Article
    by Peter Leinberg, Head of Exercise Planning and Delivery

    Cyber resilience in action: Why cyber exercising is the key to surviving digital threats

    Despite increasing investments in security tools, many organisations still struggle with cyber resilience. Why? Because technology alone cannot solve the problem – people are often the weakest link, and without proper preparation, even the most advanced defences can crumble. This coin has two sides, however: cyber exercises transform the weakest link into cybersecurity’s most valuable asset.

    The urgency of cyber resilience

     

    Cyber threats are escalating at an alarming rate. In 2023 alone, global cybercrime costs reached €7 trillion, with forecasts predicting a rise to over 9 trillion in 2025. Ransomware, phishing, insider threats, and supply chain attacks have become daily occurrences, targeting businesses, governments, and critical infrastructure alike.

    Organisations must recognise that cyber threats are not just an IT problem – they are an existential risk that can disable operations, damage reputations, and result in severe financial losses. As a result of a ransomware attack in April 2025, the British retailer Marks & Spencer lost about £60M (€71M) in revenue due to having to suspend online sales, its stock price fell more than 15%, wiping billions off its market capitalisation, and customer loyalty dwindled after learning that some customer data was also stolen during the attack. Healthcare institutions have seen ransomware attacks delay life-saving procedures; manufacturing plants have suffered production halts due to operational technology (OT) breaches, and financial institutions have faced crippling fraud incidents. The infamous 2021 Colonial Pipeline attack, which led to widespread fuel shortages across the U.S., is a stark reminder of how cyber incidents can disrupt entire economies. 

    In this high-stakes landscape, cyber resilience is no longer optional – it’s a necessity. Resilience means being able to anticipate, withstand, respond to, and recover from cyber incidents with minimal disruption. It ensures that businesses can continue to operate despite attacks, mitigating damage and maintaining stakeholder trust.

    To achieve cyber resilience, organisations must create an ecosystem that integrates continuous employee training and realistic cyber exercises, along with clear governance, proactive risk management, and robust cybersecurity tools. This approach builds preparedness, ensures swift incident response, and maintains operational stability even in the face of sophisticated threats.

    The human factor: The Achilles’ heel of cybersecurity

    Studies show that 82% of cyber breaches involve human error. Whether it’s an employee falling for a phishing email, using weak passwords, or misconfiguring cloud storage, the human element remains a top security vulnerability. Organisations invest billions in cybersecurity yet often overlook the simplest defence mechanism: education and preparedness. There is a reason why a British Army adage dating back to World War II, which highlights the importance of training before action, is still used and relevant: the 7Ps – Prior Planning and Preparation Prevent Piss Poor Performance.

    Beyond unintentional mistakes, social engineering attacks exploit human psychology, making even the most security-aware individuals susceptible to manipulation. Recently, Microsoft’s Regional Director, security researcher, and consultant, Troy Hunt, shared how he fell for a phishing attack. Attackers exploit trust, urgency, and authority to deceive employees into handing over credentials, transferring funds, or granting access to sensitive systems. Phishing is one of the most common forms of social engineering, and phishing messages have skyrocketed by 4,151% since the advent of ChatGPT in 2022.

    The consequences of human error are costly.  According to IBM’s Cost of a Data Breach Report, businesses lose an average of €3.9 million per breach, with phishing and stolen credentials being the top initial attack vectors. Furthermore, 60% of small and medium-sized businesses go out of business within six months of experiencing a cyberattack. 

    But here’s the paradox – while human error is the cause of most cyber incidents, humans are also the solution. A well-trained workforce can act as a human firewall, detecting anomalies, responding to threats efficiently, and preventing incidents before they escalate. Employees may be the weakest link, but they are also the first line of defence and, potentially, when educated, our greatest cyber defence asset.

    Cybersecurity is not just a technical issue – it’s a cultural one. A strong security culture ensures that cyber awareness becomes second nature, integral to everyday operations. A strong security culture also relies on another cultural choice, one that values and champions continuous education. When coupled with leadership buy-in and reinforced through realistic cyber exercises, these aspects of a mature, agile organisation set the foundation for resilience that can ensure operational success regardless of the threat or environment.

    Cyber exercising: The cornerstone of cyber resilience

    Cyber exercises must be integrated into our security strategy to truly strengthen cyber resilience. These structured simulations test an organisation’s readiness against real-world cyber threats. They help teams practice incident response, refine decision-making processes, clarify communications channels, assure roles and responsibilities, test assumptions, hone tactics, techniques, and procedures (TTPs), and build confidence in crises.

