5 steps to stronger cyber oversight and action: Running tabletop exercises for your board
If a cyber attack takes your central resources offline, how ready are you to respond? Does your leadership team know how to present the situation to donors and the press?
If a cyber criminal is holding your data for ransom, does the organisation have an answer? What about risks to the mission, and your reputation?
In today’s cybersecurity landscape of heightened scrutiny and greater expectations of transparency, nonprofit boards often take the blame for mistakes and mishaps. You need to be ready for anything — and that’s where tabletop exercises come in.
These face-to-face, high-intensity stress tests offer an opportunity to practice next steps and short-term recovery in a risk-free environment. The discussions that follow uncover weaknesses and gaps critical to long-term resilience, and can inform strategic decisions about resource allocation and build community confidence by demonstrating how seriously you take your mission, donor contributions and the communities you serve.
“Cybersecurity is not something that just impacts big companies. It impacts really all of us at an individual level and on an organisational level and nonprofit organisations are very much in the crosshairs of cyber criminals.” – Dottie Schindlinger, Vice President, Thought Leadership
Diligent Institute
Real-time tabletop exercises provide a unique, outside-in perspective on cybersecurity and help you find vulnerabilities you might otherwise miss. Here is a five-step walkthrough for productive tabletop exercises.
5 steps to stronger cyber oversight and action: Running tabletop exercises for your nonprofit’s board
1. Establish the who, where and when
Any tabletop exercise starts with bringing the right people to the table.
For administrators testing the cybersecurity readiness of their charity, school board or city council, your invite list should include at least these key players:
- The designated leader for incident response in your organisation.
- The CEO to oversee everything and keep the board informed.
- General and outside legal counsel to ensure the organisation adheres to legal requirements, coordinates with law enforcement and advises on all communications.
- The donor relations lead to handle media requests and coordinate communications.
- Board members to ask questions, review reports and provide oversight — and ultimately decide on a high-level response to the incident.
- The board chair to identify the company’s risk appetite and sign off on communications with major donors, stakeholders and affected community members.
During the exercise, these participants perform their regular roles and responsibilities, discussing and initiating actions in response to the simulated emergency. Facilitators moderate interactions and play the role of all outside forces, answering questions and providing updates on the simulated situation. Facilitators may also bring in subject matter experts or observers to provide extra realism and support.
One vital but often-overlooked team member: notetakers. They should be equipped with pen and paper or a fully charged laptop for documenting discussions and activities for future reference.
Once you’ve decided who should attend, establish a time and place, and block out up to two hours, ideally in a single meeting, and pay attention to participants’ time zones when scheduling. Set up a meeting room with the necessary A/V capabilities and high-speed connectivity — and keep accessibility top-of-mind for in-person and virtual attendees alike.
Finally, assemble the materials participants will need throughout the exercise. These likely include a copy of your organisation’s cyber insurance policy, incident response plans and templates for crisis communications.
2. Create your scenario
Now it’s time to design the heart of the exercise: the simulated threats your board and other leaders will need to respond to.
The event should kick off with a plausible form of emergency alert. That might be a phone call reporting a data breach or an email identifying unusual network activity. Think about what threats are likely and what forms of risk are trending in your industry or sector, then draw on real-world situations and lived experience.
Unfold elements of the attack in phases, as would likely take place in an actual cybersecurity breach. Common stages include:
- The incident itself
- The investigation
- Assessment of impact — on regulatory compliance, reputation, donations and beyond
- “Injects” of new developments, like an attempt to disrupt services to vulnerable populations or new phishing emails sent out using the organisation’s email lists
- Response and recovery
Finally, incorporate quick “knowledge checks” throughout, like multiple choice questions or “select all that apply” checklists. These assess learning and progress.
3. Put the exercise into action
With the plan and components in place, it’s go time! Even though these scenarios are fictional, instruct participants to act as though events are really happening. Encourage open communication and active participation: asking for clarification, questioning assumptions and more.
Framing is important to the exercise’s long-term value. Reassure participants that this is a learning experience, not a blame game. They should expect to make missteps and identify gaps — that’s what this experience is for, and it’s better to find them now instead of during a real incident.
4. Talk through how everything went
The after-action review is your opportunity to discuss what went well, challenges you encountered and areas that need improvement. For example:
- Did the CISO’s briefing include all necessary information, and did board members ask the right questions in response?
- How well are departments communicating and coordinating throughout the response process? Are there any missing steps in their processes or missing links in the chain of command?
- Are incident response, business continuity and communication plans up to date and up to the challenge? Are there gaps to fill or amendments to make?
5. Put your learnings to work
Too often, organisations conduct a tabletop exercise only to leave valuable learnings behind in the event notes. Other times, they fail to implement necessary changes to their response, recovery and communications plans until it’s too late.
For this reason, treat tabletop exercises as an ongoing journey, not a one-and-done task or standalone item to check off your to-do list. Incorporate findings into your policies and procedures. Use feedback to guide future investments and improvements. And regularly update your scenarios to reflect evolving threats and technologies.
BoardEffect streamlines tabletop scenarios and solutions
If this all sounds like a lot to keep organised, updated and secure, you’re right — it’s an exercise that demands an appropriate toolkit. Next-generation board management software like BoardEffect is here to help, offering an all-in-one platform through which you can plan, coordinate and carry out complex exercises or real-world responses.
BoardEffect’s comprehensive array of features empower boards to navigate today’s cybersecurity landscape and manage risk:
- Hosting plans, policies, briefings, after-action reports and other documents in a secure, central repository
- Replacing ad hoc communication over unsecured personal channels with a secure portal
- Streamlining interactions between board members, from meeting planning to holding votes
Digitise old workflows and simplify meeting preparation. Move key details online — and protect them with the most recent innovations in cybersecurity. Then, with your technological foundations secure and everyone on the same page, move into testing mode.
In today’s cybersecurity climate, tabletop exercises are an ideal opportunity to lead by example and keep your board prepared and proactive. Schedule a call with Diligent to talk about BoardEffect and available educational resources.
