations for businesses handling sensitive consumer information. 

Putting your response to a security incident into practice through a tabletop exercise allows you to prove to auditors that you can meet these requirements. 

Enterprise clients in particular will want reassurance that you can handle incidents without putting their data at risk. Many enterprise contracts (which can be used as either an alternative or an add-on to compliance by some organizations) also include requirements for incident response testing. This can be especially important if your organization handles sensitive data or will be integrating with an enterprise client's systems.

3 Ways MSSPs Support Tabletop Exercises for Organizations

Organizations often choose to work with a Managed Security Services Provider (MSSP) in order to guide them through tabletop exercises. Here are three ways MSSPs offer valuable support through this process while ensuring you meet compliance requirements:

[Infographic: Cybersecurity Tabletop Exercise, 3 Benefits]

1. Crafting Realistic Scenarios For Your Cybersecurity Tabletop Exercise 

Creating a scenario that makes sense for your business is critical. MSSPs can design scenarios tailored to the threats your organization is most likely to face and your compliance goals.

For example, if your company handles customer payment data and you are trying to obtain PCI DSS compliance, the exercise may focus on a ransomware attack targeting your payment processing systems. If you're in SaaS, it could take the form of a simulated compromise of user accounts.

2. Facilitating the Exercise

To conduct tabletop exercises, you need a neutral facilitator to guide the discussion and keep the team on track. A security expert at an MSSP (such as a virtual CISO, or vCISO) can take on this role, asking the right questions, tracking progress, and steering the conversation toward identifying gaps in your response plan.

Working with an outside expert allows your team to engage in the exercise without worrying about having to run it themselves. They bring an outsider's point of view, which can enable you to gain insight into areas your internal team may overlook.

3. Providing Actionable Feedback 

After the exercise, an MSSP delivers a report on what went well and what needs improvement. They can help you prioritize updates to your incident response plan and recommend additional security measures based on gaps uncovered during the exercise. They can also document the exercise for compliance audits. 

Working with an MSSP provides access to expertise, allows you to strengthen your response capabilities without pulling your internal team away from their day-to-day work, and provides deliverables you can use to demonstrate your security posture to auditors and customers. 

Getting Started: Partnering With Experts

Cybersecurity tabletop exercises can be used to meet a vast range of both legal and voluntary requirements, and having conducted them builds trust with your clients and prospects. They provide both the evidence auditors need and the confidence customers expect. 

However, startups and smaller organizations may lack the resources or internal expertise needed to effectively run cybersecurity tabletop exercises. An external expert, such as a vCISO, solves this issue and provides specialized knowledge. At Rhymetec, our vCISOs have walked dozens of organizations through their tabletop exercises and provided reports that fulfill compliance requirements.  

Check out details on our vCISO services to get started today if you are interested in conducting exercises for your organization. 


About Rhymetec

Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We've worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – their business. Contact us today to get started.


About the Author

Metin Kortak has been the Chief Information Security Officer at Rhymetec since 2017. He began his career working in IT security and gained extensive knowledge of compliance and data privacy frameworks such as SOC, ISO 27001, PCI, FEDRAMP, NIST 800-53, GDPR, CCPA, HITRUST and HIPAA. Metin joined Rhymetec to build data privacy and compliance as a service offering. Under his leadership, these offerings have grown to more than 700 customers, and the company is now a leading SaaS security service provider in the industry.


Businesses of all sizes handle sensitive data, including customer information, employee records, and proprietary information. In today's world, there are millions of options for protecting that data from cyber attacks—firewalls for protecting corporate networks, anti-malware tools for identifying and blocking malware, penetration tests for exploiting vulnerabilities before attackers do, intrusion detection and prevention systems for monitoring and preventing security incidents.

There is only one risk that cannot be prevented by security systems, regardless of how sophisticated they are: people.

The Need For Cybersecurity Awareness

Errors made by uninformed staff pose one of the biggest risks to organizational cybersecurity. Employees who lack proper training often unwittingly open the door to cybercriminals through seemingly innocent actions, such as clicking on phishing emails or mismanaging sensitive information.

The consequences of such vulnerabilities can be devastating. A 2023 report by IBM shows the average data breach cost has soared to $4.45 million per incident, the highest in the 17-year history of IBM's report. These breaches can result in substantial financial losses, erode customer trust, and lead to legal ramifications and long-term reputational damage.

Providing Effective Cybersecurity Awareness Training

Successful cybersecurity awareness training prepares employees to defend their organizations against evolving threats. Here are a few proactive strategies leaders can implement into their employees' cybersecurity training:

1. Deliver Comprehensive Phishing Training

Phishing remains one of the most prevalent methods cybercriminals use to get unauthorized access to sensitive information. Deceptive emails mimic legitimate communications to entice users to click on malicious links or attachments.

