An effective cybersecurity tabletop exercise for a small or midsize law firm should be short (60-90 minutes), role-specific, and built around a realistic worst-day scenario rather than abstract controls. For ransomware and business email compromise, we run exercises that involve partners, office management, IT, and outside counsel—not just technical staff—because decision-making breakdowns, not malware, usually cause the most damage. The exercise should force real choices under pressure: whether to shut down systems, who communicates with clients, how billing continues, and when law enforcement or cyber insurance is engaged.

One scenario inject that consistently improves incident response is introducing a fake but credible "partner-approved" wire request during a ransomware event. Mid-exercise, we inform the group that email is partially restored and a senior partner appears to authorize an urgent payment to a known vendor. This exposes gaps in verification procedures and authority controls. After running this inject, most firms add a mandatory out-of-band verification rule for all financial transactions during incidents, which materially reduces BEC risk and clarifies who has decision authority when systems are compromised.