Tabletop Exercises: An Essential Drill for Managing Insider Threats

 

Sanjiv Cherian, Cyber Security Director
Oct 23, 2024


Insider threats have the potential to devastate your organisation no matter how strong your external security mechanisms are. Malicious insiders already know your business and have access permissions - a combination that can cause widespread harm.

This is why businesses must have a strong insider risk management strategy to identify and stop insiders before they can cause more damage.
Conducting a tabletop exercise on insider threats is a great way to improve your cybersecurity preparedness.

In this article, we’ll explore what insider threats are, why they are dangerous, and how tabletop exercises can prepare you for these risks.


What Are Insider Threats?



Insider threats are security risks posed by an organisation’s own insiders, who may harm it intentionally or unintentionally. Examples of insider threats:

  • Data leaks and theft
  • Unauthorised information disclosure
  • Violence in the workspace
  • Financial fraud
  • Degrading capabilities or resources
  • Terrorism
  • Corporate espionage
  • Sabotaging resources

These threats can affect an organisation in terms of resources (like facilities, staff, critical information, devices, etc.), operations, data confidentiality, finances, compliance with regulations, customer trust, and reputation in the market.


An insider can be an employee, partner, vendor, contractor, or any other individual with legitimate authorisation credentials.

When the threat is intentional, the insider misuses their permissions to access the organisation’s networks, systems, and data and carry out a malicious act. This is mainly done for financial gain, personal benefit, revenge, and so on.

In unintentional insider threats, cyberattackers hijack an insider’s account or credentials to cause harm. This happens mainly because employees lack adequate cybersecurity awareness and don’t follow security best practices.

Dangers of Insider Threats

Most people think insider threats are rare, but it’s a big misconception. They are behind most of the data breaches globally.

According to the 2024 Insider Threat Report by Gurucul, 83% of organisations acknowledged that they had faced at least 1 insider attack. What’s even more disturbing is that organisations that previously faced 11 to 20 insider attacks now face 5x more insider attacks.

What makes insider threats so dangerous?

Traditional cybersecurity systems, policies, and strategies focus more on mitigating external threats, ignoring the attacks originating from within a company. A malicious insider already knows the ins and outs of an organisation and its systems and policies. They are familiar with strengths and weaknesses and the capabilities available to handle risks. On top of that, they have authorised credentials to access the organisation’s resources and execute their harmful intentions.

This makes it challenging for security systems and professionals to differentiate normal from malicious activity. At the same time, it gives the attacker an advantage: they can keep causing harm while remaining hidden from view. By the time they are discovered, they’ve done enough damage to the organisation - to its finances, confidentiality, reputation, you name it.

The 2023 Cost of Insider Risks Global Report conducted by Ponemon Institute and sponsored by DTEX highlights that the cost of an insider threat on average has increased 40% in the last four years, reaching $16.2 million.

This is disturbing!

To secure your organisation from insider threats, adopt advanced security systems, insider threat detection techniques, policies, and processes. Also, invest in employee training and activities like insider threat tabletop exercises.


What Are Insider Threat Tabletop Exercises?



An insider threat tabletop exercise is an activity created to test an organisation’s readiness to tackle internal threats.

These activities are simulated and scenario-based, enabling employees across departments and other stakeholders to rehearse for insider attacks. They evaluate how quickly participants detect and respond to an insider attack.

This way, employees, stakeholders, and other insiders can be better prepared to differentiate malicious behaviour from normal. They can also analyse and discuss security vulnerabilities and find gaps in current systems, processes, and policies. This helps them improve their security incident management plans and overall cybersecurity posture.

How Tabletop Exercises Help Manage Insider Threats

Let’s understand the importance of tabletop exercises for insider threat management:

Faster Vulnerability Detection
Conducting insider threat tabletop exercises in your organisation allows your employees and stakeholders to quickly detect vulnerabilities and gaps in your systems. It makes it easier for the security team to remove threats before they can harm the organisation.

