Counting the Cost of Preparedness
“An ounce of prevention is worth a pound of cure.” Benjamin Franklin wrote these famous words to residents of Philadelphia in 1736, exhorting them to take the necessary measures to stop preventable fires. While this timeless quote was originally about fire safety, its truth still holds today for preparedness across all phases of emergency management.
Why do many organizations still struggle with prevention? It undoubtedly takes time, money and commitment, all of which can be costly. However, the cost of prevention and mitigation pales in comparison to the cost of response and recovery. In light of the recent cyber-attack on the Colonial Pipeline Company, which disrupted day-to-day life for millions of Americans along the East Coast, we want to offer three lessons learned that can help organizations take effective steps to integrate cybersecurity risks into their all-hazards preparedness plans.
Lesson 1: Cybersecurity and the Whole Community Approach
Many incorrectly assume that local, state, and federal agencies such as FEMA are responsible for emergency preparedness efforts, including cybersecurity. However, the private sector plays a major role in how the U.S. economy functions. It is estimated that 85% of America’s critical infrastructure is owned and controlled by private businesses. Disasters within private sector businesses can have a significant impact on their surrounding communities and those they serve. Government agencies also rely on the private sector, including critical infrastructure. One of FEMA’s strategic plan goals is to “Build a culture of preparedness” because FEMA recognizes the need to cultivate preparedness among citizens and private businesses. The Colonial Pipeline incident illustrates the significant consequences of cyberattacks on private businesses and the economy. Disruption to operations doesn’t just affect the company’s bottom line; it creates a ripple effect that negatively impacts communities that have come to rely on the company’s services and products.
In February 2021, a hacker gained remote access to a computer controlling the water treatment system for Oldsmar, Florida, with the goal of pumping dangerous amounts of sodium hydroxide into the city’s drinking water. Had the hacker succeeded, the entire community would have been subject to extremely negative health effects. This near-miss shows the potential whole-community impact from one organization’s lack of cybersecurity preparedness.
Private businesses controlling major infrastructure must be included in city, county, state, regional and/or national emergency preparedness efforts. Public-private partnerships are a critical component of “Whole Community Engagement” for building regional emergency preparedness.
Whole Community Engagement promotes trust which results in collaboration, information sharing, and coordination between the private and public sectors. Emergency coordinators and economic development liaisons should build relationships with private business partners before disasters strike so that government understands how best to interface with businesses during disasters and facilitate business continuity and economic recovery.
Lesson 2: Account for Cybersecurity Risks in Business Continuity Plans
The Colonial Pipeline is around 5,500 miles long and provides roughly 45% of the East Coast’s supply of fuel, diesel and jet fuel. No doubt, they had emergency response plans in place for power outages, physical damage to pipes, leaks, natural disasters and the like.
What about cybersecurity risks due to an increase in remote working during the pandemic? Like many businesses adjusting to the “new norm” of remote work, the Colonial Pipeline Company had engineers accessing the control systems for the pipeline and the company’s network remotely. It is reported that the cyber-criminal gang responsible for the attack infiltrated Colonial’s network and held almost 100 gigabytes of data hostage.
No matter the size of your business, your organization needs to account for cybersecurity risks in your business continuity plan. In a recent survey conducted for the “Hiscox Cyber Readiness Report 2021,” respondents reported that 23% of small businesses in the U.S. had suffered at least one cyberattack in the past twelve months. As businesses continue to transition to remote operations and cloud-based networks, the risk for cyberattacks also increases. If your organization hasn’t updated its Emergency Operations and Continuity Plans to include cybersecurity risks, now is the time to make those updates. These plans need to adequately address prevention and mitigation strategies, not just response and recovery.
Lesson 3: Assess Cybersecurity Risks; Plan for the Worst
Planning begins with conducting an all-hazards risk assessment. This should be specific to your organization and include realistic threats and hazards. The plan should identify prevention and mitigation strategies. While many IT companies will offer standard software solutions, a comprehensive approach includes plans, policies, procedures, software, hardware infrastructure, training, insurance, and exercises. The aforementioned Hiscox report found that the average financial cost of a cyberattack to a small business in the U.S. during a period of 12 months is over $25,600. If 23% of businesses surveyed had suffered a cyberattack in the previous 12 months, organizations should be investing in cybersecurity to prevent and mitigate these threats.
Businesses should identify potential impacts and consider methods for mitigating adverse impacts and continuing operations. While no company can mitigate all cybersecurity risks, attention should be given to the risks with the greatest likelihood and negative impact on business operations.
Next Steps for Cybersecurity Resilience
If your organization hasn’t taken the steps to identify, plan for, and test its capabilities against cybersecurity risks, we are here to help. ASG has a unique blend of all-hazards, emergency preparedness expertise paired with innovative cybersecurity solutions through our partnership with Regent University.
Regent University’s Cyber Range Training allows organizations to build cybersecurity capabilities and test systems within a closed network to validate effectiveness. With this partnership, ASG can work with your organization to identify the risks, develop emergency and business continuity plans, and validate the effectiveness of capabilities and preparedness plans through live and simulated exercises.
Ready for your “ounce of prevention”? Contact us today.
Alliance Solutions Group (ASG) has extensive experience assessing internal and external risks and developing Emergency and Business Continuity Plans for organizations. In 16 years of business, we have developed over 85 All-hazard, Risk-based Emergency Plans and conducted over 2,000 exercises.
ASG is readily accessible to our public sector partners through the Virginia Department of Emergency Management HSEEP Optional Use contract (VDEM: 127:19-006) and the VDEM Emergency Management Consulting contract (VDEM 127-09252015-001-DBS).