Skip to content

Why NCSC’s free tool opens doors to bring your tech and non-tech teams together.  

Whenever we at SBRC speak about Exercise in a Box our introduction is always “it is completely free, and you don’t have to be technical to get involved.” 

Exercise in a Box can be best described as a tool that recreates real world business scenarios and tests your organisation’s cyber resilience in each scenario.

It was developed by the National Cyber Security Centre and started its life as a self-use tool to help organisations test and practise their internal response to a plethora of cyber issues.  

This may give the impression that it is a technical tool. How else would one test cyber defences? Well, an organisation’s ability to defend against a cyber attack goes above and beyond just the technical aspects. 

Ensuring employees are aware of procedures to report an issue, ensuring they are aware they will not get in trouble for doing so, and ensuring they are aware that by doing this they could prevent a much bigger issue, are all just as important.  

Exercise in a Box is, in essence, a box full of text-based exercises based around real world scenarios with probing questions attached to each scenario. It allows your organisation to do them in your own time, in a safe environment, as many times as you want. It includes everything you need for setting up, planning, delivery, and post-exercise activity, all in one place.  

We at SBRC have been tasked with promoting Exercise in a Box to Scottish companies by conducting practical workshops where we facilitate one of the scenarios. These sessions encourage a collection of individuals from your organisation to join. We don’t want to see only the tech team, or only the senior management team. It is important to have a mix. Why? We don’t know which point in an organisation an attack will hit. It may be an attack on servers, or it may be a phishing attack on a busy sales team. Due to that, it is important everyone in your organisation is on the same page.  

We recommend having someone along from your technical team, a senior manager, a member of sales, marketing, and finance. Every organisation is different and not all will even have a technical team. Maybe it’s all outsourced. In that case by coming along you will learn the right questions to ask the team that looks after the technical side of things. The ideal scenario is where the person from sales, marketing, finance, answers all the questions and the technical person nods along. If the technical person answers the questions but everyone else has blank faces, there is an immediate issue you will need to get resolved.  

If the team is already on the same page, then perfect! Of course, you will still get benefit out of joining the session by double checking you have done absolutely everything in your power to defend yourself digitally. Threats change daily, and so do defences. However, if your team are not fully on the same page this is a massive opportunity for the technical person to show and explain why they have certain procedures in place. Our ethical hacking team can detail issues that are likely to arise without following the procedures.  

Strength comes in communication and understating. The defence on a sports team will only hold up so long if everyone works in isolation. Exercise in a Box is not just about showing the need for technical cyber resilience but also non-technical cyber resilience.