To achieve that, you can train them in different tabletop exercise scenarios of insider threats, such as espionage, data theft, fraud, or unintentional threats due to user errors. This will help them identify signs of compromise, red flags, or anomalous behaviours, so they can keep an eye on a malicious insider and prevent attacks.

Improved Response Time
Imagine a scene: Your security team just detected an insider attack, which has begun compromising different systems. They’ve no clue how to approach this scene - how to contain the threat, who to inform, and where to start with remediation. They may panic and make poor decisions or delay the response. Result? More harm.

Although the scenarios are hypothetical, practising them will enable your team to put up a strong fight against the attacker, contain the threat effectively, and eliminate it before it can cause deeper harm.

Better Collaboration
Cybersecurity risks, like insider threats, can originate from anywhere and harm any department, which ultimately harms the organisation. For example, a malicious employee may misuse their access permissions to tamper with financial records and commit financial fraud.

Thus, the entire organisation must work hand-in-hand to spot red flags and reduce the likelihood of security risks, not just your security incident response team.

With insider threat tabletop exercises, you can invite people from different departments holding different roles and responsibilities to participate, like HR, compliance, legal, etc. They can have meaningful discussions over a given scenario and respond to it together. These exercises foster communication and collaboration between members who might not even have interacted before. This creates a holistic approach to cybersecurity by involving everyone.

Stronger Security Measures
By practising different insider threat scenarios, you end up exposing gaps and vulnerabilities in your security measures, policies, and processes. This is an amazing benefit of conducting a cybersecurity tabletop exercise.

This means you will have time to get to the root cause of these issues and address them before they turn into a security disaster. In addition, you can update your policies and create new ones based on the current security demands and technology needs.

For example, if you’ve recently introduced remote workforce and BYOD policies in your organisation, you must frame new security policies to mitigate the risks associated with these setups. Similarly, you can replace outdated access permission policies with stronger ones such as zero-trust security and least-privilege access.

As a result, your organisation's security will become stronger to combat sophisticated attacks and improve your information security management.

Cybersecurity Awareness
A single error or act of negligence can cost your business a fortune. This is why everyone in your organisation, from entry-level staff to C-suite executives, must be aware of cybersecurity trends and best practices. All should know they are accountable for their actions no matter the role.

Insider threat tabletop exercises are a great way to spread security awareness throughout the organisation in an interactive way. Conducting regular tabletop exercises instils a proactive, security-first culture in your company, so everyone feels responsible for security.

As a result, they can detect and respond to insider threats more effectively and adopt security best practices in everyday life.


How to Conduct an Insider Threats Tabletop Exercise Successfully



Consider the below steps to successfully conduct an insider threat tabletop exercise:

Plan
Conducting tabletop risk management exercises requires you to plan the complete process strategically. Start by identifying your “why” behind the exercise. It’s the objective or goal that you wish to achieve with your insider threat tabletop exercises.

In this phase, you need to have clear goals. To define the goal, ask yourself these questions:

What do you want to evaluate? Is it your capability to tackle insider threats?

How effective is your insider threat mitigation plan?

Is decision-making by your leaders or decision-makers effective?

Do you want to improve communication and collaboration between departments during an insider attack?

The opportunities are endless, but you must set a goal that aligns with your organisation’s current security requirements.

Example: You may evaluate the coordination between IT and compliance teams with the help of a tabletop exercise. Here, the goal is to find gaps in detecting and handling warning signs by the compliance teams, such as unusual behaviour, higher-than-usual errors in reporting, etc.

The exercise also investigates how the team escalates the incident to the IT team for further investigation.

Prepare
After you’ve set up the goal for your insider threat tabletop exercise, start preparing for the exercise. It includes:

  • Assembling the teams
  • Creating a presentation and handouts
  • Designing the scenario

A tabletop exercise comprises facilitators, participants, and observers. Facilitators, as the name suggests, organise the exercise. They invite people from different departments (participants), create necessary materials like handouts, and ensure the participants have the required information on the exercise. Observers watch the exercise and, if needed, may take part in the discussion.


