Nonprofits face ever-evolving cyber threats—from phishing to ransomware to business email compromise. Yet many organizations still believe an incident response (IR) plan saved somewhere on the server is enough. But let’s get real: A plan no one has practiced is a plan that won’t work under pressure.
That’s where a tabletop exercise comes in.
It is – by far – one of the simplest, lowest-cost, highest-impact steps your organization can take to build cybersecurity readiness. In just 90 minutes, your staff and board can walk through a realistic cyber incident and stress-test how your organization would respond.
In this post I will provide you with:
- A Nonprofit Incident Response Ready Checklist
- A step-by-step 90-minute tabletop exercise you can run with staff or board
- Tips on how to turn insights into stronger protections
Why Tabletop Exercises Matter for Nonprofits
We are all aware that nonprofits typically operate with lean teams, limited budgets, and high-impact missions. And when an incident hits, every minute counts. Tabletop exercises help you:
- Reveal gaps in policies, decision-making, and communication
- Clarify roles across leadership, IT, and programs
- Practice coordination without technical pressure
- Build muscle memory before an actual attack
- Boost confidence across your board and staff
Most importantly: You don’t need technical expertise to run one! You just need the right structure.
Nonprofit Incident Response Ready Checklist
You can use this checklist as your baseline readiness guide; be sure that you can successfully check off each of these bullet points before conducting your exercise:
People & Roles
- You have an incident response (IR) team defined (leadership, IT, communications, HR, legal, and external vendors).
- Roles and responsibilities are documented and shared.
- An executive decision-maker is clearly assigned for urgent approvals.
Policies & Documentation
- A current IR plan is accessible to the team.
- Critical workflows are documented: backups, MFA, offboarding, vendor escalation.
- Data classification and retention policies exist and are understood.
Communications
- You have pre-drafted internal and external templates.
- Non-email communication channels (text, phone tree, Teams/Slack) are defined in case email is compromised.
- Board communication responsibilities are clear.
Technology & Tools
- MFA is required across email, cloud apps, and remote access.
- Backup systems are tested regularly.
- Endpoint protection, logging, and alerting are in place.
- Your MSP or IT partner has a documented escalation process.
Vendors & Legal
- Key vendors (IT provider, cyber insurer, digital forensics) are identified and reachable.
- Contracts and cyber insurance policy details are stored in a central, accessible location.
Training & Testing
- Staff receive regular cybersecurity awareness training (phishing, passwords, social engineering).
- A tabletop exercise is conducted at least once a year—ideally every 6 months.
Your 90-Minute Tabletop Exercise
This scenario-based exercise simulates how your organization would respond to a cyberattack. It is conversation-based—no laptops, no technical steps, no pressure.
Agenda Overview
- Welcome & Objectives: 10 minutes
- Scenario Setup: 10 minutes
- Guided Discussion (Core Tabletop): 45 minutes
- Debrief & Action Planning: 20 minutes
- Close & Next Steps: 5 minutes
Step-by-Step Instructions
Step 1: Gather the Right Group
Invite:
- Executive Director / CEO
- IT staff or MSP representative
- Communications lead
- HR lead
- Finance lead
- Program leadership
- Board representative (optional but recommended)
Assign a Facilitator—someone neutral who keeps the discussion moving.
Step 2: Introduce the Objectives (10 minutes)
Explain that the goal is not to “pass or fail” but to:
- Practice communication and decision-making
- Identify gaps in policies, systems, and roles
- Build confidence before an actual crisis
Reassure participants: There are no technical right answers—only learning.
Step 3: Present the Scenario (10 minutes)
Use this ready-made scenario (or adjust to your organization):
Scenario: It’s Monday morning. Several staff report they can’t log into email. When they try, they get an MFA notification they didn’t request. Your IT team sees unusual login attempts from overseas. A program manager’s mailbox begins auto-forwarding to an unknown address. An alert appears from your Microsoft 365 security center flagging possible ransomware activity on the shared drive.
Provide printed or projected bullet points.
Let the tension build – this is where the learning happens!
Step 4: Guided Discussion (45 minutes)
Walk through these questions as a group. Encourage everyone to participate.
Detection & Identification
- How would staff report the problem?
- Who confirms this is a real incident?
- What indicators do we rely on?
- Do we know what systems are affected?
Containment
- Who has authority to shut down systems, disable accounts, or revoke access?
- How do we prevent the attack from spreading?
- What communication channels do we use if email is compromised?
Communication
- When and how do we notify staff?
- What do we escalate to the Executive Director?
- How and when do we inform the board?
- What do we tell funders or the public if needed?
- Who communicates with vendors and cyber insurance?
Business Continuity
- Which operations must continue immediately?
- How do we run payroll, grants, or programs if systems are offline?
- Who has authority to approve emergency expenses?
Recovery & Post-Incident
- How do we restore systems and validate they’re clean?
- How do we confirm data integrity?
- What reporting or documentation is required?
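The scenario's three signals (MFA prompts nobody requested, sign-ins from an unexpected country, and a new mailbox rule forwarding to an outside address) are exactly what the "What indicators do we rely on?" and "Who confirms this is a real incident?" questions are asking your IT lead or MSP to describe. The Python script below is an added example, not part of the original post or of CGNET's materials. It runs over a handful of constructed, deliberately simplified log lines (not the real Microsoft 365 audit log schema) and shows how those indicators are picked out and then correlated per user so that one noisy alert is not mistaken for a confirmed incident. The organization domain, the list of expected sign-in countries, and the MFA-push threshold are assumptions for a hypothetical nonprofit.

```python
"""Pick the tabletop scenario's three indicators out of a constructed log
and correlate them per user to decide which accounts look compromised.

The records are constructed and simplified for illustration; they are
not the real Microsoft 365 unified audit log format.
"""
import json
from collections import defaultdict

# Assumptions for a hypothetical organization (not from the original post)
ORG_DOMAIN = "example.org"      # mail domain; forwards elsewhere are "external"
EXPECTED_COUNTRIES = {"US"}     # where staff normally sign in from
MFA_PUSH_THRESHOLD = 2          # unapproved pushes per user before we flag

# Constructed sample log: one JSON object per line, modeled on the scenario
SAMPLE_LOG = """
{"type": "SignIn", "user": "pm@example.org", "country": "US", "result": "success", "ts": "2024-01-08T08:01:00Z"}
{"type": "SignIn", "user": "pm@example.org", "country": "NG", "result": "failure", "ts": "2024-01-08T08:05:00Z"}
{"type": "MfaPush", "user": "pm@example.org", "approved": false, "ts": "2024-01-08T08:05:10Z"}
{"type": "MfaPush", "user": "pm@example.org", "approved": false, "ts": "2024-01-08T08:06:40Z"}
{"type": "SignIn", "user": "pm@example.org", "country": "NG", "result": "success", "ts": "2024-01-08T08:07:00Z"}
{"type": "InboxRule", "user": "pm@example.org", "operation": "New-InboxRule", "forward_to": "archive@mail-relay.example.net", "ts": "2024-01-08T08:09:00Z"}
{"type": "SignIn", "user": "finance@example.org", "country": "US", "result": "success", "ts": "2024-01-08T08:10:00Z"}
{"type": "MfaPush", "user": "finance@example.org", "approved": true, "ts": "2024-01-08T08:10:05Z"}
{"type": "InboxRule", "user": "finance@example.org", "operation": "New-InboxRule", "forward_to": "ed@example.org", "ts": "2024-01-08T08:30:00Z"}
"""


def parse_log(text):
    """Turn the JSON-lines text into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_indicators(events):
    """Return (user, indicator, detail) tuples for each scenario signal seen.

    - unusual_country_signin: any sign-in, successful or not, from outside
      EXPECTED_COUNTRIES
    - unrequested_mfa_pushes: a user who has declined/ignored at least
      MFA_PUSH_THRESHOLD pushes (reported once, when the threshold is hit)
    - external_auto_forward: a new inbox rule forwarding outside ORG_DOMAIN
    """
    findings = []
    unapproved_pushes = defaultdict(int)
    for event in events:
        user = event["user"]
        if event["type"] == "SignIn" and event["country"] not in EXPECTED_COUNTRIES:
            findings.append((user, "unusual_country_signin",
                             f'{event["country"]} {event["result"]}'))
        elif event["type"] == "MfaPush" and not event["approved"]:
            unapproved_pushes[user] += 1
            if unapproved_pushes[user] == MFA_PUSH_THRESHOLD:
                findings.append((user, "unrequested_mfa_pushes",
                                 f"{MFA_PUSH_THRESHOLD}+ unapproved pushes"))
        elif event["type"] == "InboxRule" and event["operation"] == "New-InboxRule":
            # Compare the forwarding domain, not the whole address, so an
            # internal forward to a colleague is not flagged.
            domain = event["forward_to"].rsplit("@", 1)[-1].lower()
            if domain != ORG_DOMAIN:
                findings.append((user, "external_auto_forward", event["forward_to"]))
    return findings


def confirm_incident(findings, min_distinct=2):
    """Users showing at least min_distinct different indicator types.

    One indicator on its own is an alert to triage; several distinct ones on
    the same account within the same window is what lets IT tell the
    Executive Director "this is a real incident", which is the decision
    the tabletop's Detection & Identification questions are about.
    """
    kinds_per_user = defaultdict(set)
    for user, indicator, _ in findings:
        kinds_per_user[user].add(indicator)
    return sorted(u for u, kinds in kinds_per_user.items() if len(kinds) >= min_distinct)


if __name__ == "__main__":
    found = find_indicators(parse_log(SAMPLE_LOG))
    for user, indicator, detail in found:
        print(f"ALERT   {user:22} {indicator:24} {detail}")
    for user in confirm_incident(found):
        print(f"CONFIRM {user}: multiple independent indicators, escalate")
```

In the constructed sample, the program manager's account trips all three indicators and is reported as confirmed, while the finance account's forward to a colleague inside the organization's domain produces nothing; that contrast is the point a facilitator can draw out when the group asks what separates a suspicious event from a declared incident.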
Step 5: Debrief & Action Planning (20 minutes)
Ask the group:
- What worked well?
- What was confusing or missing?
- What policies or documents need updates?
- What tools or training would make this easier?
Record all gaps and assign next steps with owners and deadlines.
Step 6: Close the Session (5 minutes)
End by emphasizing:
- Your organization just practiced a real cyber emergency
- You found areas for improvement before an actual attack
- You are now more resilient than most nonprofits
Turn Insights Into Action
A tabletop exercise is only valuable if it leads to improvements. After your session:
- Update your incident response plan
- Confirm vendor contacts and escalation paths
- Tighten MFA, backups, permissions, logging, and alerts
- Schedule your next tabletop exercise
- Train staff on phishing and emerging threats
- Present a summary to your board (they will LOVE that you did this proactively!)
Final Thoughts
A 90-minute tabletop exercise is one of the most impactful, low-cost cybersecurity investments a nonprofit can make. When a real incident occurs – and we should all know by now it’s a matter of when, not if – your staff and board will be grateful you practiced before the crisis.
If you want help designing or facilitating a tailored tabletop for your organization, CGNET can guide you through it from start to finish. Just reach out!
For forty-two years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website or send us a message!



