
Beyond Prepared: Practical steps to using Tabletop Exercises

Join us for a webinar that provides the framework for implementing Tabletop Exercises for your client. Learn how these exercises can prepare, protect, and propel organizations in today’s volatile cyber world.

60 min


In this webinar you’ll learn about:


  • What is a Tabletop Exercise and how it educates and prepares your clients to embrace security
  • How to get started and how to use scenarios
  • How to translate the results of your tabletop exercise into an Incident Response Plan
This session is perfect for MSPs, cybersecurity professionals, IT managers, compliance officers, and anyone keen on taking their cybersecurity strategy to the next level.

Featured next-gen speakers:

Eddie Phillips, Sr. Manager, Global Channel Sales - OEM, ThreatDown
Muna Assi, Head of Product Marketing Team, Atera


Webinar transcript


Muna: Eddie, thank you for joining. You gotta love all of this technology. 

Eddie: Here we go, right? Yeah, I’m new to this thing. 

Muna: Wonderful. So, Eddie, tell us a little bit about yourself and your role. 

Eddie: Oh yeah, so my name is Eddie Phillips. I’m with ThreatDown, and my title is a very long mouthful—Senior Manager of Channel Sales OEM. But I’m also one of the cybersecurity evangelists for ThreatDown, and so I’m absolutely thrilled and honored to be here with you today, Muna, and all the wonderful people with Atera and the people that are joining us today. We’re going to have a blast today, I’m sure. So, what’s in store for us today? What are we going to cover, and do we need to be prepared? Does the audience need to bring anything to be prepared for today’s session? 

Eddie: Hey, you know what? I think I’ve got a QR code somewhere along the way, so you want to have your phone handy or take a screenshot. I’ve got a URL for some resources I want to share. But really, today is about overcoming some challenges. So, I mean, I’m going to get into just a little bit of my background, but I did own an MSP for 14 years. Prior to that, I worked in the enterprise, and I know what it’s like to get, and I hate to use the word stagnant, but a lot of companies and a lot of IT professionals get a bit stagnant, right? Because the change is so constant with IT and around security that we just kind of need that bump to make sure that we’re raising the bar, increasing that awareness, and doing the best for our clients. So that’s a sneak peek of what we’re about to get into. 

Muna: I absolutely agree, Eddie. And obviously, with a lot of the MSPs and even with corporate IT, I mean, we see it today within our own organizations. The demands are changing daily, and you know, you gotta stay on top of it if you want to differentiate, if you want your services to be top-notch. So I think you never always know it all, so it’s great that we’re having this session. Just a reminder to the audience, we are recording this session, and it will be available in about 24 hours after the session. We’ll send out an email with the link and any resources that Eddie’s providing us, we’ll share those as well. And yeah, let’s get started. Eddie, I’m giving you the floor. I do invite everyone to share questions, please. We will be addressing them towards the end, so if you’ve got any questions for myself or for Eddie, feel free to write them, and we will be addressing those. Thanks, Eddie. The floor is yours. 

Eddie: Fantastic. Just to confirm, Muna, you can see my first slide? 

Muna: I can. 

Eddie: Awesome. All right, perfect. So here’s what we’re gonna do, everybody. We’re gonna talk about being prepared, practical next steps, you know, with tabletop exercises. Just a step back before we get into it, and this session is targeted towards anybody who’s in IT, certainly around cybersecurity, whether it is on the enterprise side or the small business side. And certainly, if you know, you’re an MSP. I already hinted at the fact that we’re going to talk about raising the bar in security, about making sure we’re positioning ourselves in the best light possible. But let’s be honest, we also want to grow our business. So you’re going to notice something as we talk about this. A lot of the talk around being prepared, around preparedness, around tabletop exercises is going to be increasing services, right? So it doesn’t fall short on me, and it shouldn’t fall short on you, that talking about the things we’re going to talk about today, putting your clients in the position that we’re going to be putting them in so that they have to address the current cybersecurity crisis is going to force them to invest in bigger and better solutions. 

