How do we know if our cyber incident response plan actually works?
The short answer: Run tabletop exercises led by a third party. It’s the most effective way to find out whether your plan works in practice – not just on paper.
Why cyber incident response plans often fail
Cyber incident response plans are essential – but they’re only as good as the scenarios they cover. Many firms invest time and money into creating detailed plans, yet when a real incident occurs, those plans often fall short. Why? Because they haven’t been properly tested, and they don’t account for the full range of business impacts.
What is a tabletop exercise?
A tabletop exercise is a structured simulation of a cyber incident. It brings together key stakeholders – typically IT, compliance, communications, and senior leadership – to walk through a hypothetical breach or attack.
The goal isn’t to test technical systems, but to evaluate decision-making, communication, and coordination. When led by a third party, these exercises offer an objective view and often uncover blind spots that internal teams may overlook.
Common gaps in incident response plans
One frequent issue is that incident response plans focus too heavily on the technical side. They outline how to isolate affected systems, restore backups, and investigate breaches. But what happens if your IT systems are completely down?
- Could your firm operate using pen and paper?
- How would you communicate with clients, regulators, and the media?
- Who would speak on behalf of the company – and what would they say?
These are critical questions, especially in sectors like private equity, finance, and legal services, where trust and reputation are everything.
What a well-rounded incident response plan must include
An incident response plan must go beyond IT recovery. It should include:
- Communication protocols – Internal and external messaging, including media statements and client updates.
- Business continuity – Alternative ways to operate if core systems are unavailable.
- Public relations strategy – How to manage reputational risk and maintain stakeholder confidence.
- Decision-making hierarchy – Who makes the call when time is short and pressure is high.
Why tabletop exercises are so valuable
Tabletop exercises help you test all of this. They simulate the stress and urgency of a real incident, allowing your team to practise their roles and refine the plan. They also help identify gaps – like missing contact details, unclear responsibilities, or unrealistic assumptions about system availability.
For CFOs and COOs, the value is clear. These exercises provide assurance that your firm can respond effectively, protect its reputation, and maintain operations during a crisis. They also demonstrate to regulators and clients that you take cyber resilience seriously.
Don’t wait for a real incident
In summary, don’t wait for a real incident to find out whether your plan works. Test it now – thoroughly, realistically, and with expert guidance. A well-run tabletop exercise could be the difference between a controlled response and a costly disaster. If your firm relies on Managed IT Support or Managed Cyber Security services, make sure your providers are involved in these exercises. Their input can be crucial in shaping a response that’s both technically sound and operationally viable.
We’re here to help
If you want to achieve better outcomes for your business through a more intelligent use of technology, talk to us.