- Tabletop exercises are used most frequently to prepare companies to respond to cyberattacks, however only one-third of organizations perceive the exercises as "highly effective" for preparation, according to a July study by Osterman Research in association with Immersive Labs, a company that develops human-readiness skills in cyber.
- Two-thirds of organizations perform tabletop exercises once a year or less, while 23% of organizations conduct them "without any sort of set schedule," according to the report, which surveyed more than 400 cybersecurity professionals with experience in tabletop exercises. Researchers concluded most organizations are likely performing tabletop exercises "less often than necessary" for meaningful cyberattack readiness.
- The majority of organizations spend an average of $30,000 per tabletop exercise, but 20% spent more than $50,000 on their most recent test. The price tag is largely based on how many employees participate in the exercise; half of the survey respondents said more than 10 people are involved in each exercise.
The fallout of a cyberattack is often measured by how well the victim company responds.
Tabletop exercises most commonly test for business continuity, followed by brand reputation, an organization's liquidity, and share price, according to the report.
The more often organizations engage in tabletop exercises, the more likely they are to practice a variety of response scenarios. However, because exercises aren't performed often, the most common tabletop scenarios are based on data breaches, ransomware attacks, and phishing attacks. Only 15% of organizations conduct five or more different attack scenarios, according to the report.
Sixty percent of respondents say to truly be better security, they need to buy more technology. But the board controls the purse strings, and it need to understand their ROI, whether for new technologies or more frequent tabletop exercises.
"The most important aspect of any crisis preparedness scenario is getting C-suite level buy-in. Without this, nothing happens," said Max Vetter, chief cyber officer at Immersive Labs. Because tabletop exercises are so expensive, organizations need quicker response times to prove to board members their necessity.
By adopting micro-drills, companies can delegate cross-section teams, or teams where expertise is divided into smaller groups. Micro-drills could facilitate more scenarios if an organization isn't conducting many tabletop exercises or different scenarios.
"It is crucial that teams switch thinking from being able to respond to a few set scenarios, to building the muscle memory," that allows them to respond to any kind of cyberattack, said Vetter.