Let me start off with a story. I’m going to give you a little bit of it now, and we’re going to finish it as it becomes relevant throughout this presentation. So I mentioned I owned an MSP for 14 years—actually, two MSPs. I sold my latest MSP in 2022. But prior to that, we used to leverage tabletop exercises quite a bit. In fact, some of the time, some of the clients were so enamored with tabletop exercises that we were able to introduce better and better scenarios, right down to being able to do disaster simulations. Let me tell you about this one client just to get us going. We had a client that was a manufacturer, and they were really concerned about the stability of their environment. They were really concerned about what would happen because of some of the education that we were doing and because we were leveraging the techniques I’m going to talk to you about today. We ended up doing a disaster simulation. We decided to simulate a server outage, whether it be ransomware or hardware failure, but it was a disaster nonetheless. So we decided that on a Friday morning, we spoke with leadership, we planned it out, we would shut down the server and just let it play out. So on a Friday morning, we did exactly that. We remoted in, shut down their server, and their staff came in to find that they couldn’t get to their applications. This is a non-remote environment, and they couldn’t get to their applications; they couldn’t function. So they called in a ticket, and we reacted. Our team reacted as if the server was down, and we went through our incident response plan, which we’re going to talk a little about today too. We did what we needed to do. We had a backup and disaster recovery system where we could virtualize the server had it gone down. We did that, and by the end of the process, by the time we got the server back up and everybody connected to the new instance, it took six to eight hours. Something really interesting happened after we had that incident. 
We had a lessons-learned meeting the next week, and we sat down with the business owners, and they were actually a little bit upset. They were upset because they didn’t feel they could be down as long as we were during that simulation. Here’s the interesting part: it wasn’t because we didn’t communicate it; it wasn’t because we didn’t ask what they thought their requirements were. It was because the reality of it didn’t match up with their imagination around it. So what happened was it drove towards change. It put them in a situation where they had to actually think about what was happening. So that’s what we’re going to drive towards today. We’re going to drive towards eliciting that emotional response because it is emotional, right? When your business is down and you can’t send out an invoice or you can’t receive invoices or you can’t pay your staff and a disaster is actually happening in real-time, it does become emotional. So this is the scenario we’re going to attempt to drive our clients to or our organization to when we talk about tabletop exercises. 

Alright, so let’s get into it. I already introduced myself, so we won’t spend too much time on that. Today, we’re going to talk about tabletop exercises. We’re going to talk about preparing, educating, and ultimately selling or introducing new solutions, and then we’re going to talk about how that feeds into your security roadmap so that you can communicate and show value. Alright, let’s go. We’ve got a lot to cover here, not a whole lot of time. What is a Tabletop Exercise? If you’re not familiar with what a tabletop exercise is, essentially, it’s a cyber crisis rehearsal. It’s putting people in a situation where they have to face a crisis. Did you know that when you imagine something versus something actually happening in your life, your body and your brain respond in the exact same way? If you’re walking down a street at nighttime and there’s a dark alley and you have to go down that dark alley, your imagination begins to run rampant. If you think there might be a mugger down that alleyway, even though there probably isn’t, but if your mind runs away, your body begins to respond. The adrenaline starts to flow, your blood flows to your extremities in order so that you can do the fight or flight, even though nothing’s actually happened. You haven’t seen anybody or had an interaction, but if your brain puts you in a particular situation, you’re going to respond. So this is what we’re looking at when it comes to tabletop exercises. It puts everybody in a situation where they have to respond, where they have to think through the process so that they know what to do when the actual event happens. It’s essentially a role-playing game. The cool thing about, you know, I’m a Gen Xer, and so when I was growing up, I played a lot of role-playing games, whether it was Dungeons and Dragons or whatever is out there. I’m sure a lot of you can relate. So this is essentially what we’re doing. 
It’s a role-playing game around a cybersecurity incident, and what it does is it provides a communication check and planned troubleshooting. 

Goals of Tabletop Exercises

So what’s the goal? Why exactly are we doing this, other than that emotional response? There’s a practical side to it, right? There’s a very foundational approach to how we go through a response. 

  1. Response Readiness: Not only for your client. In fact, when we talk about tabletop exercises today, when we talk about these scenarios, I highly encourage you and your company or your department to put yourselves through these. What happens if you can’t use one of your trusted tools? What happens if you have a ransomware attack? Begin to put yourself through that so you know how to respond within your close circle, whether it be your MSP or your department, and then begin to reach out and talk to the departments. So it becomes a response readiness not only for you but also for your client, whether your client is external or internal. 
  2. Team Coordination: How does the communication work? How do your systems work? That communication and coordination begin to take shape for you and your client. 
  3. Increased Revenue: For those MSPs out there, those service providers, increased revenue. 

