What if it Happens? Planning is Key!

Posted on May 17, 2022

Frustrated Computer User

Brent Olson, Emergency Management Director

Today’s Morning Buzz is brought to you by Brent Olson, Emergency Management Director at the City of Phoenix. Follow Brent on LinkedIn

What I’m Reading: “Start with Why” by Simon Sinek

What I’m Watching: The Offer on Paramount+


In preparing for my first Morning Buzz since joining the team, I read several previous Morning Buzz posts. I wanted to fit in and see how the experts were doing it.

I found a Buzz by Kirsten Wyatt posted on April 4, 2022. The title was “Routing & Switching is not ‘Sexy’” and discussed the seriousness of cybersecurity in our cities, as well as how scary the cyber landscape can be. This is one of my favorite topics when it comes to continuity of operations in local government, and Kirsten hit the bullseye with her insights and the resources she provided. After reading it, I felt compelled to address the next logical topic. What if, despite our best efforts, it happens?

I’m an Emergency Manager, which means I think in terms of preparedness, prevention, response, mitigation, and recovery. In the case of cyber security, prevention is significantly more cost effective than response and recovery. But what if your city becomes the next victim of a cyber-attack that leaves you without your most critical computer resources? We still have work to do for our citizens, but how can we continue without these important tools?

The focus of a continuity of operations plan is to make sure, under all circumstances, our most essential functions are continued or resumed as quickly as possible and may mean less important functions are temporarily suspended.

Many people don’t think about their computer resources while developing their continuity plans. We all have great people maintaining and protecting our systems. These systems are often so robust, stable, and reliable we don’t think they will be any other way. Unfortunately, cyber criminals, including state-sponsored cyber terrorists are working hard to find new ways to exploit any vulnerabilities that may exist, and government at all levels are attractive targets.

My office works with each city department to help them develop their continuity of operations plans. When we talk about their operations, we ask if they rely on computers, the network, and email to accomplish the essential functions of their department. We usually get an “Are you serious?” look, followed by “What do you think?” We all know the answer.

Don't Panic

My next question is, “what if you lose your computers during a ransomware attack?” Some would quickly express serious concerns that such an event will make things quite difficult or impossible. I remind them they must continue to perform their essential functions, and we get down to talking about how to plan for it, and just as importantly, train for it.

We have them focus on those essential functions reliant on computer resources, instructing them to have internal discussions with those responsible for performing them, and about how they can perform them without the use of computers, applications, printers, email, etc. This discussion may start with a pronouncement that it can’t be done, followed by brainstorming and ultimately a potential solution. I say “potential” since we don’t know if it will work until it’s tested.

There are two ways to find out if the potential solution will be an actual solution. The first is, wait until an issue happens and see how things go. Not a good way to test a hypothesis. The second, and more preferred way is to train staff on the proposed solution, then see how it works during a simulated event (exercise). It’s difficult to simulate all the nuances of a real-world event during an exercise, but if planned well, it should give a good indication of the viability of the plan. More importantly, it should result in ideas for improvement.

We absolutely need to prevent a cyber-attack from happening, as Kirsten discussed in her Buzz. We also must acknowledge there is still a risk, no matter what we do. If there is a risk, we must address the risk through planning, training, exercises, and maintaining a robust cybersecurity posture. We merely need to look around at those public and private organizations that have suffered a cyber-attack to realize it can happen to any of us. I don’t know about you, but I want us to be ready if it does!

Close window