A tabletop exercise helps SMEs respond faster to cyber incidents. Here’s how to run one, what to test, and how to improve your first-hour response.
Cyber Incident Tabletop Exercises for SMEs: How to Rehearse the First 60 Minutes
Most SMEs don’t fail during a cyber incident because they lack intelligence or effort — they fail because the first hour is chaotic. People aren’t sure who decides what. Someone is trying to “fix” things while someone else is trying to preserve evidence. Staff are unsure what to tell customers. And leadership is making high-stakes decisions with partial information. That’s exactly why tabletop exercises exist: they turn a stressful unknown into a rehearsed, coordinated response.
A tabletop exercise is simply a structured rehearsal. No one is hacking you. Nothing is being “tested” live. You walk through a realistic scenario (phishing-led compromise, ransomware, lost device, supplier breach) and practise the decisions and communications you’d need to make — especially in the first 60 minutes, when mistakes are easiest to make and hardest to undo.
Amazing Support is a multi-award-winning, Microsoft Partner, Cyber Essentials and Cyber Essentials Plus certified provider supporting UK SMEs across London, Greater London and Manchester. We’ve found that even a single 60–90 minute tabletop session can expose practical gaps that would otherwise only appear during a real incident — when the cost is far higher.
The short answer is: tabletops help SMEs respond faster and more calmly by clarifying roles, decisions, communications, and technical steps before a real incident happens.
What you should aim to achieve in the first 60 minutes
A good tabletop focuses on outcomes, not theatre. In the first hour, you want to be able to:
- confirm what’s happening (and what isn’t)
- contain the issue without making it worse
- protect critical systems and data
- preserve evidence and logs where possible
- communicate internally with clarity
- decide who needs to be informed externally (and when)
A simple tabletop format that works for SMEs
1) Pick one scenario and keep it realistic
Examples:
- a user reports they entered credentials into a fake Microsoft 365 login page
- finance receives an “urgent bank details change” email
- multiple PCs show ransom notes on Monday morning
- a laptop with sensitive data is lost on a train
2) Define roles before you start
You don’t need a big team, but you do need clarity:
- incident lead (decision maker)
- IT lead (technical containment)
- comms lead (internal/external messaging)
- business owner (priorities, risk decisions)
3) Walk through a timeline
Start with the first alert. Then add “injects” every 10–15 minutes:
- “two more users report the same email”
- “a director can’t access email”
- “a customer says they received a strange message from you”
- “your cyber insurer asks for details”
4) Capture gaps and convert them into actions
The real value is the action list:
- tighten MFA / Conditional Access
- improve user reporting
- define who contacts bank/insurer/legal
- confirm backup and recovery steps
- document the decision tree for shutting down systems
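To show what "capture gaps and convert them into actions" can look like when the facilitator keeps a log, here is an added Python example (not part of the original article and not Amazing Support's own tooling). It schedules injects at a fixed interval after the first alert, records each decision with the role that made it and the minute it was made, scores the first 60 minutes against the six outcomes listed earlier (confirm, contain, protect, preserve, communicate, notify), and turns missed outcomes and noted gaps into a prioritised action list. The scenario, roles, timings and gap text are constructed for illustration.

```python
"""Tabletop facilitator log: inject schedule, timed decisions, first-hour scoring.
Added example; scenario, timings and gaps below are constructed, not real data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The first-hour outcomes the exercise is measured against.
FIRST_HOUR_OUTCOMES = ["confirm", "contain", "protect", "preserve", "communicate", "notify"]


@dataclass
class Inject:
    minute: int   # minutes after the first alert
    text: str     # what the facilitator reads out


@dataclass
class Decision:
    minute: int   # minutes after the first alert
    owner: str    # incident lead / IT lead / comms lead / business owner
    outcome: str  # one of FIRST_HOUR_OUTCOMES
    note: str     # what was actually decided


@dataclass
class ExerciseLog:
    scenario: str
    injects: List[Inject] = field(default_factory=list)
    decisions: List[Decision] = field(default_factory=list)
    gaps: List[str] = field(default_factory=list)  # free-text gaps noted during play


def schedule_injects(texts: List[str], first_alert_minute: int = 0, interval: int = 15) -> List[Inject]:
    """Space injects every `interval` minutes after the first alert."""
    return [Inject(first_alert_minute + interval * (i + 1), t) for i, t in enumerate(texts)]


def record_decision(log: ExerciseLog, minute: int, owner: str, outcome: str, note: str) -> None:
    """Append a timed decision; reject outcomes outside the agreed list so scoring stays honest."""
    if outcome not in FIRST_HOUR_OUTCOMES:
        raise ValueError(f"unknown outcome {outcome!r}")
    log.decisions.append(Decision(minute, owner, outcome, note))


def time_to_outcome(log: ExerciseLog, outcome: str, window: int = 60) -> Optional[int]:
    """Minute of the earliest decision that achieved `outcome` inside the window, else None."""
    hits = [d.minute for d in log.decisions if d.outcome == outcome and d.minute <= window]
    return min(hits) if hits else None


def score_first_hour(log: ExerciseLog, window: int = 60) -> Dict[str, Optional[int]]:
    """Map each outcome to the minute it was first achieved (None = missed in the window)."""
    return {o: time_to_outcome(log, o, window) for o in FIRST_HOUR_OUTCOMES}


def action_list(log: ExerciseLog, window: int = 60) -> List[Tuple[int, str]]:
    """Priority 1: outcomes never reached in the window. Priority 2: gaps noted during play."""
    actions: List[Tuple[int, str]] = []
    for outcome, minute in score_first_hour(log, window).items():
        if minute is None:
            actions.append((1, f"no '{outcome}' decision within {window} min: assign an owner and write the step down"))
    for gap in log.gaps:
        actions.append((2, gap))
    return sorted(actions)


def run_demo() -> Tuple[Dict[str, Optional[int]], List[Tuple[int, str]]]:
    """Constructed phishing-led scenario played through once; returns (scores, actions)."""
    log = ExerciseLog(scenario="user entered credentials into a fake Microsoft 365 login page")
    log.injects = schedule_injects([
        "two more users report the same email",
        "a director can't access email",
        "a customer says they received a strange message from you",
        "your cyber insurer asks for details",
    ])
    record_decision(log, 5, "IT lead", "confirm", "user confirms the fake page; sign-in log shows an unfamiliar location")
    record_decision(log, 12, "IT lead", "contain", "password reset and active sessions revoked for the account")
    record_decision(log, 20, "IT lead", "protect", "mailbox rules reviewed; MFA re-registered for the user")
    record_decision(log, 30, "comms lead", "communicate", "all-staff note: report similar emails, do not click")
    record_decision(log, 75, "incident lead", "notify", "insurer contacted")  # outside the 60-minute window
    log.gaps.append("no agreed contact route for the cyber insurer")      # 'preserve' was never discussed
    return score_first_hour(log), action_list(log)


if __name__ == "__main__":
    scores, actions = run_demo()
    for outcome, minute in scores.items():
        print(f"{outcome:12s} {'missed' if minute is None else f'minute {minute}'}")
    for priority, text in actions:
        print(f"P{priority}: {text}")
```

Running the demo shows the shape of the output a facilitator wants at the end of the session: which first-hour outcomes were reached and how quickly, which were missed (here "preserve" was never discussed and "notify" happened too late), and a sorted action list that can go straight into the follow-up plan.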
Common gaps tabletops uncover
- no clear decision maker for “shut it down vs keep trading”
- uncertainty about what to tell staff (and what not to)
- lack of access to key admin accounts when needed
- missing supplier contacts and escalation routes
- unclear recovery priorities (what gets restored first)
FAQ
Do tabletop exercises replace technical security?
No — they complement it. Controls reduce incidents; tabletops reduce damage when something slips through.
How often should we run one?
At least annually, and after major changes (new systems, new office, rapid growth).
Who should attend?
IT plus at least one senior decision maker and someone responsible for comms/ops.
If you want, we can run a practical tabletop cyber security session with you and leave you with a clear, prioritised action plan afterwards.