I’m going to show you exactly how that works too. 

Resources and Preparation

I talked about some of the resources that I have, so again, if you want to go ahead and scan that QR code, I promise I’m not Rick Rolling you. If you don’t trust me, the URL is at the bottom of the screen too. Here are my tips when you begin to prepare to do a tabletop exercise: 

  1. Plan for Plenty of Time: One thing that we did with my MSP is we began to incorporate these at the end of our QBRs, our quarterly business reviews. That’s the first key. If I’m talking about quarterly business reviews, if you’re not putting those in place, if you don’t have a scenario where you’re talking to your client about where your business is going and what challenges they have and how you should be helping them, that is a first big step. Establish those because this is a natural evolution of those types of conversations to begin to talk about what to do in these scenarios. 
  2. Get Commitment from Key Decision Makers and Managers: At the end of the day, if you’re going to go through all this trouble, you’re going to prepare for this, you’re going to do the exercises on your own, then you’re going to start to involve your client. You need somebody who can make decisions. You need somebody who’s going to feel that pain if that client’s revenue is interrupted, if that client’s ability to do their business is interrupted. You want somebody who is going to be impacted and can make the decisions to make it better. 
  3. Prepare the Situation: Go to that URL, scan that QR code. The government of Washington state has some freely available scenarios. 

They’re great; they’re PDF files. They walk through the scenario; they walk through some of what we call injects. I’ll talk about those, but it’s a great way to get started. Quite honestly, another good resource is language models like ChatGPT. Tell it that you want to do a role-playing or a tabletop exercise, and it’ll help you come up with them. 

Execution of Tabletop Exercises

Here we go. These are some more key items to keep in mind: 

  1. Focus on the Symptoms: Step through the scenario focusing on the symptoms. You don’t want to give a lot of background when you’re talking about what’s going on because the reality is when an incident happens, if ransomware hits a business, don’t spend a lot of time in the backstory. What is the client going to face? They’re going to face a screen that says, “Hey, your files have been encrypted. Pay us X amount of ransom, or you can’t get your files back.” 
  2. Describe the Scenario: Describe to them that scenario. This is what you see. How do you respond? What would you do when X happens? If none of the staff can log into their computers, if none of the staff can access their IT, what are you going to do? 
  3. Document the Answers: Note and set aside non-answers, meaning the “I don’t knows” or the simple “Well, I guess I’ll just call you guys.” That’s not enough. We need to detect the holes in the process. 

Alright, so let’s talk about the actual play of a tabletop exercise. The play we’re going to go through right now is a ransomware attack. Like I just said a second ago, describe the symptom of discovering ransomware. What are they seeing? Is a person logging into their computer, and they try to open up a document, and it’s just gibberish because it’s encrypted? Are they seeing the ransomware screen? Pick a symptom and have them walk through it. Ask them, “What would you do now? Who would you contact?” If they say, “Oh, well, I would contact you as the MSP,” great, but what if you can’t reach us? What if it’s after hours, and you can’t get through? What is your next step? Push them to think beyond the easy answers. By walking through these scenarios, you’re helping them prepare for the real thing, ensuring they’re better equipped to handle crises when they arise.

So, let’s talk about the practical aspects of contacting your MSP. Do they have access to your information outside of their resources? Do they have it in their cell phone? Do they know your website address? It could be as simple as that. Have they memorized the number? Where are they? How are they going to contact you? And is that the right decision? Should they be contacting somebody in their company first? This is when you start to have these discussions about who’s going to be impacted.

Let’s say they have that red and white screen indicating their files are encrypted and stolen. At this point, the CFO hopefully is in the room with you during these tabletop exercises because they will be key in convincing the organization why they need to invest to improve the systems. Let’s assume the CFO discovered it. He suggests they call you. Again, is that documented? How do they know to call you? Is that really the right thing to do? Should they be calling their lawyer first? Should they be calling a PR firm? Should they be calling their cybersecurity insurance broker? These are all things we need to think about. 

