Cyber Security Exercise in a Box

Written by: Institute of Certified Bookkeepers

Be Business Ready for a Cyber Incident

In its annual cyber threat report, the ACSC assessed that medium-sized businesses had the highest average loss per cybercrime where a financial loss occurred. The rise in the average cost per cyber incident is more than $39,000 for small businesses, $88,000 for medium businesses and $62,000 for large businesses.

Source: ACSC Annual Cyber Threat Report, July 2021 to June 2022

The Australian Cyber Security Centre (ACSC) has launched a free online tool to help small and medium enterprises (SMEs) prepare for a cyber incident.

Exercise in a Box guides users through cyber security exercises and includes everything you need to plan, set up and deliver the exercises to your organisation. It also includes a post activity report function that allows you to capture any findings you make during the exercise and use these findings to make meaningful changes to your cyber security posture.

Exercises start by introducing an event, which could be, for example, an organisation’s IT being attacked; these events are referred to as ‘injects’. The exercise then continues by asking a set of questions relating to the ‘inject’.

Exercise in a Box does not require users to enter a simple answer to these questions; they are intentionally worded in order to solicit discussion. One will often find there is no simple answer.

The online tool will keep evolving to ensure it stays current, relevant, and engaging.

Discussion Based Exercises

Think about what aspects of cyber threat management you would like to explore. These exercises help identify cyber security practices that can be employed at a low cost and provide a solid foundation for cyber security management.

  1. A ransomware attack delivered by phishing email.
  2. Mobile phone theft and response.
  3. Being attacked from an unknown Wi-Fi network.
  4. Insider threat leading to a data breach.
  5. Third-party software compromise.
  6. Bring Your Own Device (BYOD).
  7. Threatened leak of sensitive data.
  8. Supply chain risks.
  9. Home and remote working.
  10. Managing a vulnerability disclosure.
  11. Supply chain software.
  12. Supply chain ransomware attack.


  • Responding to ransomware attacks.
  • Identifying and reporting a suspected phishing email.
  • Using passwords.
  • Connecting securely.
  • Securing cloud productivity suites.
  • Securing video conferencing services.

Simulation Exercises

A simulation exercise mimics a cyber threat present on an organisation’s network.
