Next-Level Cybersecurity: Preparing for Internet Shutdown
Companies around the world need a comprehensive plan in place to ensure that critical business can still get done in the case of a prolonged Web outage.
What would it mean for your business if the Internet went down? Not just a network or two, for a few hours, but a large-scale, long-term shutdown of the Web itself. The idea that hackers or governments (or hackers hired by governments) could disable or disrupt the communications infrastructure that the world relies on sounds like fodder for a big-budget summertime thriller. But on a more prosaic level, the reality is that natural disasters such as Hurricane Sandy or technological errors could also cut off large sections of the world from the Internet.
And although the Department of Homeland Security takes fears of a widespread crash seriously (it has funded research to build a replica of the Internet, testing what would happen if it went down in various doomsday scenarios), a new study from G. Stevenson Smith at Southeastern Oklahoma State University points out that this concern isn’t necessarily shared by businesses. To be sure, plenty of firms are on alert for cyberattacks that could target their internal systems, but companies are still mostly unprepared for a large-scale Internet disaster.
Just think of how many business functions assume Internet connectivity is a given. Consider being unable to use smartphones, email, electronic banking, online medical records sharing, supply chain and delivery technology, and the tech involved in operating mass transit. It is difficult to overstate the impact of a serious Internet outage across the U.S. — or even global — business landscape. But, the author of the study writes, someone’s got to imagine it.
Building on his experience analyzing cybersecurity and financial risk issues, along with performing an analysis of the latest media reports and research on the still-fledgling topic, Smith suggests that the job of anticipating and reacting to an Internet disaster should fall to a predetermined emergency response (ER) team. Not unlike the ER teams trained to help colleagues evacuate a building in the event of a fire or natural disaster or terror threat, this specialized squad would be ready to deal with catastrophic Internet outages at a moment’s notice.
Who should be a part of this team? Although it might be tempting to build such a specialized unit around your existing IT department, Smith argues that the modern IT staff is mostly involved in the upkeep of a firm’s internal network. It should not be assumed that their know-how extends to external crises. Therefore, the IT team should assume an ancillary role. It’s also important not to bog down the ER team with too many members of senior management. What’s needed in a time of technological crisis is quick thinking, not deliberation, he argues.
Smith suggests the ER team should exist outside the regular organizational chart, be fairly streamlined, and be led by the company’s chief communications officer (CCO). Under the CCO, a few key internal managers and Internet forensic specialists — who are typically outside consultants — should be ready to assemble, plan in hand, as soon as there is a hint of trouble, and they should be given the authority to oversee the event. Smith suggests having a basic plan to cover 48 to 72 hours without Internet access.
The ER squad should also include a corporate attorney who can review whether connectivity losses violate any legal agreements with partners and suppliers; a liaison manager to keep upper management briefed as events unfold; an HR representative who can help the team safeguard employees’ confidential information; and a public relations supervisor who can explain the evolving situation to employees and the public if there’s limited Internet access, and be ready with a statement once full connectivity is restored.
Most important, according to Smith, is for the response team’s key cadre of external technicians (who have both familiarity with the company’s communications platform and expertise in Internet infrastructure) to be given the freedom to respond to rapidly shifting attacks. “Before any problems begin, higher-level management needs to provide the technicians with a priority blueprint as to which processes in the company are most important to keep open,” Smith writes; examples include those relating to billing, customer records, vendor contracts, employee interfaces, inventory control, and bookkeeping.
For shorter-term outages, companies should, at a minimum, have contracted with a backup ISP in case their primary carrier fails. They should also make sure their business and accounting records are backed up and, if possible, have the capacity to store the data that would be accumulated during a blackout period.
For longer-term interruptions, the ER team should ensure that firms have the necessary hard-line connectivity to operate critical business functions. It’s also helpful to have a few mobile data centers on hand — large SUVs, equipped with servers and satellite dishes, that facilitate the flow of communication even while certain segments of the Internet are down.
It might sound far-fetched, but you never know what Hollywood screenwriters — or real-life hackers — will think of next.
Source: “Emergency Business Management and Internet Connectivity,” by G. Stevenson Smith (Southeastern Oklahoma State University), Business Horizons, May-June 2017, vol. 60, no. 3