So, continue with the scenario. The servers are down, data is unavailable, and they’ve called you while you work on the issues. Dive into the operational issues. Let them know that, okay, you’ve called us, we’re researching the incident. What are you as a company doing? What’s impacted? If you can’t access your data, finances—are you able to do payroll? What if it’s payroll day and they can’t access the payroll information? If they can’t access their systems, if they can’t access their time clocks or however they track time, is production impacted? How heavily do they rely on their resources like their servers or their workstations to do projects? Has everything come to a halt? Are there other ways that they can continue operations while this incident is happening? What’s their tolerance? If something like this happens, can they afford to be down for 4 days, 6 days, 4 hours? This is where you start to get the feeling of how this is going to impact the customer. 

From a CFO’s perspective, maybe he can do without it for eight hours, but for the operations manager of this company, maybe they can’t go two hours without being heavily impacted—whether it be their clients, their vendors, their staff. This is where that emotional response I talked about earlier comes into play. We’re putting these people under the gun; they actually have to answer the questions. They can no longer just shuffle it off as “we’ll just cross that bridge when we get to it.” That’s not sufficient when you start to talk about the impacts on a business, their clients, their vendors, and their staff. It becomes real.

So, continue with the scenario. When they begin to say, “okay, we can operate in operations because we have paper copies,” ask, “who’s getting the paper copies? Who’s making sure those are available?” How do you know that’s the right step? What’s the communication look like if they can’t use Teams to communicate? Do they have another method? Do they have each other’s phone numbers for text? Do they have someone who can deliver messages within the company? What actions, what other tools need to be put in place to face off against this event? Lastly, is it documented and is it offline? It’s no good if their processes and incident response plan are just a Word document on their server and they get hit by ransomware.

Remember, you’re the game master. You get to put the client in a situation where they have to face up against maybe some of the decisions they’ve made in the past. Maybe you’ve got a client—I sure hope this isn’t the case—but I know when I had my MSP, we even had clients push back against multi-factor authentication. It is a no-brainer; everybody needs to have multi-factor authentication. But if that’s something that you’re struggling with, or maybe you’re struggling to urge your client down a particular path in order to incorporate a solution, embed those challenges inside of your tabletop exercise. It helps them understand why you’re recommending a certain path. 

Finally, let’s say the inject is you’re contacted by the threat actors and they’re threatening to release the data if you don’t pay by a certain date. What are they going to do? Are they in a position to sacrifice the fact that these threat actors now have their data? Are they going to talk to public relations? Are they confident enough to say, “hey, we’ve segmented our data enough, we’re confident they didn’t get access to personal information”? How are they going to deal with the fact that maybe they did get personal information? These are the decisions they need to understand when it comes to legal and cyber insurance as well. 

Here’s what we need to do to make this effective. Once you’ve played through that scenario, sometimes you’re going to find that we found this early on—we would put a scenario together and get like the first four or five steps into the scenario, and quite honestly, it was showing that the ability to respond was severely lacking. We would just end it there and say, “you know what, we need to sit down and figure out baby steps before we start to run towards actual recovery from the incident.” So, let’s go back to the drawing board, let’s figure out who should be involved in communications, let’s figure out what those first steps are and how we deal with them, and then we’ll come back and continue the scenario once we have those in place. That’s completely acceptable.

Track your process, track your scenario summary. Track how the organization communicates. Note your wins. This is so important. This can’t be a negative experience; this needs to be a positive, forward-motion experience. Sometimes they’re going to have the answers, or sometimes they’re going to come up with a revolutionary idea on how to work on a problem. Document those and celebrate them. But also document where the improvement needs to lie and the key learnings you pulled out of the tabletop exercise.

Give kudos and note actionable items. What worked, what didn’t? What other actions are missing? What entire sections of processes do we need to work on to make sure that you’re going to be able to survive this incident? Operational improvements: create your plan. What kind of notification improvements, what process and technology improvements are you going to make?

Example: Lessons Learned

I told you at the beginning of this session the story about that manufacturer. When we had that lessons-learned meeting afterwards, they weren’t super happy with the fact that it took us 6 to 8 hours to get that server back up and running and everybody back into full production. They were like, “forget this, this is ridiculous. We can’t have that; the impact on our business is too great.” Their question to us was, “what do we need to do to improve our ability to respond?” Ah, success! When you hear those words and your client says, “what do I need to do to become better?” That’s what you want to hear. This is when we start to talk about things like better planning, better systems. In our case, in that particular scenario, it was better ways to recover faster—hard drives, better systems. Whether you’re an internal department looking for more budget or an MSP looking to grow and offer more services to better protect your client, when you start looking at EDR and MDR and some of the other solutions out there, this is how you get that conversation going. 

