Cyber Risk Lessons We Can Learn From Hurricane Preparedness

Risk is real. To better understand cybersecurity risk, let’s compare cyber risks to risks in the natural world from hurricanes. We can learn lessons from hurricanes and unnamed storms in Florida and apply them to cybersecurity.

Cybersecurity risk management can be daunting. Sometimes, it can sound academic. Did you learn the standard formula?

Cyber risk = Threat x Vulnerability x Consequence

Cyber risk can be a dry subject, involving many ‘what ifs.’ It’s a topic often left to governance and compliance specialists in quiet offices, but cyber risk management should be obvious, active, and involve the whole organization.

Why Risk Management Matters

It’s not dusty formulas; it’s dynamic, like the weather.

We did not expect three major storms in less than one month in Sarasota County, Florida. The county of Sarasota, the city of Venice, and Florida Power and Light are proficient at categorizing and preparing for natural disasters. Good risk management saved lives and homes.

We still check the weather every day in the Sunshine State. Do you evaluate your organization’s cybersecurity risks regularly?

Below, I will discuss how to handle cyber risk and provide some tools to better manage cybersecurity risks.

Living with Risk

We live with cybersecurity risks every day. No system is ever one hundred percent secure. Risk is always present. We can’t escape it. A breach, an incident, a misconfiguration is inevitable. We are human, after all.

What Can We Do with Risk?

Transfer
Most organizations have some form of cyber insurance, but an organization may not really know what will be covered until there is an incident of profound significance. Or, when the ***t hits the fan. While your organization is transferring the risk to the insurance company, you as a risk professional will still need to take some action steps:

  • Read your cyber insurance policy at least yearly. Understand which of your organization’s business units are responsible for actions defined in the cyber insurance policy.
  • Know how to contact your insurance carrier (email, phone, chat) and which team member is responsible for contacting the carrier.
  • Have an offline copy of your policy and the phone numbers.

Mitigate
Your organization can reduce risk through cyber hygiene practices including patch management and vulnerability management. You can reduce risk, but you really can’t completely mitigate it. As cybersecurity professionals, if we can get this one concept across to our senior leadership and boards of directors, we have served them greatly.

Cybersecurity is complex, and the message of cybersecurity risk sometimes gets lost in technical details. Let’s not lose the message to our senior leadership. We can’t completely prevent cyber-attacks, but we can greatly reduce our attack surface through cyber hygiene. To learn more about cybersecurity hygiene, see the CIS Controls for a deeper conversation (www.cissecurity.org).

Accept and Prepare to the Best of Your Ability and Budget

Ten days after the storm struck, there were complete houses buried in sand, without water and power. Vehicles were trapped inside garages; neighbors couldn’t even get the garage doors open without digging out and removing inches of sand. The city and county didn’t expect that.

Do your organization’s business continuity and disaster recovery plans address cybersecurity incidents such as ransomware or distributed denial of service (DDoS) attacks? What happens when your data center is so badly damaged that you can’t get your domain controller up? How long can your company function without directory services?

Prioritize Systems and Data Beforehand

You can’t have it all. Your organization must prioritize systems and data before the storm—the ransomware attack. Has your organization prioritized backup power or alternative data center if your data center is down? What data is the most crucial to your organization’s core business?

Expect the Unexpected

Hurricane Milton made landfall as a Category 3 storm at about 8:30 p.m. on Wednesday October 9th, 2024, near Siesta Key in Sarasota County, Florida. That evening, the roof at Sarasota airport blew off. I was at Wild West Hackin’ Fest and my updated boarding pass indicated that I was still landing at a closed airport. I had to convince the airline that the roof had indeed blown off and I needed to fly into another airport. Have you tried to convince an airline that the airport doesn’t have a roof?

Risk Toolkit

  • Build a realistic risk register. It doesn’t have to be fancy. A spreadsheet can work just fine. Can you access your risk register if your data center is down? If Microsoft is down?
  • Be direct and accurate about cyber risks. Don’t sugarcoat the truth to senior leadership. Be truthful and provide them with the whole picture.
  • Conduct tabletop exercises, even for extreme situations. We learned after Hurricane Irma in 2017 that we could be without power for weeks. Your ransomware event could take weeks to resolve. Document lessons learned.
  • Prioritize. There can only be one Number One Priority. What is the ONE most important thing to your organization? Manufacturing? Email? Electronic healthcare records? I can’t tell you. Your organization’s leadership must make that decision and communicate it.
  • Document lessons learned.
  • Don’t deny cyber risks, even those from nation-state actors.
  • Be prepared to make hard decisions when you already have decision fatigue. Acknowledge you may have decision fatigue. Seek trusted advisors.
  • Listen to trusted news sources.
  • Pick areas of interest and specialization for your team. One person knows ransomware well, another person knows DDoS scenarios well.
  • Use a simple risk gauge to communicate with business leaders. Everyone understands the stoplight analogy.
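As an added example (not from the original post), here is a small risk register that ties together the formula given at the top of the article (Cyber risk = Threat x Vulnerability x Consequence) with several toolkit items above: it scores each entry, ranks them so there is exactly one Number One Priority, maps each score to a stoplight color for leadership, and renders the register as plain CSV so an offline copy can be kept outside the data center. The 1-to-5 scoring scale, the stoplight thresholds, and the sample entries are all constructed assumptions for illustration.

```python
"""
Minimal cyber risk register (added example, not the post's own tooling).

Each entry is scored with the post's formula:
    risk = threat x vulnerability x consequence
where each factor is rated 1 (low) to 5 (high), so scores range 1..125.
Entries are ranked highest risk first, mapped to a stoplight gauge, and
written out as CSV so a copy can live offline (print it, keep it on a USB
stick) in case the data center or the cloud tenant is unavailable.
"""
import csv
import io
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed rating scale for each factor


@dataclass
class RiskEntry:
    name: str
    threat: int
    vulnerability: int
    consequence: int
    owner: str

    def __post_init__(self) -> None:
        # Reject out-of-scale ratings early; a register with a "7" in it
        # cannot be compared against the rest.
        for field_name in ("threat", "vulnerability", "consequence"):
            value = getattr(self, field_name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{field_name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}"
                )

    @property
    def score(self) -> int:
        """Threat x Vulnerability x Consequence, as in the article's formula."""
        return self.threat * self.vulnerability * self.consequence


def stoplight(score: int) -> str:
    """Map a 1..125 score onto the stoplight gauge. Thresholds are assumptions."""
    if score >= 60:
        return "RED"
    if score >= 20:
        return "AMBER"
    return "GREEN"


def rank(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first. Ties are broken by consequence, then by name,
    so the ordering is deterministic and there is always exactly one #1."""
    return sorted(register, key=lambda e: (-e.score, -e.consequence, e.name))


def to_csv(register: list[RiskEntry]) -> str:
    """Render the ranked register as CSV text suitable for an offline copy."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["priority", "risk", "threat", "vulnerability",
                     "consequence", "score", "gauge", "owner"])
    for priority, e in enumerate(rank(register), start=1):
        writer.writerow([priority, e.name, e.threat, e.vulnerability,
                         e.consequence, e.score, stoplight(e.score), e.owner])
    return buf.getvalue()


# Constructed sample data: not a real organization's register.
SAMPLE_REGISTER = [
    RiskEntry("Ransomware on file servers", 5, 4, 5, "IT Ops"),
    RiskEntry("DDoS against customer portal", 4, 3, 3, "Network"),
    RiskEntry("Data center loses power for weeks", 2, 3, 5, "Facilities"),
    RiskEntry("Phishing of finance staff", 5, 2, 3, "Security"),
    RiskEntry("Lost laptop with encrypted disk", 3, 1, 2, "Endpoint"),
]

if __name__ == "__main__":
    print(to_csv(SAMPLE_REGISTER))
```

Note the tie-break in `rank`: two entries with the same score (here the power outage and the phishing scenario, both 30) are separated by consequence, which is the factor leadership usually cares about most. The thresholds in `stoplight` are deliberately simple; adjust them to whatever your organization agrees on, but agree on them before the incident, not during it.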

Final Thoughts

People during Hurricane Milton were shuttered in their homes without internet or power. They were sitting in darkness wondering if their roof was still attached and if their neighbors were uninjured. Frightening.

Cyber risks and incidents can be frightening too. But cyber incidents do end.

I’m preparing now for the next cyber storm. Are you?
