
Tabletop Exercises: Test Your Cyber Incident Response | NSP

Written by Dayna-Jean Broeders | Oct 12, 2025 9:00:00 PM

Why Tabletop Exercises Are Your Most Powerful Incident Response Tool

 

October is Cyber Smart Month, and hopefully your team has been reinforcing password hygiene, reviewing phishing awareness, and discussing the basics of cyber resilience. Security awareness training is essential: it's your first line of defence and it reduces the risk of human error leading to a breach. But here's what awareness training can't do on its own: prepare your team to respond effectively when an incident occurs despite your best preventive efforts.

 

According to the National Cyber Security Centre's latest research, 53% of New Zealand's small to medium businesses experienced a cyber threat in the past six months, a significant 36% increase from the previous year's survey.

 

The gap isn't just in awareness; it's in incident response preparedness. When ransomware locks your systems at 2am on a Friday, your team needs more than theoretical knowledge and phishing awareness. They need muscle memory, clear protocols, and the confidence that comes from having been there before, even if only in simulation.

 

That's where tabletop exercises complement what Cyber Smart Month delivers: real-world readiness for your incident response plan, tested in a controlled environment before the stakes become catastrophic.

 

What Is a Tabletop Exercise?

 

A tabletop exercise is a discussion-based simulation where your leadership and IT teams walk through a realistic cyber incident scenario, step by step. While awareness training focuses on prevention and reducing human error, tabletop exercises train your organisation to respond effectively when prevention measures are breached or circumvented.

 

Think of it as a fire drill for cyberattacks: you wouldn't wait for an actual fire to test your evacuation plan. Yet many New Zealand businesses have detailed incident response policies sitting in a SharePoint folder, untested and unproven until a genuine crisis forces them into action.

 

The Reality of Cyber Incidents in New Zealand

 

Cyber-related incidents have been identified as the most significant business risk for 2025, according to the latest Allianz Risk Barometer report, with ransomware, data breaches, and IT system failures ranking as the leading global threats.

 

For New Zealand SMEs, the threats are particularly challenging:

 

  • Law firms hold sensitive client data and face strict confidentiality obligations

  • Real estate agencies process high-value financial transactions and personal information daily

  • Education providers manage student records and face complex privacy requirements

  • Startups often lack mature security infrastructure while handling investor and customer data

 

Among SMEs that experienced attacks, 57% implemented new cybersecurity measures, compared to only 27% of those who hadn't been attacked. In other words, most businesses only act after they've already been compromised. Tabletop exercises flip this reactive approach on its head, allowing you to identify and fix critical gaps before they're exploited.

 

How Tabletop Exercises Strengthen Your Incident Response Capabilities

 

1. Expose Hidden Weaknesses in Your Response Plan

 

Your incident response plan might look comprehensive on paper, but tabletop exercises reveal where theory meets reality, and where it breaks down.

 

Common discoveries include:

 

  • Communication breakdowns: Who actually has authority to approve paying a ransom? Who communicates with customers, insurers, and regulators, and in what order?

  • Decision-making bottlenecks: Can your IT manager authorise taking critical systems offline, or do they need board approval while ransomware spreads?

  • Unclear responsibilities: When your finance team discovers unusual wire transfers, do they know whether to call IT, management, or your cybersecurity provider first?

 

NSP's tabletop exercises are customised to your specific operational environment, including your existing prevention and detection controls. We don't run generic scenarios; we develop attack simulations that reflect the current threat environment and the specific risks to your high-value assets.

 

Learn more about NSP's comprehensive cybersecurity services.

 

2. Build Cross-Functional Coordination Under Pressure

 

Cyber incidents don't respect organisational charts. Effective response requires seamless coordination between IT, management, legal, finance, communications, and often external partners like insurers, forensic specialists, and law enforcement.

 

During our tabletop exercises, NSP facilitates realistic "injects": simulated inputs that mirror what your team would face during a real incident:

 

  • "Your backup systems are also encrypted, what now?"

  • "Media outlets are calling for comment on the breach"

  • "Your cyber insurance requires notification within 24 hours"

  • "A key system owner is unreachable, who makes the call?"

 

These pressure points expose how well your teams actually work together when minutes matter and the pressure is on.

 

3. Test Critical Decision-Making Before the Stakes Are Real

 

Some decisions can't be rehearsed in the moment. Do you pay the ransom or refuse? Do you notify customers immediately or wait for forensic confirmation? Do you bring systems back online incrementally or wait for a full security review?

