When Physical Disaster Strikes: Planning to Protect Cyber Assets

Within the world of risk, there are two facts we inevitably find to be true: one of the greatest risks to a company’s reputation is a cyber breach, and one of the greatest risks to a company’s operations is a physical disaster. Unfortunately, the two incidents are often bedfellows after a disaster strikes as cyber attackers are likely to make their move when a company’s IT staff and resources are consumed in post-incident recovery.

Without question, both of these considerations pale in comparison to the importance of saving lives. Prioritizing life and safety issues in a disaster scenario is paramount; it is also important to consider that saving lives can often be dependent on IT services themselves.

To compound what is already a national tragedy, this is a real-world scenario for many companies in Texas and Louisiana who have seen so many of their physical assets destroyed and are doing all they can to keep their systems online and their networks operable. In this state of reactive recovery, they are also more vulnerable to attack.

How do companies assess and mitigate risk before and after disaster strikes, and what are the issues companies typically face? In our experience, few companies are adequately prepared for a skilled cyber attack on their environment, despite investments in policy, process, training, tools and solutions.

“in the wake of Harvey, the need for broad security measures that provide education, segmentation, monitoring, responsiveness and redundancies has never been greater.”

Lack of disaster preparedness has a marked potential for sweeping and even life-threatening ramifications. A federal analysis revealed that if only nine of the country’s 55,000 electrical substations were to go down—whether for mechanical reasons or malicious intent—the nation could experience a coast-to-coast blackout. As the risk of criminally motivated attacks on critical infrastructure rises in the wake of Harvey, the need for broad security measures that provide the proper education, segmentation, monitoring, responsiveness and redundancies has never been greater.

When physical assets have been compromised, cybersecurity staff are stressed and business continuity is a priority—its times like these that make cyber assets easy prey for an attacker.  This is a crucial time for companies to protect their cyber assets by fortifying their critical infrastructure. However, in an ideal world, companies will have already deployed some best practices controls around their cybersecurity posture, including conducting third-party assessments, risk assessments, and creating incident response plans (discussed in greater detail below) before disaster strikes, making the reactive posture less daunting.

Effective management of information risk is never more critical than after an incident—and then, there’s an immediate need for it to be translated and assessed in actionable terms. Corporate overseers must understand how security gaps and vulnerabilities can devastate a company’s reputation, their bottom line and general ability to do business.

The best time to prepare for a disaster is not after a disaster strikes, but before. Below are some best practices to better prepare organizations to manage risk, both pre- and post-incident.

• Test Your Disaster Recovery Plans. Exercises are critical to ensure your plan actually meets real-world scenarios, and continues to do so as threats evolve and technology changes. But exercises are hard to coordinate, can be very time-consuming, and could be quite costly depending on the testing methodology chosen.  Thus, most enterprises settle on table-top walkthroughs.
• Conduct a Risk Analysis. It is critical to conduct a third-party assessment of your security incident management program to ensure it will mitigate the risks appropriately, follow best practices and adequately anticipate threats. Planning for the likely loss of many physical and logical access controls during a natural disaster will increase the real-world effectiveness of the response plan. As the financial and reputational costs mount from a disaster recovery, organizations need speed and efficiency in risk management. Regardless of the security investment, attackers have the advanced skills, motivation, and time to get in. Threat vectors in the wake of physical disaster create the perfect storm for an attack.
• Have a Cyber Incident Response Plan, Prepare for Cyber Attacks. Key parts of the business (executive management, IT staff, human resources, legal, etc.) must know when to get involved, and what to do during a cyber security incident. Appropriate staff members need to assume the roles of incident manager and incident responder.

Managing affected systems properly, preserving as much digital evidence as possible. This doesn’t happen automatically, and especially not in the throes of a crisis; it must be planned ahead of time.