    From critical infrastructure to corporate enterprises, cyber exercising equips teams with the practical experience to respond with clarity and speed. Whether defending national infrastructure or safeguarding sensitive customer data, these exercises transform static response plans into living capabilities. 

     

    Cyber exercising goes beyond routine cybersecurity awareness training. While annual training sessions and e-learning modules provide foundational knowledge, they often fail to prepare employees for high-pressure, real-world attacks. Research from Cornell University highlights that experiential learning – engaging multiple senses through real-world challenges – significantly enhances knowledge retention and engagement. The study notes that while people generally remember 10% of what they read and 20% of what they hear, retention rates can reach as high as 75% when all senses are engaged in hands-on experiences.

    Cyber exercises create an immersive, hands-on experience where participants actively respond to evolving threats. This dynamic approach fosters muscle memory, ensuring that teams react swiftly and effectively when faced with a real cyber crisis, as they become intimately familiar with processes that they would otherwise only use in an actual incident.

    The more tailored the scenarios, the greater the impact. Generic, one-size-fits-all exercises may offer surface-level value. Still, they often fail to expose the real vulnerabilities or test the actual decision-making dynamics unique to a specific organisation. Truly effective cyber exercises must be context-driven, designed around the systems, processes, people, and risks that define your operational reality.

    This approach ensures that participants don’t just go through the motions – they experience realistic dilemmas, respond to plausible threats, and see the direct implications of their actions on critical assets. It builds credible muscle memory and reveals how your actual infrastructure and teams perform under duress.

    In addition to tailoring, there are three core elements that we believe should be part of every effective cyber exercise experience:

    Cross-functional involvement

    Simulations beyond IT teams, connecting all relevant stakeholders from across the organisation and their supply chain, ensure we capture a holistic image of an organisation’s resilience posture and preparedness for breach. 

    Realistic threat simulations

    Employing the latest Tactics, Techniques, and Procedures (TTPs) that real-world threat actors use ensures the training is relevant and impactful. 

    Measurable outcomes

    Post-exercise assessments provide actionable insights at every level, helping organisations continuously improve their security posture.

    Why cyber exercising matters

    • Reveals critical gaps in technical controls, escalation paths, and decision-making workflows.
    • Fosters organisation-wide collaboration, improving coordination and communication across all roles, functions, and levels.
    • Builds confidence under pressure, giving participants, groups, and organisations muscle memory they can rely on.
    • Exposes participants to real-world attack techniques, improving detection, containment, and familiarity.
    • Strengthens regulatory and stakeholder alignment by stress-testing notification and reporting procedures in a simulated environment.
    • Fosters a culture of continuous improvement by turning lessons from exercises into actionable changes across people, processes, and technologies. 

    There are different ways to test your defences

    Cybersecurity exercises are vital for preparing organisations against cyber threats, primarily split into tabletop and operations-based types. Tabletop exercises are discussion-based, where teams role-play hypothetical scenarios, such as ransomware, to refine response plans and improve coordination without impacting real systems. Operations-based exercises are hands-on simulations of real incidents, testing practical response skills and operational readiness under pressure. Individually, tabletop exercises enhance strategic planning and communication, while operations-based ones build technical proficiency. Together in a Test, Training, and Exercise (TT&E) program, they form a comprehensive preparedness framework that combines planning with practical testing to bolster overall cyber defence.

    Tabletop exercises: Strengthening communication and crisis readiness

     

    Tabletop exercises are critical for refining crisis response in a controlled, low-risk environment.

    In our recent tabletop exercise with a large organisation’s communications team, we facilitated a scenario-driven exercise that simulated a cyber incident unfolding in real-time. The goal: to evaluate communication flows, stress-test decision-making, and prepare the team for the pressures of a live cyber crisis.

    The exercise revealed key insights:

    • Crisis coordination mechanisms require refinement to ensure seamless collaboration among internal stakeholders and external partners during rapidly evolving incidents.
    • Decision-making under pressure remains a challenge, underscoring the need for more regular, scenario-based training to build confidence in high-stakes situations.
    • Strong internal relationships are a resilience multiplier, enabling faster alignment and more cohesive communication in moments of uncertainty.
    • Third-party coordination protocols need to be formalised, particularly in managing external investigative teams and vendors during an incident lifecycle.
    • Single points of failure can emerge from churn, rapid growth, untested assumptions, and any number of other causes; whatever the cause, they have a significant negative impact on resilience when triggered.