 

According to Deloitte New Zealand, 43% of businesses took out or renewed cybersecurity insurance policies in 2024, a 20% increase from the previous year. But having insurance doesn't mean you're prepared to navigate the complex decisions a cyber incident demands, decisions that can determine whether your business recovers quickly or suffers long-term reputational and financial damage.

 

Tabletop exercises create a safe space to work through these decisions, identify which stakeholders need to be involved, and establish clear frameworks for making high-stakes calls when the clock is ticking.

 

4. Reduce Response Time and Minimise Business Impact

 

Every minute of downtime during a cyber incident costs money. For professional services firms, a single day of system outages can mean:

 

  • Lost billable hours

  • Missed deadlines with regulatory or contractual consequences

  • Client frustration and potential attrition

  • Emergency IT costs to restore operations

 

Tabletop exercises dramatically reduce response time by ensuring your team knows their roles, understands the escalation process, and has already thought through the key decision points. You're not figuring out the playbook while under attack; you're executing a plan you've already tested.

 

What Makes NSP's Tabletop Exercises Different

 

Local Expertise That Understands NZ Compliance and Risk

 

NSP is 100% New Zealand-based, and that matters more than you might think.

 

We understand:

 

  • New Zealand's regulatory environment: Privacy Act 2020 requirements, sector-specific compliance obligations, and how CERT NZ and the NCSC fit into incident response

  • Local threat environment: The specific attack vectors targeting New Zealand businesses, from BEC fraud to ransomware strains prevalent in APAC

  • Business context: The unique challenges facing Kiwi SMEs, from limited IT resources to the interconnected nature of our business community

 

Unlike offshore providers running cookie-cutter scenarios, NSP can facilitate on-site exercises, sit down with your leadership team face-to-face, and tailor scenarios that reflect your actual operating environment.

 

Realistic Scenarios Tailored to Your Industry

 

NSP designs tabletop exercises across multiple threat scenarios, including:

 

  • Ransomware attacks: Encrypted systems, ransom demands, backup failures, and recovery decisions

  • Data breaches: Compromised customer or client information, notification obligations, and regulatory reporting

  • Phishing compromises: CEO fraud, invoice scams, and business email compromise (BEC) attacks

  • Insider threats: Malicious or negligent employees, data exfiltration, and access control failures

  • System outages: DDoS attacks, critical infrastructure failures, and disaster recovery activation

 

Each scenario is customised to your business operations and IT environment, helping your team practice decision-making and coordination under realistic pressure.

 

Enterprise-Grade Capability for SMEs

 

NSP brings enterprise-level incident response capabilities to New Zealand SMEs. As a Microsoft-certified partner with 24/7 support, we combine deep technical expertise with practical business understanding.

 

We don't just run the exercise and hand you a report. Our team provides:

 

  • Pre-exercise consultation to understand your environment, risks, and incident response maturity

  • Facilitated simulation with realistic injects and dynamic scenarios that test your team's capabilities

  • Post-exercise analysis identifying gaps, strengths, and prioritised recommendations

  • Actionable roadmap for improving your incident response plan, security controls, and team readiness

 

For many organisations, tabletop exercises reveal the need for more structured support, whether that's managed security services, modern workplace capabilities, cloud infrastructure improvements, or vCISO services to provide ongoing strategic security leadership.

 

Building a Culture of Cyber Resilience

 

Cyber Smart Week (or month, if you will) is valuable for raising baseline awareness, but cyber resilience isn't built in a week. It's built through consistent preparation, testing, and improvement.

 

Tabletop exercises should be part of your ongoing cybersecurity rhythm, not a one-off compliance checkbox. Leading organisations run exercises:

 

  • Annually at minimum, to keep plans current and train new team members

  • After major changes like system migrations, mergers, or new regulatory requirements

  • Following industry incidents to learn from others' experiences and test how your organisation would respond to similar attacks

 

Think of tabletop exercises as the bridge between awareness training (which strengthens your human firewall and reduces breach likelihood) and real incident response (which happens under crisis conditions). They create the muscle memory and confidence your team needs to respond effectively when it matters most.

 

Real-World Benefits: ROI and Risk Reduction

 

The return on investment from tabletop exercises is measurable:

 

  • Reduced Downtime

    Organisations that regularly test their incident response plans recover faster from cyber incidents, minimising business disruption and financial impact.

