What Military Wargames Can Teach Us About Cybersecurity

Tabletop wargaming identifies weaknesses, refines strategies, and trains teams to make quick, informed decisions during the crucial first 24-48 hours of a crisis.

Stefan Voss, VP of Product, Cove Data Protection

October 31, 2024

4 Min Read
Serious People Negotiating in Conference Room
Aleksei Gorodenkov via Alamy Stock

Cyberattacks in the first half of 2024 have been relentless, with organizations facing a surge in ransomware and data breaches aimed at theft and extortion. Unlike previous years, 2024 has seen major disruptions across industries, with consumers feeling the burn.  

Unless you’ve been living under a rock, you already know that today’s ransomware operators are highly sophisticated and target businesses of all sizes across different industries. You’ve likely already deployed technology aimed at protecting against and recovering from a ransomware attack.  

However, even with these technologies in place, many organizations find themselves unprepared when an actual attack happens.  

Wargaming, a strategic military tool, has found its place in the world of cybersecurity through tabletop exercises designed to simulate these high stakes cyberattacks, such as ransomware. Cyber wargames equip corporate leaders with the skills needed to make swift, informed decisions in the critical first 24-48 hours of a crisis. Beyond backups, these exercises stress-test incident response plans, offering an essential, hands-on approach to disaster recovery. 

Here’s what you need to know and how to approach. 

What Is a Tabletop Exercise and Why Does It Matter? 

A ransomware tabletop exercise is a simulation of a ransomware attack aimed at identifying vulnerabilities in your ransomware protection and recovery plan. Conducting a tabletop exercise is one of the best ways to increase your organization’s cyber resilience and prepare for recovery scenarios you have not yet encountered in the wild.  

Ransomware tabletop exercises have other benefits, too. For example, a tabletop exercise could identify areas where you are out of compliance with security frameworks and/or demonstrate to regulators that you have taken steps to address these issues. Exercises can also help shape employee training efforts and technology investments.  

There’s no “right” way to conduct a tabletop exercise. However, many exercises include some or all of the following: 

  1. A realistic scenario. All tabletop exercises should start with a realistic scenario, designed to challenge both technical and non-technical aspects of the organization’s incident response plan. 

  2. Key stakeholders. Key personnel from IT, cybersecurity, legal, communications, and executive teams should be involved to ensure all critical functions are covered. 

  3. Well-defined responsibilities. Stakeholders should be assigned a specific role that mirrors their real-world responsibilities during an actual ransomware incident (e.g., IT, executives, public relations). 

  4. Ransomware response testing. Technical and non-technical response activities should be tested. This might include IT activities like detection, containment, eradication, and disaster recovery operations. Internal and external communications should be tested as well. We’ll look at testing in more detail below. 

  5. A post-incident report. A review of the gaps, successes, and areas for improvement in the organization’s response strategy is critical. This review should be properly documented, both for future reference and to satisfy any regulatory or compliance requirements. 

Ransomware Response Testing Food for Thought 

Obviously, all aspects of your security stack should be considered in your IT testing. Preventing an attack before it happens is the goal, so testing should be designed to identify gaps in access controls, vulnerability management, employee security awareness training, and more. 

Since attacks have the potential to cause prolonged IT downtime, a tabletop exercise should also reveal how long it could take to restore normal business operations following an attack. The exercise should account for the wide variety of restore scenarios IT might face (e.g., restoring a few desktops vs. a server hosting numerous virtual machines) and the recovery time associated with each. 

Legal, HR, PR, and executive teams may have important responsibilities during and immediately following a ransomware attack. For example, do customers and/or vendors need to be notified? What about law enforcement? Who is responsible for these communications? Who is responsible for filing a cyber insurance claim? What specifically is required to file a claim?  

Tabletop exercises require a good deal of coordination and can be time-consuming. However, they are highly effective and should be considered an essential piece for your security and disaster recovery efforts. 

Conclusion 

Ransomware tabletop exercises are invaluable for organizations looking to strengthen their defenses against one of the most serious cyber threats today. These exercises help businesses identify vulnerabilities, improve response strategies, and build long-term cyber resilience.  

By involving leadership, focusing on realistic scenarios, and emphasizing secure recovery methods, ransomware tabletop exercises offer a practical and insightful way to ensure that your organization is prepared to handle a real ransomware attack.  

About the Author

Stefan Voss

VP of Product, Cove Data Protection

Stefan Voss is VP of product at Cove Data Protection, by N-Able, where he helps internal IT customers and MSPs leverage cloud-first backup solutions for disaster recovery and business continuity. Connect with Stefan on LinkedIn. Reach Stefan at [email protected].  

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights