Cyber incidents rarely arrive with clear answers. They often bring uncertainty, pressure and real-world consequences.

That is why, at Cosmic, we do not just talk about cyber resilience. We test it, improve it and keep learning. We do this through regular exercises, policy reviews and weekly staff updates.

In April, our Senior Management Team and managers took part in a Cyber Resilience Tabletop Exercise. Our Technical and Security Lead, Jonathan Allard, facilitated the session.

The exercise simulated a realistic cyber incident. It challenged us to think about how we would respond as an organisation. Importantly, we used the same models and processes that we deliver for our clients.

Rather than testing technology, the exercise focused on people, decisions, and communication, the areas that matter most when an incident unfolds.

We already know that up to 95% of cybersecurity breaches involve human error¹. Therefore, people, behaviour and decision-making sit at the heart of cyber resilience. This links closely to skills gaps, pressure, cognitive overload and workplace culture.

A Safe Way to Stress-Test Business Continuity

First, the tabletop format allowed us to walk through a cyber incident safely. We did not need to affect live systems or disrupt day-to-day work.

Next, participants responded as if events were happening in real time. They had to work with incomplete information and changing consequences.

This approach created space for honest discussion and reflection. It helped us to:

  • Collaborate openly and honestly on the response we would need, and develop trust
  • Test our business continuity and incident response plans
  • Clarify roles and decision-making ownership
  • Explore how we would communicate effectively (internally and externally)
  • Identify improvements and gaps we might not otherwise understand or recognise

As with all our resilience exercises, we used a no-blame, no-hindsight approach. This helped people speak openly, rather than feel defensive.

As a result, people could contribute with confidence, motivation and a real sense of ownership.

An Eye-Opening Experience for Managers

For some of our recently appointed managers, this was their first cyber resilience exercise. The impact was immediate.

“I knew cyber incidents were complex, but going through a live scenario really brought home how many decisions need to be made quickly, and how interconnected everything is. It was eye-opening to see how operational, reputational and people considerations all come into play at once.”

Chloe Penfold, Restart Delivery Manager

This reflects what we often hear from clients. These exercises do not only reveal technical risks. They also highlight gaps in preparedness, staff engagement and communication.

“From a contracts and risk perspective, the exercise really highlighted how quickly a cyber incident can escalate beyond IT and into legal, contractual and reputational territory. Working through the scenario helped me see where timely decisions and clear communication are critical to protecting both the organisation and the people we work with.”

Vanessa Larcombe, Contracts Manager

Leadership, Communication and Culture Matter

From a leadership perspective, the session reinforced a key point. Cyber resilience is not only a technical issue. It is a whole-organisation challenge.

Therefore, organisations need confident leadership, clear coordination and practical preparation.

“What stood out for me was how much cyber resilience depends on leadership behaviours as well as systems; clarity, confidence and communication under pressure really matter. This exercise gave us a valuable opportunity to challenge assumptions, test how we work together, and strengthen our organisational readiness in a constructive and supportive way. The leaders of the future all need to hone their skills in resilience and continuity planning.”

Julie Hawker, CEO

The exercise also highlighted the importance of having clear, confident communications during an incident.

“Working through the scenario reminded me that effective communications during a cyber incident are as much about leadership and coordination as they are about messaging. Getting the right information to the right people, at the right time, is critical, and practising this in advance helps ensure confidence, credibility and trust are maintained when pressure is high.”

Emma Moore, Head of Business Development

Learning, Improving and Sharing Best Practice

The purpose of the exercise was not to prove that everything worked perfectly. Instead, it helped us find areas to improve.

“There are always gaps; that’s the point of an exercise like this. By creating a realistic, pressured environment, we can surface issues early and improve plans, confidence and coordination before a real incident ever happens.”

Jonathan Allard, Technical & Security Lead

We are already using the learning from the session to:

  • Refine our business continuity planning
  • Strengthen decision-making pathways
  • Improve incident communications readiness
  • Update everyone on key cybersecurity measures and share skills development recommendations
  • Review and improve policies related to data governance (including GDPR), staff responsibilities, communications and partnership relationships

How We Support Other Organisations

We now offer this same Cyber Resilience Tabletop Exercise to clients. We tailor each session to the organisation’s sector, size, risk profile and maturity.

Our exercises help organisations to:

  • Build leadership and management confidence
  • Clarify governance and responsibilities – to support policy improvements
  • Test GDPR and reporting readiness
  • Move from theory to practical preparedness

Finally, by running these exercises ourselves each year, we keep improving our own approach. We also make sure the guidance we share with others is realistic, tested and grounded in lived experience.

If your organisation wants to test its cyber resilience safely and practically, Cosmic can help you take the next step.

¹ Source: Infosecurity Magazine