Security magazine’s recent focus on proactive mitigation measures for black swan events — incidents that come without warning and have large consequences — highlights the importance of being prepared for difficult situations in order to avoid them becoming catastrophic. In other words, the better prepared organizations are for situations like the 2021 Texas February snowstorm blackout, the less of a danger they pose to the general public and users of those critical infrastructure companies.
As Jackie Chan once said, “The best fights are the ones we avoid.”
Perhaps one of the biggest challenges of working inside of a company is the familiarity with daily work. This often causes small blind spots that turn into major issues when black swan events occur. A small challenge that is easily overcome during regular work hours can turn into a huge problem that creates a bottleneck in production during an emergency and can drastically damage brand image in the public eye.
This particular aspect of black swan events is where consultants can be especially helpful — especially security consultants.
The job of a consultant is to provide an outside perspective that assesses the important potential outcomes for a company and identifies both the major and minor aspects of operations that might be hindering productivity or causing breakdowns in a black swan event. In this respect, consultants are invaluable for black swan-proofing companies: especially companies involved in critical infrastructure, such as the energy sector. Consultants thrive when positioned to insulate a company against events that cripple cities because their neutral third-party perspective can more easily identify problems that would otherwise be overlooked.
Security professionals in particular provide an additional level of value as consultants because they are trained to think of the whole operation — not just the inner workings — from supply lines to facility security to power generators for critical systems, even to the potential for employees being unable to arrive on-site for shifts.
After a company has completed every step possible in-house to emergency proof their company, the next logical step is to bring in a consultant to look through the organization with a fine-toothed comb and provide a list of potential challenges and proactive measures to mitigate risk.
Before hiring a consultant
There are a few things that can be completed in-house to prepare a company for emergency situations before bringing in a consultant. These are items that can save both time and money and free the consultant up to focus on the potential issues that would be overlooked otherwise.
Backup generators for specific systems
The last few black swan events that the world has seen have lasted several days, leaving everyone affected differently. A good rule of thumb for critical infrastructure organizations is to ensure a backup generator is in place for each system. When selecting a backup generator however, ensure it is the kind of backup generator that can handle several days without regular power.
Having multiple systems in place helps mitigate the chance that a city or state-wide emergency will throw an organization unprepared into the deep end.
Emergency internet
Let’s face it, the internet has become a critical piece of our lives and businesses. It is estimated that over 2,000 petabytes of data is stored in cloud form on the internet, and that’s just counting major service and storage companies. It’s safe to say that internet access is a critical part of every business, not just critical infrastructure companies.
This means that having emergency wireless internet access will help mitigate the impact a black swan event will have on your company and the infrastructure you support. It will also help on the physical facility security side of critical infrastructure organizations and enable remote monitoring to continue regardless of what happens with an outage.
Backup systems. Period.
Although it’s not practical to have an entire additional set of systems available for places like power plants and internet providers, having additional systems that can run the whole grid/organization for a number of hours and a rotating team of on-call technicians to provide quick repairs will enable a quicker response-time in the event of an emergency.
If possible, having two separate systems that can handle the regular load is ideal since these kinds of systems can provide “off time” for the others in order to enable routine maintenance without interrupting production. Although this is a more expensive option, it does provide an extra level of security against emergencies and enables a smoother run of the whole organization.
Satellite phones
Although satellite phones are often used by smaller companies to keep working when provider networks break down, they are highly useful for critical infrastructure companies as well.
Communication is the backbone of an efficient company and is often one of the greatest challenges found during a black swan event when the world is thrown into chaos. Having a number of satellite phones available ensures that teams are able to continue communicating and helping each other even when disaster strikes.
Book in advance
If providing servers or systems that contain sensitive information, it’s important to have security booked well in advance to emergency situations.
Like most companies, security firms often prioritize long-standing clients over new clients since the long-standing clients have a higher likelihood of remaining clients and are already built into the firm’s infrastructure & planning. This means that the clients who have been working with them prior to the emergency situation are likely going to receive quicker and more effective service. But when functioning in the realm of valuable information or infrastructure to a city, security cannot go down for even a few hours.
The best way to avoid the issues of having to get security on-site within an hour or less is to simply have it there in the first place.
If an organization’s security leadership completes all of these steps and are still unsure of how emergency-proof your business is, it might be time to bring in a consultant to provide an outside perspective.