For instance, the 2023 Microsoft Azure data breach used a phishing attack to target mid-level and senior Microsoft executives for financial fraud and data theft. Train your employees to recognize and avoid these tactics, and to report them whenever possible.

2. Perform Regular Security Assessments And Testing

Your organization's security infrastructure requires regular security assessments to maintain integrity. Penetration tests and vulnerability scans help identify and address security weaknesses before attackers can exploit them.

For example, routine testing at a financial institution could reveal previously unknown entry points in its network, allowing the company to fortify its defenses and prevent intrusions such as the breach experienced by Equifax in 2017.

3. Adapt Training To Technological Advancements

Keep your organization's cybersecurity training up to date with the latest threats and technological advancements. Use artificial intelligence (AI) and machine learning tools to simulate real-time cyber-attacks. Give employees practical, hands-on experience in responding to threats, to ensure they understand theoretical concepts and can apply practical skills in real-world scenarios.

Facing Challenges In Implementing Training

Implementing effective cybersecurity awareness training is fraught with challenges ranging from financial constraints to employee resistance. These issues can hinder the development of a security-conscious culture within an organization.

Budget Constraints

Many companies struggle with budget limitations, making it difficult to allocate sufficient funds for comprehensive cybersecurity training programs. Although global cybersecurity spending is expected to reach US $273.60bn by 2028, businesses often allocate only a minimal portion of this budget to employee training. This underfunding results in inadequate knowledge, leaving employees ill-equipped to handle new cyber threats.

Educating upper management on the risks facing your organization may encourage them to allocate more funds to cybersecurity. Highlighting past cybersecurity incidents and their financial implications on businesses similar to yours in size or industry can underscore the value of proactive investment.

Employee Resistance

Resistance to cybersecurity awareness training is another significant hurdle, often due to a lack of understanding of its importance. Employees may view these sessions as disruptions rather than as crucial investments in digital safety. This issue is compounded by many workers not fully engaging with the training material, and companies frequently failing to verify learning retention.

To combat employee resistance, make your training programs engaging and relevant to employees' daily tasks. Simulating real-life scenarios and incorporating gamification techniques can increase engagement and make learning more impactful.

Threat Complexity

Continuously evolving cybersecurity risks mean companies must regularly update training content and methods. Organizations must remain vigilant and proactive, allocating significant resources to keep training programs aligned with the latest threats. Invest in advanced training tools that use AI and machine learning to simulate real-time attacks and provide your employees with practical, relevant experience.

Fostering a culture of continuous learning helps maintain high levels of awareness and preparedness among staff. Sound strategies include regularly scheduled updates, security drills, and the integration of real-world scenarios into training sessions.

[Image: Cybersecurity Awareness For Employees]

Reducing Vulnerability Through Education

As the risks of becoming a cybersecurity attack victim increase, the need for training and awareness also rises. Effective education equips employees with the tools to recognize and respond to threats. It also fosters a culture of cybersecurity awareness that infuses all levels of the organization. By proactively safeguarding sensitive information, your organization will maintain the trust of clients and stakeholders.

Invest in continuous and effective cybersecurity training programs to ensure your workforce can deal with current cyber threats and adapt to future challenges. Emphasize the necessity of targeted training, realistic simulations, and ongoing education that can reduce vulnerabilities and enhance your organization's security posture, boost resilience, and support future success.


You can read the original article posted in Fast Company by Rhymetec CISO, Metin Kortak.




An incident response policy is a comprehensive plan for the role of personnel and technologies in the aftermath of a cybersecurity incident. The primary goal is to minimize damage, contain threats, and quickly restore normal operations. The policies should be specific, tailored to the types of assets your organization has, and crafted according to best practices as laid out by entities like NIST.

Ever received a lengthy security questionnaire from a potential customer? 

Your organization's incident response policy is one area that security questionnaires may focus on. Here are several questions you may find on a security questionnaire on this topic:

These are just some of the questions you may see on a lengthy security questionnaire. Additionally, under SOC 2, Incident Response & Business Continuity/Disaster Recovery appear throughout the criteria all organizations must meet (the Common Criteria) regardless of the selected Trust Services Criteria. 

This article will give you the tools to develop a robust incident response policy or to assess the strength of your existing policies and ensure they will hold up under scrutiny from potential customers, partners, and other stakeholders. 


What Is The Role of An Incident Response Policy? 

There is an asymmetry between attackers and defenders. 

Even organizations that spend tens or hundreds of millions of dollars on cybersecurity can be breached. Building a cybersecurity program based on the warfare principle of defense in depth is absolutely critical, and so is planning for when it fails. 

A robust incident response policy and planning exercises should equip your team, your executives, and your board to deal with a range of potential incidents and scenarios if the worst happens. An incident response policy provides a plan to carry out a set of concrete and specific actions that your organization will take to manage the aftermath of a major security incident. 

