The Exercise in a Box toolkit is an online, self-help tool from the National Cyber Security Centre (NCSC), designed to help organisations test and practise their response to a cyber attack. Essentially, it is a free, 90-minute, non-technical workshop that helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment. Scenario themes are realistic and based around the main cyber threats faced. It includes everything needed for setting up, planning, delivery, and post-exercise activity.

The purpose of this case study is to share the milestones achieved during the delivery of Exercise in a Box. This case study relates to the time period from August 2020 to May 2021. 

The Challenge

Exercise in a Box was primarily designed for organisations to hold and facilitate their own internal exercises, physically bringing key people together to take part in what is traditionally referred to as a ‘table-top’ discussion exercise. Due to Covid-19 pandemic restrictions, however, it became challenging to bring people together into one room to participate in a ‘physical’ exercise. Out of adversity comes opportunity, and SBRC took an alternative and innovative approach by delivering a series of ‘virtual’ Exercise in a Box events across Scotland, using video conferencing platforms, delivered and supported by a cadre of SBRC’s experienced ethical hacking students.

We strategically chose to deliver the ‘Working From Home’ scenario first, knowing how many organisations were still getting to grips with the security issues raised by the ‘new normal’ of the pandemic. At the beginning of 2021, when ransomware took over the headlines, we launched our second scenario, ‘Phishing Attack Leading to a Ransomware Infection’.

Always maintaining a user-centric approach, we looked to understand what our attendees expected and what they needed. For example, during our ransomware sessions we learned that attendees wanted more information on how to deal with the media during a ransomware incident, and we created it based on a needs assessment. The feedback for such efforts was overwhelmingly positive.

We consciously worked with organisations and charities based all over Scotland, supporting them in bettering their cyber resilience. The challenges presented to us allowed us to discover a recipe that would see us successfully deliver this project and hit our target, with 266 companies completing a session.

The Solution and Outcome

Despite all the challenges presented, SBRC successfully delivered the Exercise in a Box pilot project over 10 months. In total, 266 organisations across Scotland and 772 attendees participated in the interactive workshops. The organisations came from the public, private, and third sectors, including academic institutions. The virtual approach to delivery increased inclusivity, recognising the diverse nature of business in Scotland and its vast geographical spread.

As a result, organisations the length and breadth of the country, from Dumfries in the south, the Western Isles, Aberdeen in the north-east and Orkney in the Islands, were able to participate in addition to the more populated central belt. Due to the massive success and popularity of the project delivery, SBRC additionally offered each attending organisation a follow-up session where they could be introduced to the Exercise in a Box platform and enquire about cybersecurity-related issues.  

To promote cyber-awareness and continue with the theme of Exercise in a Box, SBRC commissioned 10 cyber-awareness videos that are short, informative and, most importantly, easy to understand.

The following topics were covered in the videos:  

• Password  
• Updates  
• Antivirus  
• Parental controls  
• Public Wi-Fi
• Phishing  
• Home IoT  
• Backups  
• Social Media