By: Linda Perkins
The U.S. Department of Homeland Security (DHS) recently made “strengthening risk management and prioritization of cyber and physical threats and hazards” a national priority. Similarly, this week’s theme for National Cyber Security Awareness Month is “Safeguarding the Nation’s Critical Infrastructure” and, looking ahead, the DHS has designated November as Critical Infrastructure Security and Resilience Month. By doing so, the DHS hopes to engage and educate public and private sector partners and raise awareness about the pressing need to secure the range of systems and resources that underpin everyday life in the U.S. Businesses can address many of these recommendations on their own, but others may be better informed after consultation with counsel to make sure certain risks are properly assessed and responsibly mitigated based upon the individual business environment.
Without even thinking about it, we all rely “on critical infrastructure for how we travel; communicate with our friends, family, coworkers and customers; conduct business; handle money, obtain clean, safe food and water; and conduct other important daily functions.” The DHS’s Connect, Plan, Train, Report recommendation states that “managing risks to critical infrastructure involves preparing for all hazards, reinforcing the resilience of our assets and networks and staying ever-vigilant and informed.”
Large and small, businesses are being encouraged to “Connect, Plan, Train and Report.” To that end, they should work to develop relationships in their community, including local law enforcement, so that in the event an incident occurs in their community they know how to best notify law enforcement as well as any other key stakeholders or partners for their individual business. This may help to improve critical response to an incident and even limit the impact of an unfolding crisis.
Businesses and other entities should take time now to plan on how they will handle a security event should one occur and moreover learn from other events (even those outside their system or enterprise) to improve their own plans. Simple active security measures may include:
- requiring ID badges or other forms of security at entry doors;
- use and maintenance of antivirus software within the company network;
- exterior fencing and secure doors or gates to control entry onto business premises; and
- automatic or timed locking of idle computer screens.
Businesses may build resilience into their security plans by establishing a business continuity plan, installing generators for back-up power or servers for internet access, and using durable building materials depending on location and other possible external threats. Businesses should also consider ways to build security and resilience into infrastructure design, planning and decision-making through investment and innovation. The U.S. Small Business Administration also offers useful guidance, in addition to an online toolkit, for developing a business plan that addresses a range of cybersecurity-related concerns.
Employees should be trained on how to handle different scenarios impacting critical business or local operations and on how to access and follow any plan put into place to increase security and build resilience.
And finally, whether you are at work or just running errands, remember “If You See Something, Say Something™.” It is very important to understand, however, what constitutes “suspicious activity” in the context of DHS’s campaign to protect against terrorism, terrorism-related crimes and cyber-attacks, including how and what to report. Additional critical infrastructure resources for government and private sector partners may be accessed on DHS’s website.