  • Lower Incident Costs

    Effective response reduces the overall cost of incidents, from forensic investigation to legal fees, regulatory fines, and customer remediation.

  • Improved Insurance Outcomes

    Many cyber insurers now expect, or require, evidence of incident response testing. Documented tabletop exercises can improve your insurability and potentially reduce premiums.

  • Enhanced Team Confidence

    When your team has practiced responding to incidents in a controlled environment, they're calmer, more decisive, and more effective when real incidents occur.

  • Compliance Demonstration

    For organisations with regulatory requirements (privacy, financial services, healthcare), tabletop exercises provide documented evidence of due diligence in incident preparedness. This is increasingly important as regulators and insurers expect organisations to demonstrate proactive cyber risk management.

 

Your Next Steps: Moving from Awareness to Readiness

 

Cyber Smart Month reminds us all to strengthen our digital defences. Now it's time to go deeper, to test whether those defences actually work under pressure, and whether your team knows what to do when they're breached.

Here's how to get started:

 

  1. Assess your current state: Do you have a documented incident response plan? When was it last tested? Does your team know their roles?

  2. Identify your highest-risk scenarios: What would cause the most damage to your business: ransomware, a data breach, a system failure, or an insider threat?

  3. Schedule a tabletop exercise: Work with NSP to design a scenario that reflects your real operating environment and tests your actual response capabilities.

  4. Act on the findings: Use the exercise results to strengthen your incident response plan, improve security controls, and build team capability.

  5. Make it ongoing: Build regular tabletop exercises into your security program, keeping your team sharp and your plans current.

 

Prevention and Response, Two Sides of Cyber Resilience

 

Cyber Smart Month strengthens your preventive defences through awareness; tabletop exercises build your response capability. When your business faces a real cyber incident (not if, but when), having both layers of defence is what determines whether you recover quickly or struggle to survive.

 

With 53% of New Zealand SMEs experiencing cyber threats in the last six months, the question isn't whether you need an incident response plan. It's whether your plan will actually work when you need it most.

 

NSP's tabletop exercises give you the answer, before the consequences become real.

 

Ready to Test Your Incident Response Plan?

 

Don't wait for a real cyber incident to discover the gaps in your response capabilities. Book a consultation with NSP to discuss how a customised tabletop exercise can strengthen your organisation's cyber resilience, reduce response time, and protect what matters most.

 

Contact NSP today to schedule your tabletop exercise and discover where your incident response plan stands, and where it needs to improve.

 

Frequently Asked Questions

 

What is a tabletop exercise and how does it work?

A tabletop exercise is a discussion-based simulation where your team walks through a realistic cyber incident scenario in a controlled environment. NSP facilitates the exercise, presenting your team with a simulated attack (such as ransomware or a data breach) and guiding them through the response process, including decision-making, communication, coordination, and technical actions. The exercise identifies gaps in your incident response plan without the risks or costs of a real incident.

 

How long does a tabletop exercise take?

Most NSP tabletop exercises run between half a day and a full day, depending on the complexity of the scenario and the size of your team. This includes the simulation itself, real-time discussion and decision-making, and an initial debrief. NSP then provides a detailed post-exercise report with findings and recommendations. This investment of a few hours can save weeks of confusion and costly mistakes during a real incident.

 

Who should participate in a tabletop exercise?

Effective tabletop exercises include cross-functional teams, not just IT. Typical participants include IT managers, senior leadership (CEO, CFO), legal or compliance personnel, communications or marketing leads, and operational managers. The goal is to test how your entire organisation responds to a cyber incident, since effective response requires coordination across departments.

 

How often should we run tabletop exercises?

Best practice is to conduct tabletop exercises annually at minimum. You should also run exercises after significant changes like system migrations, leadership transitions, major vendor changes, or regulatory updates. Following high-profile industry incidents, it's valuable to test how your organisation would respond to similar attack scenarios. Regular exercises keep your plan current and ensure new team members understand their roles.

 

What's the difference between a tabletop exercise and a penetration test?

A penetration test (pen test) is a technical security assessment where ethical hackers attempt to exploit vulnerabilities in your systems. It tests your prevention and detection capabilities. A tabletop exercise tests your response capabilities, how your people and processes work when an incident occurs. Both are valuable, but they serve different purposes. Many organisations need both: pen testing to find technical vulnerabilities, and tabletop exercises to ensure they can respond effectively if those defences are breached. Learn more about NSP's penetration testing services.