Introduction
Imagine being in your office, working on a project, when suddenly … your computer screen changes, and a ransom note appears instead of the document that you had spent hours working on. You look around and see the other computers in your office all look the same. The ransomware is working its way around the whole office, spreading rapidly. What do you do?
In this article, we explore a free service from the National Cyber Security Centre (NCSC), called ‘Exercise in a Box’ – aimed at helping organisations with cyber security, including preparing for ransomware attacks. We look at the benefits of this service, explain how it works, and provide insight on how to use it.
Resource
The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security, dedicated to making the UK the safest place to live and work online. The NCSC provides a range of services to help organisations protect themselves and react to cyber threats. One of their key offerings is called ‘Exercise in a Box’ and is aimed at providing organisations with training on cyber security threats, such as ransomware.
Benefits
- Free and Easy to Use: Exercise in a Box is a free online resource, making it accessible to all organisations
- Realistic Scenarios: The service provides a range of exercises based on real-world cyber threats, including ransomware, phishing, and supply chain attacks
- Improved Preparedness: By regularly practicing a response to cyber incidents, organisations can identify weaknesses and improve overall cyber resilience
- Enhanced Collaboration: Exercises encourage teamwork and communication, building a stronger cyber security culture
- Adds to Existing Security Controls: The Exercise in a Box service can enhance the effectiveness of existing cyber security controls by raising awareness and supplementing training
- Compliance Support: By helping organisations raise awareness and provide training, the service can support compliance with UK data protection regulations and other legal requirements
How It Works
- Micro Exercises: Short exercises, designed to be a mix of fun and learning, focusing on a single subject, such as identifying and reporting phishing emails, password managers and securing video conferencing
- Tabletop Exercises: Group discussion exercises that help identify potential responses to unfolding cyber incidents, such as a ransomware attack, being attacked from an unknown Wi-Fi network and mobile phone theft
- Comprehensive Guidance: Detailed instructions and resources to help organisations conduct the exercises and take appropriate actions based on the results.
Who’s Eligible to Use It
The NCSC has a mission to make the UK the safest place to work online, and as such, they have made Exercise in a Box available to organisations of any size. This includes public sector bodies, private companies of all sizes, charities and not-for-profits, educational institutes, healthcare providers, and local authorities. Many organisations have already used the service, and many more can benefit too.
How to Get Started
- Visit the NCSC Website: Go to the NCSC’s Exercise in a Box webpage to access the service
- Choose an Exercise: Select from a range of exercises that best suit your organisation’s needs
- Follow the Instructions: Use the guidance provided to set up and conduct the exercise
- Reflect and Act: After completing the exercise, review the results and take appropriate actions to address any identified weaknesses
- Repeat: When ready, choose another exercise and continue to learn, adapt and develop
What’s in There
- Identifying and reporting a suspected phishing email
- Password managers
- Responding to a ransomware attack
- Securing cloud productivity suites
- Securing video conference services
- Third-party software compromise
- Threatened leak of sensitive data
- Bring Your Own Device
- And much more
How We Help
- At RB Consultancy Ltd – we support organisations in strengthening their cyber security posture
- NCSC Cyber Advisor certified – we’re proven to help organisations understand and implement technical controls
- NCSC Assured Service Provider – we meet the standards set by the National Cyber Security Centre (NCSC)
- IASME Assessor and Certification Body – we assess organisations and issue certificates for Cyber Essentials, Cyber Essentials Plus, and IASME Cyber Assurance
- Consultancy – with ISO 27001 Lead Implementer certification, we help organisations implement an Information Security Management System (ISMS) and associated controls
Conclusion – How ‘exercise in a box’ can help your organisation
Exercise in a Box is a valuable (and free to use) tool for organisations looking to enhance their cyber resilience. By providing realistic and practical exercises, the service enables organisations to test their defences, identify weaknesses, and improve their response to cyber incidents. This service supports the controls set out for Cyber Essentials, Cyber Essentials Plus, and IASME Cyber Assurance, and supports compliance with UK Data Protection regulations.
When cyber threats are ever-evolving, Exercise in a Box offers a free and accessible solution for organisations of all sizes. By leveraging this service, organisations can try to stay ahead of cyber threats and support the security and resilience of their digital assets.
RB Consultancy Ltd empower organisations through cyber security. We can provide insight on how we use this service and the associated benefits. Contact Us for further information, advice and guidance.
Information Sources
- NCSC Exercise In A Box webpage: https://www.ncsc.gov.uk/section/exercise-in-a-box/overview
Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, IASME Cyber Assurance, and has many years’ experience in IT and cyber security. Remo has a history of supporting organisations from all over the world – including a Fortune 500 company in the USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only and should not be taken as legal advice.