Plans

Finally, the key learnings: validate and do a sanity check. What were the key risk areas? What did you identify that was maybe a risk that you didn’t realize was a risk? Key systems: what systems or departments were impacted that maybe you didn’t realize were going to be impacted? What’s great about that communication and documentation is it all leads you down the path of creating an incident response plan. When you start to analyze the weaknesses or even the strengths and document that, it creates that communication structure. It creates the framework of the entire process to get through this incident or event. Operational improvements: seek to improve your RTO (recovery time objective) or RPO (recovery point objective). Recovery time objective is how much time can the business go without being operational. Recovery point objective is how often do your backups or systems need to be up before you start to impact operations. Finally, the key learnings feed into the ability to create an incident response plan.

I alluded to this a couple of times, but I want to have a quick note on non-IT security findings. You’re going to bump up against areas that are not necessarily around IT and cybersecurity. Things like cyber insurance: who are the contacts? What are the guidelines? When does your cybersecurity insurance require you to contact them? Do they have resources like an incident response team or forensics teams that need to get involved to make sure they’re covered? Public relations: what happens if you decide not to pay the ransom and lean into your recovery systems? What do you tell your clients? What do you tell the press when the threat actors announce that they’re going to release your data? Be ready for those kinds of things. Legal: what legal requirements does your organization have? Many organizations, certainly in both Europe and North America, have requirements depending on your vertical and what you have to do when you have an event. HR, how are you contacting people? What are the impacts on them? How are you communicating and structuring your team so that they can survive through this incident or event? 

Here’s what I want to lean into. I get it, I’ve been in your shoes. I’ve seen over the last 15 years how things have evolved so quickly. Fifteen years ago cybersecurity challenges were a sliver of what they are today. With the migration to the cloud, the advent of everything from SD-WAN to EDR solutions, hybrid solutions, and working from home because of COVID, there are so many threats out there that it becomes overwhelming to understand them all and to be able to tackle them. But then you have to pivot towards your organization or your client to help them understand and explain the ROI—the return on investment. 

When you start to approach these tabletop exercises, keep in mind what you’re after. If you’re struggling to sell, for example, MDR to your clients or push it within your organization, create a tabletop exercise that shows the value of your managed detection response. An attack that happens after hours or at 3:00 a.m. on Christmas Day—who’s going to tackle that? Who’s going to help that organization make sure they aren’t severely impacted? Consider DNS filtering: maybe a user visits a malicious website through phishing or malvertising and gets impacted. Lead them down the path to understand why there are solutions like DNS filtering. There are so many others. If you’re looking to leverage and build that roadmap and actually flesh it out and make it a reality, talk to Atera. Talk to some of the solutions they have out there for you. If you haven’t spent enough time investigating the solutions that are out there, begin to raise the bar. Talk to Atera, talk to your rep, and make sure you are building a holistic, comprehensive solution. This is your ticket, your methodology to introduce this to your clients. 

After the Webinar

What do you do as soon as you get off this webinar? First off, plan and execute your own internal tabletop exercise. Talk to ChatGPT, go to the website I gave you earlier, pull down one of those scenarios, and walk it through within your internal department or your internal MSP. Determine how you would respond. Be ready for those answers when the client says, “What are you guys doing now?” Have your internal incident response plan ready. This is what we’re doing in the background. You tell us how you’re being impacted. The idea is to progress your client’s knowledge. Introduce the idea and the expectations and goals in your next QBR. If you’re not doing QBRs, if you’re not doing quarterly business reviews, schedule one today. Get it on the calendar, begin to talk about your client’s challenges, and introduce the idea of tabletop exercises. Lastly, schedule and execute. You will not be sorry. If you’re looking for a way to grow, if you’re looking for a way to introduce new solutions, tabletop exercises are the way to go. I can’t stress enough what a great solution it is to further down the path to raise that bar on security and to make sure at the end of the day that we’re servicing our clients in the best possible way.

Eddie: That sums up my tabletop exercise summary. I hope you got some value out of it. Have we gotten any questions? 

