data security training, tabletop exercise, cyber security tabletop exercise, incident response plan

Learn how to prepare for a data breach by conducting drills, exercises, and trainings. 

david ellis, tabletop exercises, data security training, cyber security tabletop exercise, incident response plan, employee training
David Ellis
SVP, Investigations
Massive data breaches—and their devastating aftermath—are increasing in frequency. Businesses have taken renewed interest in planning for inevitable attacks on, and possible breaches of, their cardholder data environment. In this post, we’ll cover best practices for holding “tabletop exercises” like drills, discussions, and trainings, to make sure your business is prepared and protected in the event of a breach.

In their Guide for Cybersecurity Event Recovery, The National Institute of Standards and Technology (NIST) states that your Incident Response Plan will have 6 phases:

    data security training, tabletop exercise, cyber security tabletop exercise, incident response plan
  1. Preparation
  2. Identification 
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

This article focuses on parts of Phase 1— “Preparation”— as it’s different from the other five phases. It is the foundation of your entire incident response plan. Technically, you should always be in Phase 1, by holding regular training, drills, and incident-response-plan review. You will perform the vast majority of your planning and work during phase 1. During this phase, you should:

  • Ensure your employees are properly trained regarding their incident response roles and responsibilities in the event of data breach.
  • Develop incident response drill scenarios and conduct mock data breaches, at least annually, to evaluate the effectiveness of your incident response plan.
  • Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved, funded, available, and inventoried, in advance.

Your response plan should be thoroughly written, explaining everyone’s roles and responsibilities in detail, and you should document to whom it is distributed as well as the dates they received training regarding their role(s). Then the plan must be tested in order to assure that your employees will perform as they were trained.  The more prepared your employees are, the less likely they’ll make critical mistakes in the event of an actual breach incident.

SEE ALSO: 5 Things Your Incident Response Plan Needs

Types of Cyber Security Training Exercises

The point of running security incident response exercises is to increase awareness, test training effectiveness, and start discussions. Everyday drills and exercises can be as short as 15 minutes; where large-scale coordinated drills can last up to a day or two.  Your annual training should include at least one large-scale drill, while smaller table-top drills may be conducted more frequently according to your company needs.

In a discussion-based table exercise, you and your staff discuss response roles in hypothetical situations. A discussion-based tabletop exercise is a great starting point because it doesn’t require extensive preparation or resources, while still testing your team’s understanding of their incident response roles to potential real-life scenarios without risk to your organization. However, this exercise doesn’t fully test your incident response plan or your team’s actual response actions.

In a simulation exercise, your team tests their incident responses through a live walk-through that has been highly choreographed and planned. This exercise allows participants to experience how events actually happen in semi-real time, helping your team better understand their roles. Simulation exercises require more time to plan and coordinate, while still not completely testing your team’s capabilities.

In parallel testing, your incident response team actually tests their incident response roles in a safe test environment.  Parallel testing is the most realistic simulation possible and provides your team with the best feedback about their roles. However, parallel testing is more expensive
and requires more time planning than other exercise because you need to simulate an actual production environment (e.g., segregated systems, networks).

Data Security Training Tips

data security training, tabletop exercise, cyber security tabletop exercise, incident response plan
Before running through your exercises, consider these questions:

  • Have your security policies and incident response plan been approved by appropriate management?
  • Has everyone been trained on your security policies?
  • Does the Incident Response Team understand their roles, including making any required notifications?
  • Are all Incident Response Team members prepared to participate in mock drills?

When designing your tabletop exercise, prepare the following exercise information:

  • A facilitator guide that documents your exercise’s purpose, scope, objective, and scenario
  • A list of questions to address your exercise’s objectives
  • A participant briefing that includes the exercise agenda and logistics information
  • A participant guide that includes the same information as the facilitator guide, without the facilitator guide questions (or it may include a shorter list of questions designed to prepare participants)
  • An after-action report that documents the evaluations, observations, and lessons learned from your tabletop exercise staff

As you conduct your exercises, keep an eye out for a few things:

Task Timing:  Note how long certain tasks and operations seem to take under pressure. How long does it take to disconnect all of your potentially affected systems from the internet? How quickly can the team get a formal statement together? How quickly can they pull together a list of affected customers? If you do experience a data breach, there may be requirements for how soon you need to report it—especially if the suspected breach includes either HIPAA or PCI data.

Increased Volume:  You should test the ability of departments (like your call center, IT department, website, etc.) to expand and meet the demands of a data breach’s aftermath. Can your IT team handle an increase in internal requests? How many customer support calls can you realistically handle? Who will deal with the increase in customer questions on your website or your social media accounts?

Snags in the Plan:  Expect that some things may not go as planned.  This is not a cause for panic, as discovering issues that you were not prepared for is one of the primary reasons for conducting mock breach exercises.  Simply watch out for anomalies, note them, and address them either during the course of the mock exercise, or through the after-action process. This will also help you to develop contingency plans and alternative action scenarios. For instance, if someone plays a critical role in the incident response plan but happens to be out of office that day, what will you do?

After conducting a mock data breach exercise, be sure to set up a debrief meeting to discuss response successes and weaknesses. Your team’s input will help you know where and how to make necessary revisions to your incident response plan and training processes.


A Different Kind of Prevention

While it would be great to be able to prevent each and every data breach before it happens, in today’s world it’s often just not possible. While you still need to take all appropriate security measures and comply with all PCI and/or HIPAA requirements, it’s important to keep a “not if, but when” mindset when creating your incident response plan—remember, the designers of the Titanic didn’t think that it could sink. These exercises are an important part of your company’s security habit, and are intended to test your response plan, increase confidence, identify related strengths and weaknesses, and decrease collateral damage.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.