Design the Scenario


Design a realistic scenario for insider threats so the participants will be genuinely engaged in the security tabletop exercise scenarios and handle them more effectively.

  • An exercise may focus on the insider threat type relevant to your company, such as errors due to negligence leading to an attack, a compromised insider, a malicious employee selling valuable data to competitors, etc.
  • You can build scenarios to reflect insider risks prevalent in your industry. For example, if you are a healthcare institution, you may simulate a situation where an employee leaks patient data.
  • Stay updated with recent insider risks, attack methods, vulnerabilities, technologies in use, etc. to base the exercise on.
  • Take inspiration from past internal threats that you might have faced.


Lastly, ensure the exercise aligns with your security goals, business systems, and processes.

Execute
Once you’ve designed your exercise and prepared everything, it’s time to run the drill.

All the participants, facilitators, and observers must assemble in an environment that promotes active participation from everyone.

Facilitators must provide all essential materials and context to participants, so they can understand the situation and act on it. They must also encourage participants to communicate openly and collaborate as a team. Let participants analyse and discuss the scene, identify the threat, and form the best threat modelling strategy.

Analyse
The drill is complete, but your work is not done yet. A post-exercise debriefing is important to analyse how the drill went, the positives and negatives, and how to create better exercises. It will also help you point out real vulnerabilities and gaps in your current incident response plan and optimise it.

  • Review participants’ performance - response times, decision-making, significant delays, etc.
  • How was the communication and coordination between them? What were the bottlenecks?
  • Did you spot any ineffective/outdated policies? Update them to create a stronger security posture.


Report
An insider threat tabletop exercise is not complete without creating a detailed report about the exercise. It should highlight the scenario, goal, participant performance, significant findings, action plans, decision-making, and recommendations.

This report is valuable for the entire organisation to refer to, tackle insider threats, and improve threat modelling strategies.


Best Practices for Insider Threat Tabletop Exercises



To make the most of your insider threat tabletop exercises, consider the following best practices:

Regular exercises: You must conduct tabletop exercises regularly in your organisation to keep up with evolving insider threats. You can organise it once every quarter or twice a year.

Stakeholder participation: Include all key stakeholders from IT, legal, PR, HR, etc. in the exercise to create a unified approach to cyber threat management while promoting collaboration between different departments.

Relevant exercises: Choose relevant drills specific to your industry and business. Introduce variety in your exercise to target various insider risks like data leaks, compromised insiders, access violations, etc.

Incorporate lessons learned: Each drill will teach you something. Analyse, document, and utilise the lessons learned from the exercise to improve your organisation’s security posture and educate your employees to follow cybersecurity best practices.



Get One Step Ahead of Malicious Insiders with Microminder’s Insider Threat Tabletop Exercises

Insider threats harm an organisation from every side - finances, reputation, customer trust, and legal. This is why finding these threats as quickly as you can is important to preventing insider threats or reducing their impacts.

Let Microminder conduct insider threat tabletop exercises to strengthen your organisation’s cyber defence. We facilitate real-world insider threat scenarios aligned with your company’s current needs and security goals. We prepare you for the latest insider risks, improve cross-departmental coordination, and optimise your response strategies.

Get started with insider threat tabletop exercises today with Microminder CS!


FAQs

What are tabletop exercises in cybersecurity?

Tabletop exercises in cybersecurity are simulated activities where participants are given a security scenario, such as malware, data theft, insider threats, etc. to analyse and respond to.

What are the red flags of insider threat?

Some red flags of insider threat include:

  • Sudden behavioural changes
  • Attempts to bypass security controls
  • Unauthorised data access

What are the 3 major motivators for insider threats?

The primary insider threat motivations are:

  • Malicious threats for financial gains or taking revenge
  • Compromised insiders who have no idea attackers have compromised their credentials to cause harm
  • Negligent insiders whose errors or carelessness lead to attacks
