Skip to content

The Exercise in a Box program designed by NCSC is widely acclaimed, but what’s actually involved?

What is it?

Firstly, it is completely free, and you don’t have to be technical to get involved.

Exercise in a Box can be best described as a tool that recreates real world business scenarios and tests your organisation’s cyber resilience in each scenario. It was developed by the National Cyber Security Centre and started as a self-use tool to help organisations test and practise their internal response to a plethora of cyber issues.

It is, in essence, a box full of text-based exercises based around real world scenarios with probing questions attached to each scenario. It allows your organisation to do them in your own time, in a safe environment, as many times as you want. It includes everything you need for setting up, planning, delivery, and post-exercise activity, all in one place.

We at SBRC have been tasked with promoting Exercise in a Box to Scottish companies by conducting practical workshops where we facilitate one of the scenarios.

The Scenarios

There are multiple scenarios, and all can be accessed from the NCSC website to be conducted by your company. For the purpose of our sessions where we facilitate, we will be focusing on two scenarios we see as being pertinent to Scottish organisations at present.

Working From Home

It is important to understand both the benefits and the additional cyber security risks that home and remote working can bring to an organisation. Many of us have had to move to 100% remote working having never done it before due to COVID-19, which has created the potential that your organisation’s IT services will be accessible to people other than your remote workforce. Additional sudden requirements and demand on infrastructure could increase your organisation’s attack surface, providing attackers with more potential avenues to exploit.

Phishing Attack Leading to a Ransomware Infection

This scenario is based around how your organisation would respond to a phishing attack that leads to a ransomware infection. It tests the support that users are given to detect and respond to phishing attacks, as well as what security controls are implemented to limit the impact of infections when they do occur. It also covers how well you would be able to continue operating if you did get infected with a ransomware, and whether you would be able to rely on your current backup solution.

What does a session look like?

During the session you are paired with one of our ethical hackers, and they take you through the set of questions designed to re-create a certain scenario. This means you have someone on hand who will help you understand if what you are doing is enough, and what else you could potentially think about implementing.

Each scenario is broken into ‘inject’ points. These are used to re-create certain critical factors or moments in the scenario. From here, there are a series of questions you must consider and answer. These questions have been designed by NCSC to allow organisations to understand how prepared they really are for key vulnerable scenarios which could occur during day-to-day working.

On completion, you will leave comforted knowing you have done everything you can to protect your organisation, or with a to-do list to strengthen your organisation. We also offer a follow up session with some 1-to-1 time with one of our ethical hackers who will help you get set up on NCSC Exercise in a Box platform, so you can do some more scenarios internally, and they can answer any questions you may still have.

Join an Upcoming Session

Exercise in a Box has been piloted with small and medium enterprises, local government and the emergency services, but other private and public sector communities could benefit from using it depending on their needs. We have seen companies of all sizes and sectors complete a scenario and see great benefit, however, micro-companies, sole traders, or companies at a very early stage of tech development may not get the full value in joining. Please reach out to us if in doubt over this.

We are conducting sessions over Zoom and Microsoft Teams. The session type will be in the Eventbrite registration page name.

The session is discussion led, and with this it is paramount that you bring some team members! Along with yourself, we recommend at least two to five others, with employees from all different departments represented. As it is non-technical those from non-technical departments will be able to feed just as much into the conversation as a technical team.

We are welcoming organisations from all over Scotland to take part in one of our Exercise in a Box sessions taking place over the next few months.

If you are interested in finding out more, please email your interest to [email protected].