    These findings drove targeted improvements across communication workflows, escalation protocols, and stakeholder engagement strategies, sharpening the team’s ability to communicate effectively and own the narrative during future cyber events.

    These outcomes are exactly what tabletop exercises are designed to produce: clear, actionable improvements in team performance and process maturity.

    Operational exercises: Real-world attack simulations

    For cybersecurity and IT teams, technical hands-on exercises provide an immersive, real-time experience in responding to cyberattacks. These simulations replicate real-world threats, allowing defenders to detect, mitigate, and recover from incidents.

    During one of our recent national cyber exercises, participants engaged in a highly realistic, live-fire environment that closely mirrored the intensity and complexity of a real-world cyberattack on critical national infrastructure. Leveraging federated cyber ranges and connected industrial control system environments, the exercise enabled cross-functional teams – including Rapid Response Teams (RRTs) and Central Security Operations Centre (CSOC) staff – to practice identifying, containing, and recovering from sustained and multi-layered attacks. Participants were challenged to manage incidents in real-time, make high-stakes decisions with incomplete information, and maintain situational awareness under pressure – all while sustaining operational continuity.

    Key outcomes included:

    • Strengthening the ability to detect and respond to hybrid IT/OT threats in high-stakes environments.
    • Enhancing coordination between field teams, CSOC analysts, and external regulatory and security entities.
    • Providing invaluable exposure to realistic threat actor behaviours, improving defenders’ situational awareness and agility.
    • Identifying process and tooling gaps that would be difficult to uncover outside a simulated crisis.
    • Providing a mechanism to practice communication processes between incident responders and the senior leadership, translating events into business impact.

    By embedding hands-on technical simulations into their resilience strategy, participating organisations gained tactical readiness and deepened institutional understanding of how cyber events unfold – and how to lead effectively when they do.

    Case study: Enhancing cyber resilience in the critical infrastructure sector

    We conducted a comprehensive cyber resilience exercise within the civil nuclear sector, to enhance the sector’s preparedness against increasingly sophisticated cyber and hybrid threats. The exercise brought together experts from nuclear plants, transport solutions, and cybersecurity agencies to improve incident management, collaboration, and crisis communication.

    The exercise aimed to address the challenges posed by sophisticated threat actors, complex supply and stakeholder chains, as well as complex converged IT, OT, and IIoT technical environments, all while simulating large-scale cyberattacks on critical infrastructure. With the global energy sector experiencing a 74% increase in cyberattacks over the past year alone, and the nuclear industry being a high-value target for geopolitical adversaries, the threat is no longer theoretical – it is urgent, persistent, and evolving.

    The main objectives of the exercise were to:

    • Train Incident Response Teams (RRTs) and Central Security Operations Centres (CSOCs) in cyber incident management. 
    • Enhance communication skills and collaboration during crises. 
    • Evaluate the integration of IT and OT systems in responding to cyber threats. 
    • Ensure compliance with regulatory requirements. 

    The exercise simulated cyberattacks from a fictional geopolitical entity involving key nuclear and cybersecurity stakeholders. Pre-event training prepared participants with the necessary skills and knowledge on cyber threats and incident response. An essential component of the exercise was the After Action Report (AAR), which rigorously evaluated team and organisational performance. The AAR captured detailed insights into what worked, what didn’t, and how to improve. Following the recommendations, participating organisations were able to close identified vulnerabilities, reduce incident response time by up to 30%, and update response plans to reflect real-world threat dynamics. Moreover, the structured debriefing process improved internal coordination scores across teams by 40% compared to baseline assessments conducted prior to the exercise. These measurable improvements have since informed investment decisions, governance updates, and the design of future training initiatives.

    The exercise highlighted key areas for improvement, such as leadership under pressure and IT/OT coordination. It demonstrated that only through regular, organisation-specific exercises – combined with thorough AAR analysis – can organisations in critical infrastructure stay ahead of rapidly advancing threats and build the operational muscle memory required to respond with confidence and speed.

    Don’t wait for an attack to test your defences

    As cyber threats grow more sophisticated, organisations that fail to prepare risk severe financial and reputational damage. Integrating cyber exercises into your security strategy empowers your teams, strengthens defences, and builds a truly resilient organisation.

    The question is not whether you will face a cyber incident but how prepared you are when it happens.

    Nortal is a strategic innovation and technology company with an unparalleled track record of delivering successful transformation projects over 20 years.