How to Prepare your Business for the Next Colonial Pipeline
The 4 actions you can take now
Epidemiologists predicted a major pandemic. They were right, and SARS and MERS were the early warnings.
Cybersecurity experts predict a major hack, one with national or global impact. The Colonial Pipeline hack is one more early warning.
Such an attack could hit our electrical grid, water supply or food supply. And there’s little we can do to stop it.
The cavalry is not coming. You, and your business, need to prepare.
Here are four ways to do just that.
1. Don’t Be Colonial Pipeline
Obviously, no one wants to be Colonial Pipeline, but many businesses are just as unprepared. Though the company isn’t talking, experts say the attack almost certainly came from one of three causes: an unpatched vulnerability, a phishing email that fooled an employee, or leaked credentials. All three are failures of basic preparation.
Here’s how not to be Colonial Pipeline:
As a company, you need to have a cybersecurity program. Expensive, you say? Maybe so, but it would clearly have cost Colonial Pipeline less than the roughly $4.4 million ransom (75 bitcoin) they paid to the attackers, plus the millions in incident response and recovery costs and the lawsuits still to come.
Here are the basic components of a cybersecurity plan:
— It’s the people, stupid! Have mandatory cybersecurity awareness training.
— Close the doors the attackers actually use. Patch your systems promptly, require multi-factor authentication on remote access and email, and know which accounts have passwords that may already be circulating.
— Build Resilience. No matter what controls you put in place, assume they will fail and make sure you can recover when, not if, they do: keep backups offline where ransomware cannot reach them, and test that you can actually restore from them.
— Insurance? Get it while you can, because soon it will be a lovely memory. Like typewriters.
There are lots of resources to help you plan. A link to my book on cybersecurity planning for business is at the end of this post.
2. Have a plan if you are Colonial Pipeline
Let’s be honest, someone is going to be the next Colonial Pipeline. If it is you, here’s what you are going to need:
— Cybersecurity Plan: Strategy, controls, incident response, recovery.
— Bitcoin: Because sometimes you have to pay the piper. Decide in advance who can authorize a payment and how you would obtain the coins, and understand that paying a sanctioned group can be illegal and that payment does not guarantee working decryption keys.
— Disaster Recovery and Business Continuity planning. Build resilience.
3. Do disaster scenario preparation
Those who take cybersecurity seriously engage in “tabletop” and live simulations, often run by an outside cybersecurity expert. The leadership team gathers in a room and is hit with a scenario, such as a ransomware attack. The facilitator asks for decisions, ratchets up the stakes, and asks for more decisions. If you’ve done one of these, you know they make you sweat.
At the end, the facilitator reviews your actions and decisions with you. Often you will discover how wrong you were in the heat of the moment.
The kicker: simulations are usually based on a real-world hack the facilitator knows first-hand.
Participating in such a simulation gives you and your leadership team the roadmap you will need when an attack actually hits.
4. Consider profitability scenarios
Many businesses thrived during the pandemic. Zoom and others that enabled remote work were among the beneficiaries, as were producers of PPE and medical equipment. And Clorox.
Certainly, many enterprises that were in a position to help during the pandemic were caught off guard. They themselves had no real plan in place. If you are in a sector with the potential to assist business and society during a cyber attack, include that in your plans as well.
Some businesses in this category: food delivery, water, power, transportation, healthcare, logistics…
My book, Cybersecurity Program Development for Business, can help you prepare.