Security incidents can come in many shapes and sizes. An employee losing a laptop in an airport with customer data is a security incident, and so is a ransomware group exfiltrating ten terabytes of data. The difference is in scale. Your incident response plan should serve as a business enabler that allows you to react quickly in the event of both small and large security incidents. 


Big Picture Elements of Your Incident Response Policy 

[Infographic: Incident Response Policy And Plan, 5 Steps]

An incident response plan should be comprised of a set of policies and procedures that provide a clear game plan for:

1. Understanding the scope of the incident: The first and most important task during an incident response process is to get a handle on the scope. Is customer data affected? Is employee data compromised? Which IT systems or infrastructure are affected? What else could be affected? What core business processes do the affected IT systems enable? These are just some of the myriad questions that need to be answered early. 

2. Containing the incident: Your incident response plan should also spell out specific policies that will guide how you contain the incident. Critical systems may need to be shut off - who is responsible for making the decision? What is the backup plan if, for example, your company's CRM is unavailable for an extended period of time? These types of questions around incident response planning need a robust and coherent answer. 

3. Notification: All 50 U.S. states have data breach notification laws, requiring companies to notify consumers when their data has been stolen. In addition, organizations such as the U.S. Securities and Exchange Commission have regularly implemented new rules requiring financial institutions to notify them of a breach within 24 hours. 

4. PR and Communication: For a severe enough event, particularly one that falls under notification requirements, it is likely that you will need to issue a formal statement. We recommend being clear, concise, and not attempting to hide or obfuscate information. It is a good practice to explain which systems were affected, which types of data may have been compromised - and which types were not compromised - in addition to any recommended actions for customers or others who may have had sensitive data exposed. 

5. Lessons Learned: After an incident is resolved, you should perform lessons learned. Ask questions like: How did the plan work? Were there any failures or portions that weren't adequately carried out? Was it clear who was responsible for each piece of the incident response process?


Putting Your Incident Response Plan Into Practice

Incident response plans are only as valuable as the amount of damage they mitigate in a real-life incident. At Rhymetec, we recommend doing tabletop exercises. Schedule time every year to practice going through an imagined incident in order to understand how well your plan works in practice. This gives your team hands-on practice in reacting to real-life incidents, quickly getting a grasp on what has been compromised, and examining which systems and core business functions will be compromised. 

During incident response planning exercises, it's also important to involve the different stakeholders across the organization who may be impacted by sudden outages or other problems. Test out different scenarios to better understand which systems are essential for the business to keep operating and which controls might fail in the event of a real incident. 

Incident Response Plan

Let's go over the phases of an incident response plan. Here's what you should do before an incident, during an incident, and after an incident:


Before An Incident: Pre-Conditions For Effective Recovery

Not all incident response teams are equally effective. NIST regularly publishes general guidance on cybersecurity event recovery. NIST's special publications serve as a great resource for in-depth incident response steps for malware incident handling and ransomware protection and response.

Here are a few best practices for pre-conditions to enable effective recovery. These are things you should already have in place before an incident occurs and should be continuously updated:


During & After The Incident 

Here are a few best practices, again based on the guidelines set forth by NIST, that you can use to make sure you are maximally efficient when responding to a serious IT infrastructure or security incident: 


In Conclusion: The Importance of Having A Documented Incident Response Policy

According to IBM, it takes companies nearly 70 days to contain a security incident on average, and only 45% of companies have an incident response plan in place. Going forward, it is important to get that number up across the board, especially for smaller organizations that often lack the same in-house security resources large companies have. 

Cybersecurity for startups and SMBs is just as critical as it is for large companies. Organizations are increasingly using similar services and infrastructure, which means companies' attack surfaces look more and more alike regardless of size. 

Having a plan in place enables organizations to respond swiftly and effectively in the event of a security incident. At Rhymetec, we work closely with our clients to respond effectively to incidents, document the recovery process, and create detailed post-mortem reports based on lessons learned. 


About Rhymetec

Our experts have been disrupting the cybersecurity, compliance, and data privacy space since 2015. We make security simple and accessible so you can put more time and energy into other critical areas of your business. What makes us unique is that we act as an extension of your team. We consult on developing stronger information security programs within your environment and provide the services to meet these standards. Most organizations offer one or the other. 

From compliance readiness (SOC 2, ISO/IEC 27001, HIPAA, GDPR, and more) to Penetration Testing (Web Application Pentest, API Pentest, External Network Pentest, and Mobile Application Pentest) and ISO Internal Audits/ISO Compliance, we offer a wide range of consulting, security, vendor management, and compliance management services that can be tailored to your business environment.

If you're ready to learn about how Rhymetec can help you, contact us today to meet with our team.