Muna: I don’t see any questions come in just yet, but I do invite the audience: please, if you’ve got any questions for Eddie, feel free to type those in the Q&A chat box. First of all, Eddie, this was great. I think it was very informative, very practical, with a lot of insight. Thank you for sharing the QR code and data. I may have missed it, but based on your recommendation, how often should you do tabletop exercises with a given client or within your organization? 

Eddie: That’s a super question. What we found in the beginning is it was a bit of a tough slog because you’re going to find when you start doing these that there’s going to be a lot of work and communication. My suggestion is once per year. But here’s what’s going to happen: you’re going to schedule that first one, let’s say next month. Keep it a nice, simple scenario. When you go through that, you’re probably going to run into a roadblock, or it’s going to take some time to introduce it. There will be some deliverables. Don’t be upset if the first one only takes 20-30 minutes because you run into areas where the client simply says, “You know what, I don’t know. We need to figure that out or get back to you.” Then put it on pause. When you have your next quarterly meeting, bring it up again and see if you can progress it. As you get better with it, you’ll probably start to have them once, maybe twice a year, as you work through different scenarios. It’s going to get easier, and your clients are going to embrace cybersecurity more and more because they understand the ROI. 

Muna: Wonderful. There is a question here: what would be the best way to set up such a tabletop exercise? 

Eddie: Okay, I get a lot of what you talked about, but if we can summarize it. First off, download one of those scenarios I talked about, understand it thoroughly, tweak it however you feel you need to tweak it to best suit your client, but make it simple. Introduce it to your client, give them the why. Say, “Hey, we’re really concerned about X scenario, whatever it may be—maybe it’s ransomware or business email compromise. I’d like to walk through a scenario to make sure we’re ready in case this happens.” Those are great ways to get it started. As far as documentation, have a look at those templates. They’re already laid out in such a great fashion. Use that same type of approach to get you started. Getting started with tabletop exercises is really a lot simpler than you might think once you get into it. 

Muna: Do you recommend charging for performing such tabletop exercises? 

Eddie: Here’s what we did: as part of our backup and disaster recovery solutions, we incorporated that cost inside of there. I’ve never been a big fan of charging separately because there’s a lot of value here. It depends on how your contracts are structured. We always structured our contracts to include that type of thing. The return on your investment—the time you put into it—does pay back in dividends. If you can get your client to invest the time into it, you’re going to see a return. That being said, if they don’t pay for it upfront, there might be a lack of perceived value. I would say a nominal fee to get them interested because your real payoff at the end of the day will be having them embrace the ideas around cybersecurity. 

Muna: Perfect. That gets me to the next question: is a business continuity plan part of the post-tabletop exercise? 

Eddie: For sure. What you discover through a tabletop exercise will include some business continuity planning, which is less cybersecurity and more overall disaster recovery. If you do a disaster scenario—I’m in Tampa right now, so off the top of my head, I’m thinking about hurricanes—if you get hit by a hurricane and it impacts your business, what are the steps to get around that? You start to talk about business continuity. Do they need a warm site? What actions do they need to take? You’ll find that if you can get buy-in from a company, it will change the culture of the way they think about dealing with disaster. 

Muna: There’s a question here from Phillip regarding whether a tabletop exercise would work for phishing tests or if there are different recommendations for that. 

Eddie: There are all sorts of tools out there. Phishing simulations are a tool; they’re not the end-all-be-all. I don’t personally think so. It’s just one piece you can use. If you’re struggling with phishing simulations and finding that the company continuously fails or has people who struggle with paying enough attention, include these in their tabletop exercises. Make the exercise, “Hey, one of your staff fell for a phishing attempt, visited a malicious website, and ended up getting a keylogger. Their social media accounts got compromised.” If they begin to understand how falling for phishing can impact the entire company, that will get their attention and change the culture of how they look at security. 

Muna: Katie asks, who should be included in tabletop exercises? Who are the personnel or personas you should be pulling into this? 

