I have spent the most notable years of my career helping organizations improve their cyber security incident response plans. To do this effectively, we dive in, ask questions, consider scenarios, look at contingencies, and identify gaps. It has personally been very rewarding for me because planning is in my core – I rarely fly by the seat of my pants, and usually have multiple backup plans. But on August 25, 2017, I was blindsided by Hurricane Harvey. This category four storm devastated my home, my neighbors’ homes and businesses, and our island town along the Texas coast. In the days that followed, we had to take swift action to get our lives and property back in order. So much of what we experienced led me to reflect many months later, as we are still recovering, on how I could have been better prepared, and how our city could have been better prepared.
If you have read some of my previous blogs or joined some of my webinars, you know that I believe there are fundamentals that exist in cyber security incident response actions that are similar to or the same as those in physical disaster emergency plans. We have to consider the impacts to operations, people and systems. How long can we do without something? Who needs to be communicated with and when? What pre-decisions can be made in advance? Can we establish, in advance, agreements and contracts with resources that can help?
The city government officials in my community are certainly still identifying lessons learned and crafting improvements to plans in the aftermath of Hurricane Harvey. As a citizen, I see the need to add a citizen emergency action plan to help. In hindsight, pre-planning workshops would have helped the city consider some basic scenarios that played out. For example, our water system was impacted severely, so we were without water or sewer services for several weeks. The city could have considered establishing emergency contracts in advance to bring in portable toilets and water trucks within the first 24-48 hours.
In short, whether it is a cyber security incident or a natural disaster, what we do before the event happens directly impacts the aftermath. Yes, we are resilient. Yes, we will recover. But anything we can do to make it faster, easier, or less impactful should be a priority for future iterations of our plans. As a cyber security professional and a citizen, I urge cities to revisit their emergency response plans regularly and consider how they would respond to a cyber security attack, walk through scenarios, and build confidence in their ability to respond and recover.