What hurricane preparedness teaches us about resilience

Applying five FEMA best practices to your incident response planning

We all know hurricanes are a significant threat to life and property in communities stretching from the coast to hundreds of miles inland. Every year we see these storms strike, and we get smarter about preparing for their impact. Best practices evolve, and our communities get more resilient. What if we applied the same best practices to preparing for cyber events?

The 2018 hurricane season is already underway, and a massive public information campaign has been ongoing for weeks to ensure that those most likely to be impacted are prepared. From FEMA and the Weather Channel, to the Red Cross and Facebook, everyone is sharing best practices and practical planning advice.

According to the FEMA hurricane survival guide, there are three phases to navigate: preparation beforehand, survival during the storm, and safety afterwards while things get back to normal. The preparation phase focuses on increasing resilience for you, your family and your property.

These basic steps are considered the gold standard in preparing for one of Mother Nature’s most powerful forces, but what if we applied the same principles to preparing for a manmade cyber event? If we were as diligent about preparing for threats against our data as we are about preparing for threats in nature, imagine how much more resilient we could be.

Here are five lessons we can take from FEMA and apply to our own incident response planning:

Stay informed

When a storm shows up on the radar, experts work around the clock to gather as much information as possible about its current condition and the current environment where it’s forming. All of this information is fed into complex scientific models that predict where, when and how the storm will make landfall. While this process can’t predict an event down to the exact detail, it does provide sufficient information to allow individuals and communities in harm’s way to start taking necessary precautions to minimize any potential damage. FEMA encourages everyone to take advantage of this available information and pay particular attention to notifications directly impacting your area.

In cybersecurity, there are experts tracking threats as they evolve, and while they similarly can’t predict the exact nature of the next attack, they are able to provide information that allows us to be more aware of the threats targeting our specific industries and sectors. Information sharing is also an effective way to stay plugged into the latest threat intelligence. Even the slightest warning about what may be coming can give you enough time to proactively strengthen your defenses.

Make a plan

Before a storm threatens, FEMA recommends having a plan in place for keeping your family safe. The goal is to determine the who, how, what and when of your response before you actually need to take any action. The FEMA guidelines emphasize thinking through the needs of each family member (including pets!) and how you’ll meet those needs if you are cut off from outside resources. They also recommend mapping out the logistics of a potential evacuation, both route and destination, and creating a checklist that covers your collective needs and supplies, so nothing gets left behind if you have to move quickly. Reviewing the plan with your family will ensure that everyone knows their role and responsibility.

The parallels to cyber incident response planning are obvious. You need a plan that accounts for the needs of your entire organization. The whole company will be impacted by an event, so you have to think through the requirements for each functional area – not just the IT team. You also need to have a well-thought-out strategy for how you’re going to keep the business running if you have to evacuate – i.e., stop using your networks, emails, phones, etc. Does your business continuity plan account for a cyber incident? Bonus points here, too, if your team practices the plan. Everyone should understand not only their own role, but also the roles and priorities of the rest of the organization.

Establish a communications plan

The FEMA guidelines suggest that you establish an emergency communications plan, in the event that your family is separated when a storm hits. How will you connect with each other to confirm safety and location? Critical contact information, such as phone numbers for your immediate family and any other emergency contacts, should be written down and kept with your preparedness checklist. Think through back-up communications options, in the event that you lose access to your usual means of contact. How will you charge your phone if the power is out? Again, bonus points if your family has practiced and is familiar with the communications plan.

Communications planning is one of the most overlooked aspects of traditional incident response planning. The fact is, information about an event has to be shared with a network of stakeholders, and the process of developing that list and the criteria for communicating with each group should be part of your planning process.

Additionally, teams often assume they’ll be able to call and email each other, but when you don’t know the extent of an event, you can’t always be certain that your communications systems haven’t been compromised. What is your plan to connect with the CEO if you can’t just call her cell?

Not only do you have to think through the full network of people who will need to be contacted, but you have to also think through the specific channels that you will use – and what you’ll do if they’re out of service.

Gather your supplies

When a disaster hits, having a comprehensive stockpile of the critical things you’ll need to weather a lengthy aftermath can give you peace of mind as things get back to normal. FEMA recommends you keep on hand a 3-to-5-day supply of food and water for your family (and pets!), any required medication, copies of critical documents, a first aid kit, hygienic items, tools and cleaning supplies.

Stocking a similar toolkit is also a critical part of your cyber incident response planning process. In the aftermath of an incident, you don’t want to waste time trying to find the reference materials, templates or procedural materials that you need to make a smooth recovery. Doing the work ahead of time to build tools like a stakeholder map, impact scale, contact lists and breakdown of roles and responsibilities can save you valuable time and enable more informed decision making after an incident occurs.

Protect your property

A key FEMA recommendation is to improve the resiliency of your physical property by taking steps to protect it against the different types of threats associated with large storms. A hurricane brings both wind and rain, which can lead to anything from flooding to flying debris. Precautions such as boarding up windows, anchoring items in your yard, cleaning your gutters and waterproofing your basement can all help reduce the physical damage to your property.

Similarly, you should be taking steps to protect your physical network and infrastructure from multiple types of threats. Proactively taking actions like network monitoring, establishing access controls, and just generally layering your lines of defense won’t keep a storm from hitting you, but it can go a long way towards mitigating the damage when one does.

Over the years, our ability to withstand the increasing power and destruction of Mother Nature has grown exponentially through a widespread embrace of best practices for hurricane preparedness. Our communities are now more resilient than ever. While every storm is different, and you still have to make smart decisions about how to respond, adapting preparedness lessons from FEMA shows us that when you have reliable threat intelligence, a good response plan, backup communications and a well-stocked toolkit, and you proactively strengthen your defenses, it’s possible to weather any storm.

This article is published as part of the IDG Contributor Network.