Hi Community, I hope everyone is doing fine and the temperatures are still bearable at your workplace. I have another best-practice question regarding the cyber attack we experienced two weeks ago. At last year's Human Firewall Conference I attended a presentation where the speaker said that it would be good to practise cyber security incidents in the same way as other security incidents (e.g. test fire alarms etc.). My question is: Do some of you have experiences with this? What exactly can practicing a cyber security incident look like? Would you need a test system or is there a way to practice this in the live-environment - and if so, how? Is there anyone who has a playbook or templates for something that could help when we would like to try this for the first time? Any advice is much appreciated. Many thanks 🙂
Hi Lea, absolutely – there are several ways to simulate a cyberattack or test incident response. You can start relatively simple by just going through a playbook with your core team in a tabletop exercise – kind of like a “what would we do if…” session. That’s a great first step to identify gaps, clarify roles and responsibilities, and test your communication flows. If you want to take it up a notch, you can bring in an external provider to run a more realistic simulation. They’ll often simulate pressure too – by calling stakeholders, sending phishing emails, or creating artificial chaos, just like in a real incident. That stress factor can be really valuable to see how well your processes hold up under fire. Practicing in a live environment doesn’t always mean touching production systems. Many things like decision-making, communication, and escalation can be tested without touching real tech. Just be clear about the scope and set expectations. Happy to share more if needed – feel free to reach out directly. Greetings from Spain, Gordon
Hi Lea K., Thanks for your post – it’s always unsettling when incidents happen, but it’s also a moment that often sparks deeper reflection and creativity. Your reference to test fire alarms is a great analogy. 🔥🛡️ If I understand you correctly, you’re asking how organizations can simulate cyber attacks in a structured way – similar to practicing a fire evacuation – and whether this can be done safely in a live environment without needing a separate test system? Thanks also to Gordon S. – I really liked how you brought in the internal reflection to begin with as well! The stress element you mentioned is spot on – often it’s not the tech that fails, but the human response under pressure. Lea K. – do you already have a specific aspect in mind you’d like to test? (perhaps any of the examples that Gordon mentioned) - narrowing the focus might help. 🙏 Markus P. Julia K. Sabrina H. Roald R. curious to hear your thoughts too. Feel free to join the discussion 🤩
Thank you Melissa G. for clarifying what I wrote, because, yes, this is exactly what I was looking for. But no, I did not yet have any specific aspect in mind, I guess we're really still right at the very beginning with this.
Hi, I think it's not a question if you should test but how. Business Continuity (and Disaster Recovery) is a big part of the ISO27001 and NIS2. You have to get it in place otherwise you will not receive the ISO27001 certification. And it's not about having it in place. Testing them is an essential part. Step 1 is to do a risk assessment to find out your crown jewels. They need the best protection. Then do a workshop with stakeholders to identify what could happen if... And create the playbooks yourselves. And then just plan some annual table tops where you run through the material again. And only for the important ones you should do a real time exercise on the production environment as you wouldn't be the first one discovering that the description on paper is not successful in a real-time situation. Roald