Eddie: It can vary based on the scenario, but typically we always included our primary contact at the organization. We always included the CFO because they hold the purse strings. We need them to have their eyes open when we start to talk about business impacts and revenue impacts. Depending on how involved the owner or CEO is, I would suggest including them. On our bigger clients, we didn’t need to go quite that high because we had the COOs and CFOs. The people who can make decisions financially and operationally need to be involved. The last thing you want is to bring in a manager who doesn’t have that level of control, convince them, but now they have to try to verbalize the experience they just had inside your tabletop exercise. Nothing speaks volumes like being in the room during a tabletop exercise. If there’s somebody in that organization you need to convince to implement MDR or a new solution, make sure they’re in the room. 

Muna: There’s another question here: as an MSP, do you structure exercises that can be adjusted for different clients with different industries, different security, and compliance needs, or do you need to tailor it for specific client regulatory requirements? 

Eddie: You’re going to figure out really fast that tabletop exercises are a vehicle that can be adjustable to any type of client. What I mean by that is not saying one size fits all, but our manufacturing clients had different challenges than our accounting firms or law firms. We would certainly adjust based on the specific industry. It doesn’t impact the same level if a server goes down that controls a manufacturer’s project tracking system versus a clinic’s EMR system. Adjusting those to speak to that particular industry is crucial. For compliance, it’s a phenomenal tool. Compliance doesn’t mean security. If you’re doing a tabletop exercise in the education sector here in the US, some require you to have EDR. EDR is great, but if it throws an alert at 3:00 a.m. on Christmas Day and no one is there to act on it, you probably need MDR. Use a tabletop exercise to show why you need to invest more than what your compliance expects. 

Muna: That makes a lot of sense. Al’s question is: what can an MSP do to get better prepared to offer XDR, EDR, MDR? 

Eddie: If you start to get the decision-makers in the room, have them converse about an incident. There’s a statistic that 42% of organizations suffer from cyber fatigue. I think that’s low. How many times do we open up LinkedIn or our newsfeed and see another company has been ransomwared or had their data leaked? We get a little numb to it, but people who don’t understand the mechanics behind it get numb to it too. They see it happening to big organizations and don’t really understand the impact or maybe don’t want to understand. As cybersecurity professionals, we know it’s not if it happens, it’s when it happens, and we want them to be prepared. 

Muna: Wonderful. There are two questions here about tailoring tabletop exercises to specific industries, and any recommendations for military and medical facilities? 

Eddie: Medical facilities, especially going back to compliance, most medical industries nowadays have to have a certain level of compliance and tools in place. Modify those to say, “Great, you’ve put in X amount of security around your compliance. What happens if something gets past the EDR or no one was there to act on it? They steal that medical data—now what?” What are the reporting requirements? What does insurance say? What are the impacts? What kind of public relations are involved? Modify the scenarios to speak to the industry. If a company is compliant, what happens if the threat goes beyond what their compliance requirements can protect against? You know your clients better than anybody. There are areas that keep you up at night. As a previous MSP owner, I knew there were clients that were a challenge before we started doing these tabletop exercises to magnify the areas I wanted them to excel in. It would keep me up at night, worrying about something happening in the middle of the night or not having a proper disaster recovery system. Use the tabletop exercise as a vehicle to communicate those. 

Muna: If we are to summarize, we’re looking at being prepared both as an MSP and as a client, highlighting areas where there are gaps. Gaps are opportunities to upsell certain services to give the client or business confidence to meet an incident. It’s also an opportunity to keep the organization in a state of readiness, always on top of what’s happening. What we assume we know is only validated when we test it. Normally, nobody wants to test those areas where you have that confidence of “somebody will know how to fix it,” but that somebody was counting on you to do it. Let’s test and validate. This has been a really informative session. Eddie, do you want to provide any final words to our audience? 

Eddie: Take those practical steps I had on the last slide and do them today. If you’re looking at not being average anymore, if you’ve been stuck in a rut and backed away from pushing your clients or your organization towards new security solutions, new ways of doing things, new ways of thinking about the realities of today, tabletop exercises are the vehicle you need to implement. Start today. Call your client, call your CEO if you’re an IT department, and get things rolling. The sooner the better. I cannot stress what a game-changer it was for my organization. 

Muna: Wonderful. Eddie, thank you so much for sharing the insights and giving us those amazing tips. I shared the link URL in the chat, and we will also add it in the email. Thank you so much, and thank you to our amazing audience for the questions. We hope to see you on a future Spotlight on Partners webinar. Thanks. 

Eddie: Thanks a lot, everybody. Thank you.