Regular testing of your incident response plan has many benefits. Learn more about how tabletop exercises can help you prepare for a variety of threats and risk scenarios. There are millions of reasons–literally–why companies should test their cybersecurity incident response plans regularly. According to IBM’s Cost of a Data Breach Report 2022, companies that didn’t test their IR plans paid on average $5.92 million in breach expenses, while those who tested their plans paid $3.26 millions. This is a significant increase of $200,000 over the previous year and demonstrates that your plan is causing more damage than it is worth.
Regular testing of incident response plans can have other benefits, such as faster recovery times and a lower chance of a cybersecurity incident. According to an IBM report, 27% of organizations don’t have incident response plans. 63% of those who do have plans regularly assess them. It’s a recipe to disaster that can be avoided if you practice your response and adjust it for improvements. Chris Loehr, executive vice-president and CTO at Solis Security, spoke during a breakout session called Developing and Executing Effective Tabletop Exercises at CompTIA ChannelCon 2022.
Tabletop exercises can help organizations and their employees better prepare for a variety of threats and risk scenarios. They also provide valuable feedback to cybersecurity teams responsible for protecting the business.
“We see bloodshed every day on the incident response side. There are companies that have an IR strategy, but they don’t test it. Loehr stated that it looks like they took a template and did an “find-and-replace” and then went to the races.
Related Blog: Why Practice Should Be Part of Your Incident Response Procedure Routine
Create a Tabletop Exercise
It is important to not make mistakes when testing your incident response plan. Instead, learn from them and improve your plans for the next time. “The point of testing your incident response plan is to identify gaps and efficiencies, and allow people to ask questions. Do not try to squeeze it all in 45 minutes. Loehr said that this is a learning exercise.
Here are some guidelines to help you implement a tabletop exercise that is successful:
For all roles, including backups, someone is available
Everyone present will be free from distractions (i.e. phones)
Give yourself plenty of time to complete the exercise
Facilitators should not be assigned a role in the exercise.
Everyone should be aware of the exercise before they begin (no surprises).
However, the exact scenarios shouldn’t be revealed in advance
Third parties involved in an incident should be accounted for
Do not be hard on yourself, but do your best to be productive

“If you do one in six months and the next in six months, they should be completely different.” These exercises should get larger and more complex as you do them,” Loehr said. You must also account for third parties, especially in the MSP business. It doesn’t make sense if your client does an incident response exercise without you and you are responsible for their IT. It is important to determine how everyone should participate in the exercise. This will help you to understand how they will react to an incident situation.
Plan a successful MSP Exercise
A solid incident response plan is the first step in a tabletop exercise. You might consider creating a plan that only you, the MSP, are affected and another that impacts clients.
Loehr stated, “You need someone to own the incident response plan(s), and that they are vigilant in making sure that changes and reviews are made.”
Second, it may be a good idea to let certain members of your team know that you are conducting an exercise. This is to reflect real-life situations where employees might not be able to help.
“What would you do in such a situation?” “What would happen in this situation?” You don’t want that for your first tabletop. Instead, you want to see what happens. Next, take John out. Loehr said that this forces other players to fill in for the roles.
Planning a successful exercise with clients
MSPs should not only conduct internal exercises but also conduct tabletop tests with customers. The logistics of getting multiple parties and organizations involved can quickly become complicated. Consider the client’s vertical industry, location, and possible regulatory requirements.
“You don’t want to spend 30 minutes, or an hour on a phone call.”