Background
Two companies in the energy sector partnered with Blackink IT to proactively prepare for cybersecurity incidents by participating in a simulated cybersecurity incident tabletop exercise. These organizations understood the importance of evaluating their dependencies on information systems and identifying what would happen if critical resources were unavailable. They wanted to determine how quickly those resources would need to be restored to maintain business continuity. The exercise was designed to help them think through their response in the heat of the moment, especially how and when communication would occur during an incident. It also served as an educational opportunity to guide them through the process of incident response.
The Opportunity
The companies realized the need to become more proactive in their cybersecurity approach. While technical controls – such as NERC Reliability Standards and CIS v8.1 Controls – are important to a cyber defense strategy, organizations also need to consider the human element of how their teams would respond and react during a real-world scenario. The exercise also helped fulfill requirements of regulatory frameworks and cyber insurance. Increasingly, insurance providers are requiring organizations to conduct formal incident response tabletop exercises as part of their coverage criteria, making this initiative not only strategic but necessary. The tabletop exercise provided a safe and structured way to explore these challenges. It allowed them to uncover gaps in knowledge and communication, giving them the opportunity to address vulnerabilities before facing an actual incident.
Both organizations approached the exercise with the understanding that cybersecurity incidents are no longer a matter of “if,” but “when.” This mindset helped frame the importance of the exercise and reinforced the need for proactive planning and preparedness.
The Implementation
Blackink IT conducted the tabletop exercise in person with key stakeholders from both organizations. The session was led by Blackink’s security experts and required no preparation from participants. The goal was to challenge the organizations to respond as they would in a real incident, without anticipating the scenario. Participants were asked to consider what they knew at that moment and how Blackink IT could help them learn more to become proactive. The exercise focused on identifying roles and responsibilities during an incident, including who should be contacted, who communicates with staff, clients, and the IT team, and who manages relationships with the cyber insurer, broker, and legal counsel. Confidentiality and reputational risk were also key considerations.
The Results
The results of the tabletop exercise were twofold. First, it raised awareness across both organizations about the importance of having a structured response plan. Second, it resulted in the creation of a formal written incident response plan. This plan not only clarified roles and responsibilities but also served as evidence that the organizations had prepared for such scenarios. It supported insurance compliance and provided a documented framework for future incidents.
The exercise improved communication by providing guidelines for internal and external messaging, which helps ensure stakeholders are informed and reduces the spread of misinformation. It helped participants understand what they were protecting and how to minimize the damage a cyber incident could cause. It also highlighted how their information systems were protected and where vulnerabilities existed.
The exercise demonstrated that a well-defined response plan can help contain and mitigate the effects of a cyber incident, reduce potential damage to systems and data, and ensure a quicker recovery. It guided decision-making by clarifying roles and responsibilities, protected sensitive data by ensuring compliance with regulations, and reduced costs by preventing prolonged disruptions. Additionally, it enhanced the organizations’ overall security posture and built customer trust by showing preparedness. The exercise helped participants understand the data they were collecting and what needed to be done to protect it. It raised awareness that allowed them to implement solutions for timely recovery and potential cost savings.