Last time we looked at why tabletop exercises matter and how they can reveal the cracks business leaders don’t notice until it’s too late. Now let’s talk about the part that really gets attention: the cost.
A tabletop exercise might cost you a few hours of time and some coffee. A real incident? That’s a different story. One breach can run into hundreds of thousands, even millions, once you factor in ransom demands, outside experts, legal fees, PR firms, lost revenue, and clients heading for the exits. I’ve seen attackers walk away with enough money to buy themselves a yacht, and they bought it with your hard work.
And don’t think insurance will save you. Most policies are written with more fine print than a bad mortgage. Didn’t follow your own policies? Claim denied. Didn’t run regular exercises? Claim denied. Missed a detail in the exclusions? Claim denied. Insurance companies make their living finding reasons not to pay out, and you don’t want to discover that in the middle of a crisis.
Here’s the kicker: even if they do pay, it doesn’t mean the fight is over. If the insurer decides later that you were negligent or failed to meet some buried requirement, they can drag you into court to claw their money back. And more often than not, they decide it’s worth the fight, because for them, it usually is.
Meanwhile, hackers are getting smarter. They’re not throwing out random ransom numbers anymore. They’re digging into financial records ahead of time, so when the demand hits your screen, it’s for exactly the amount they know you can pay. No mercy. No negotiation. Just simple math.
Sadly, that’s the price of not practicing. And there is one more pitfall to avoid: thinking “IT will handle it.”
They won’t. Or rather, they can’t. IT can restore backups and close vulnerabilities, but they don’t decide whether to pay a ransom, when to notify your customers, or how much downtime your business can survive. Those decisions belong to you.
The reality is simple. Tabletop exercises give you the chance to practice making those calls when the stakes are low. Perfection is the enemy of progress: if you wait until you have the “perfect” plan, you’ll never run one. And when an attack hits, it won’t wait for you to be ready.
The good news is you don’t have to figure this out alone. Your MSP can run tabletop exercises for you, and if yours hasn’t offered, just ask. A typical session runs $10–15k and takes just a few hours, which is nothing compared to the cost of a breach.
When you make the ask, keep it simple: “Can we schedule a tabletop exercise to walk through what would happen if we had a major incident?” The key is making sure the right people are in the room: not just IT, but leadership, finance, HR, and anyone who owns risk for the business.
It’s like checking the fire alarm in your office. You don’t wait until smoke fills the room to find out if it works. The same logic applies to cybersecurity risk: test before the crisis, not during.
Hackers don’t wait. You can either role-play disaster on your terms, or live through it on theirs, and explain to your employees, customers, and board why a hacking group in Russia just named their new yacht after your company.