How to Run a Cybersecurity Tabletop Exercise for Your Small Business
What a tabletop exercise is
A cybersecurity tabletop exercise is a guided, discussion-based walkthrough of a hypothetical security incident. Your team gathers around a table — or a video call — and talks through how they would respond to a realistic scenario, such as a ransomware attack or a data breach, step by step. Nobody touches a keyboard or changes anything on the systems; the value comes entirely from the conversation. It is the security equivalent of a fire drill, and for a small business it is one of the highest-value, lowest-cost preparedness activities available.
The point is to discover the gaps in your incident response plan before a real attacker does. Plans look complete on paper until you try to use them, at which point you find the unanswered questions: Who actually makes the call to shut systems down? Who contacts customers? Do we even have the after-hours number for our IT provider? A tabletop surfaces those problems in a calm, blameless setting where they cost nothing to fix.
Why small businesses should do them
Small businesses often assume exercises like this are only for large enterprises with dedicated security teams. The opposite is true. Large companies have layers of staff and documented procedures; a small business may have one or two people who would have to handle everything during a crisis, often while the business is bleeding money by the hour. That makes practicing the response even more important. A tabletop builds the muscle memory and shared understanding that lets a small team act decisively under pressure, and it does so for the price of an hour or two of everyone’s time.
How to plan your exercise
Choose a realistic scenario. Pick an incident that could genuinely happen to your business — ransomware locking your files, an employee falling for a phishing email, a stolen laptop, a vendor breach that exposes your data, or a wire fraud attempt. Realism keeps the discussion grounded.
Invite the right people. Include everyone who would have a role in a real incident: the owner, whoever handles IT (internal or your outside provider), the person who manages finances, and someone who would handle customer communication. The mix matters, because incident response is rarely one person’s job.
Assign a facilitator. One person guides the discussion, presents the scenario, and introduces complications along the way. This can be the owner, an IT lead, or an outside consultant. The facilitator’s job is to keep the conversation moving and probe for gaps.
Keep it short and focused. An hour to ninety minutes is plenty. The goal is a productive discussion, not exhaustion.
Running the exercise
Start by presenting the scenario as it would first appear — for example, “An employee reports that their files have been encrypted and there is a ransom note on their screen.” Then work through the response as a discussion. Walk the team through detection, containment, and recovery: How would we notice this? Who do we tell first? What do we shut down, and who has the authority to do it? How do we figure out what was affected? When and how do we notify customers, and are we legally required to? Do we have backups, and do we know they work?
As the conversation unfolds, the facilitator injects realistic twists to deepen it: the backups turn out to be a week old, the IT provider is unreachable, the attacker threatens to leak data, a customer or reporter starts asking questions. Each complication tests a different part of the plan and reveals where it falls short. The discussion almost always uncovers surprises — a missing contact, an unclear decision-maker, an assumption that does not hold.
Capturing the lessons
The exercise is only valuable if it produces action. Assign someone to take notes throughout, capturing every gap, question, and “we should really have X” that comes up. Afterward, turn those notes into a short list of concrete improvements: update the incident response plan with the missing steps, gather the contact numbers you did not have, fix the backup gap you discovered, clarify who has authority to make key decisions. Assign an owner and a due date to each item so the findings translate into real changes rather than a forgotten conversation.
Scenarios to get you started
If a blank page is the obstacle, start from a ready-made scenario and adapt it to your business. A ransomware scenario — an employee finds their files encrypted with a ransom note — tests detection, backups, and the decision about whether to pay. A stolen or lost laptop scenario tests device encryption, remote wipe, and what data was exposed. A business email compromise scenario, where a fake “owner” or vendor email triggers a wire transfer, tests your payment verification controls. A vendor breach scenario, where a supplier reports that your shared data was exposed, tests notification and customer communication. A phishing scenario, where someone clicks a link and enters credentials, tests account lockdown and detection. Run a different one each time so you cover the range of threats your business actually faces. Reputable organizations like CISA and NIST publish free tabletop materials and templates you can borrow from, so you do not have to build the exercise from scratch.
Making it a habit
One tabletop is far better than none, but the real benefit comes from repetition. Run an exercise once or twice a year, varying the scenario each time so you cover different threats — ransomware one time, a business email compromise or insider mistake the next. Each round reinforces the team’s readiness and catches the new gaps that appear as your business, staff, and technology change. Over time, these short, inexpensive sessions transform incident response from a document nobody has read into a practiced capability — so that when a real incident strikes, your small team responds with clarity instead of panic.
If you have never run one, do not let the fear of doing it imperfectly stop you. A rough first exercise that surfaces even two or three gaps is a clear success, and each round gets sharper. Simply getting the right people in a room to think through a crisis together is itself the win, and the polished process comes with practice.