Spooky Lessons: Common Mistakes Nonprofits Make in Tabletop Exercises

Tabletop exercises are one of the most effective and affordable ways nonprofits can prepare for cyber threats. These scenario-based discussions walk your team through real-life “what if” situations, revealing how prepared you truly are and where you can strengthen your response. They help teams practice their response to incidents like phishing attacks, data breaches, and ransomware, without the chaos of a real emergency.

But here’s the catch: tabletop exercises only work if they’re done right. Too often, small missteps can turn a powerful learning opportunity into a box-checking exercise that leaves your organization no better prepared.

Let’s look at the most common mistakes nonprofits make, and how you can avoid them on a budget.

1. Mistake: Treating It Like a Quiz Instead of a Conversation

Many teams think tabletop exercises are about testing who knows the “right answer.” That’s not the point. The goal is to build communication, clarity, and confidence, not perfection.

Better Approach:
Focus on collaboration. Encourage participants to discuss their reasoning, identify any areas of confusion, and ask questions. The best outcomes happen when everyone, from leadership to volunteers, feels comfortable speaking up.

2. Mistake: Leaving Out Key Players

It’s common to only invite the IT team or department heads, but real incidents don’t work that way. When a cyber threat hits, everyone plays a role in getting things back on track. From communications and HR to leadership and front-line staff, every part of your organization contributes to a swift, coordinated response.

Better Approach:
Invite representatives from every department that would be involved in a real response. If you can’t include everyone, rotate participants each time. This keeps exercises fresh and ensures your whole team develops muscle memory over time.

3. Mistake: Using Unrealistic Scenarios

If your exercise is based on a movie-style hacking plot, your staff won’t relate or learn what to do when real-life issues occur.

Better Approach:
Keep scenarios simple and relevant. Focus on likely threats like a phishing email that compromises donor data, a stolen laptop, or accidental sharing of sensitive information. These are the situations most nonprofits face and where preparation matters most.

Learn from the Pros This Spooky Season

What would your team do in the first 15 minutes of a breach?

If you’re not sure, a tabletop exercise might be just what your team needs. This spooky season, join cybersecurity experts Destiny Bowers of RoundTable Technology and Joshua Peskay, co-founder of Meet the Moment, along with panelists from both the nonprofit and cybersecurity communities, for Scary Stories: How Tabletops Can Keep the CyberMonsters Away. This webinar will be filled with stories, strategies, and a few (friendly) frights to keep your organization safe!

When: October 29th at 1 p.m. Eastern Time

👉 Register for Scary Stories: How Tabletops Can Keep the CyberMonsters Away

If you can’t attend live, register anyway, and you’ll receive a recording and all the shared resources.

4. Mistake: Skipping the Debrief

After the exercise, many teams move on without reflecting on what went well or what needs improvement. That reflection is where the real learning happens.

Better Approach:
Schedule at least 20–30 minutes to review what worked, where confusion arose, and what policies or tools might need updating.

5. Mistake: Thinking It Has to Be Complicated (or Expensive)

Some nonprofits assume tabletop exercises require consultants, software, or fancy tools. The truth? You can run a great exercise with a single facilitator and a simple agenda.

Better Approach:
Start small. Create a basic outline with:

  • A realistic scenario (like a staff member clicking a phishing link)

  • A timeline of events to simulate escalation

  • Clear goals (e.g., improving response communication)

You can even use free templates or adapt scenarios from trusted cybersecurity partners or government resources.

Your Next Step Toward Real Readiness

Tabletop exercises are about empowerment. They help your team stay calm, make smart decisions, and protect your mission without breaking the bank.

By avoiding these common mistakes, your nonprofit can get real value out of every session, strengthening not just your cybersecurity readiness, but your overall teamwork and resilience.

Have Questions?

Hop on a quick call with one of RoundTable's experts. We’re here to help you find the right digital solutions for your nonprofit! 
