To keep all employees on the same page regarding cybersecurity precautions, it is essential to be proactive. Tabletop exercises and simulations are a great way to test the security judgment of staff and pinpoint areas that need improvement.

A Tabletop Exercise is not a real-time simulated event but a round-table discussion of a hypothetical scenario. It lets diverse opinions be heard and shows where each employee stands in their security knowledge.

A Simulation is a real-time, orchestrated event that reproduces the timeline of a real cybersecurity incident. Simulations are better at capturing the heat-of-the-moment instincts and decisions of employees.

Tabletop Exercise Ideas:

  1. Discuss how everybody should conduct themselves in the event of a large-scale phishing incident targeting every employee, both on-site and remote. The chain of escalation, analysis methods, and incident response actions for compromised accounts/systems should all be emphasized.
  2. Discuss the steps to take in the event of a data breach through a third-party vendor. Communication with stakeholders and customers, password changes, and vendor reappraisal should be major talking points.
  3. An Insider Threat scenario where a disgruntled employee defaces the company's social media pages and walks out with removable storage. The responsibilities of individual employees to report the actions of the threat actor should be highlighted. This scenario would also be a good opportunity to discuss policies regarding removable media.
  4. A critical ransomware infection scenario where several user workstations are compromised and the infection appears to be spreading to other systems. This scenario raises discussions regarding quick incident response and playbook execution, disaster recovery, backups, network isolation, and system re-imaging.

Simulation Ideas:

  1. A phishing simulation where a fake phishing message is generated by AI and sent to all employees from a burner email address on a domain you control. Coordinate with the mail administrators and the security team beforehand so the message is not blocked by filters or escalated as a real incident. This could help you understand where employees stand with their phishing identification skills. Alternating between obvious scams and more sophisticated messages could be useful.
  2. Drop a few removable flash drives containing only harmless junk files (no executable payload) in locations like the parking lot or break room. Pay attention to whether employees report them right away or plug them into their devices to view the contents.
  3. Spin up a rogue access point on an old Wi-Fi router, with a network name resembling the corporate one, and see how many employees attempt to connect to it. Only log connection attempts; do not pass or capture any traffic.
  4. A business continuity scenario where the on-premises network is turned off before work hours. When employees come in for work, measure the response times for pre-configured business continuity activities.
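The phishing simulation above only produces useful data if clicks and reports can be tied to individual recipients without anyone being able to forge or guess another person's tracking link. The following is an added example, not code from the original page: it issues an HMAC-based tracking token per recipient, maps incoming events back to recipients, rejects tokens that were never issued, and classifies each employee as having reported, clicked, or done nothing, along with the time to the first report. The campaign name, addresses, key and event log are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime

# Hypothetical per-campaign secret; keep the real one out of source control.
CAMPAIGN_KEY = b"example-key-replace-me"


def make_token(campaign_id: str, email: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Tracking token for one recipient in one campaign.

    An HMAC over campaign and address means a token cannot be guessed,
    reused from an earlier campaign, or forged to make a colleague look
    like they clicked. The lure's link carries it as a query parameter.
    """
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def resolve_token(campaign_id, token, recipients, key=CAMPAIGN_KEY):
    """Map a token back to a recipient, or None if it was never issued."""
    for email in recipients:
        if hmac.compare_digest(make_token(campaign_id, email, key), token):
            return email
    return None


def score_campaign(campaign_id, sent_at, recipients, events, key=CAMPAIGN_KEY):
    """Classify each recipient and summarise the campaign.

    events: iterable of (iso_timestamp, kind, token) where kind is
    'click' (tracking link opened) or 'report' (message reported via a
    report-phishing button or helpdesk ticket). Unknown tokens are counted
    but never attributed to anyone.
    """
    first_click, first_report, unknown = {}, {}, 0
    for ts, kind, token in sorted(events, key=lambda e: e[0]):
        who = resolve_token(campaign_id, token, recipients, key)
        if who is None:
            unknown += 1
            continue
        table = first_click if kind == "click" else first_report
        table.setdefault(who, datetime.fromisoformat(ts))

    outcomes = {}
    for email in recipients:
        c, r = first_click.get(email), first_report.get(email)
        if c is None and r is None:
            outcomes[email] = "no_action"
        elif c is None:
            outcomes[email] = "reported"
        elif r is None:
            outcomes[email] = "clicked"
        else:
            outcomes[email] = "clicked_then_reported" if c < r else "reported_then_clicked"

    sent = datetime.fromisoformat(sent_at)
    reported_before_click = sum(
        1 for e in recipients
        if e in first_report and (e not in first_click or first_report[e] < first_click[e])
    )
    summary = {
        "sent": len(recipients),
        "clicked": len(first_click),
        "reported": len(first_report),
        "reported_before_click": reported_before_click,
        "click_rate": round(len(first_click) / len(recipients), 2),
        "report_rate": round(len(first_report) / len(recipients), 2),
        # Seconds from send until the first report reached the team; None if nobody reported.
        "first_report_seconds": (
            min((t - sent).total_seconds() for t in first_report.values()) if first_report else None
        ),
        "unknown_tokens": unknown,
    }
    return {"outcomes": outcomes, "summary": summary}


# Constructed sample campaign: five recipients and a small event log.
CAMPAIGN = "q3-invoice-lure"
SENT_AT = "2024-05-06T09:00:00"
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com",
              "dave@example.com", "eve@example.com"]


def _tok(email):
    return make_token(CAMPAIGN, email)


SAMPLE_EVENTS = [
    ("2024-05-06T09:01:30", "click", _tok("alice@example.com")),
    ("2024-05-06T09:02:00", "report", _tok("bob@example.com")),
    ("2024-05-06T09:05:00", "click", _tok("carol@example.com")),
    ("2024-05-06T09:06:40", "report", _tok("carol@example.com")),
    ("2024-05-06T09:01:00", "report", _tok("eve@example.com")),
    ("2024-05-06T09:03:00", "click", "deadbeef" * 3),  # forged or garbled token
]

if __name__ == "__main__":
    result = score_campaign(CAMPAIGN, SENT_AT, RECIPIENTS, SAMPLE_EVENTS)
    for email, outcome in result["outcomes"].items():
        print(f"{email:20} {outcome}")
    print(result["summary"])
```

The per-recipient outcomes are what you discuss with individuals; the summary (click rate, report rate, how many reported before clicking, and how quickly the first report arrived) is what you track across campaigns to see whether the program is working. Because the results page is keyed on the HMAC token, the campaign endpoint can also reject any request whose token does not resolve to a recipient rather than logging it as a click.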

These activities should be done on a regular, but not intrusive, basis. It is important to remain ethical when performing them. You are not trying to blame or single out employees for gaps in their cybersecurity knowledge. These activities are nothing more than a way to gather data on the cybersecurity posture of your organization's people. Be open with the results and discuss them with your cybersecurity team and with the individual employees themselves.