When Physical Disaster Strikes: Planning to Protect Cyber Assets

Physical disaster and cyber risk are often bedfellows after a disaster strikes, as cyber attackers are likely to make their move when a company’s IT staff and resources are consumed in post-incident recovery.

Within the world of risk, there are two facts we inevitably find to be true: one of the greatest risks to a company’s reputation is a cyber breach, and one of the greatest risks to a company’s operations is a physical disaster. Unfortunately, the two incidents are often bedfellows after a disaster strikes, as cyber attackers are likely to make their move when a company’s IT staff and resources are consumed in post-incident recovery.

Without question, both of these considerations pale in comparison to the importance of saving lives. Prioritizing life and safety issues in a disaster scenario is paramount; it is also important to consider that saving lives can often be dependent on IT services themselves.

To compound what is already a national tragedy, this is a real-world scenario for many companies in Texas and Louisiana who have seen so many of their physical assets destroyed and are doing all they can to keep their systems online and their networks operable. In this state of reactive recovery, they are also more vulnerable to attack.

How do companies assess and mitigate risk before and after disaster strikes, and what are the issues companies typically face? In our experience, few companies are adequately prepared for a skilled cyber attack on their environment, despite investments in policy, process, training, tools and solutions.


Lack of disaster preparedness has a marked potential for sweeping and even life-threatening ramifications. A federal analysis revealed that if only nine of the country’s 55,000 electrical substations were to go down—whether for mechanical reasons or malicious intent—the nation could experience a coast-to-coast blackout. As the risk of criminally motivated attacks on critical infrastructure rises in the wake of Harvey, the need for broad security measures that provide the proper education, segmentation, monitoring, responsiveness and redundancies has never been greater.

When physical assets have been compromised, cybersecurity staff are stressed and business continuity is the priority. It’s times like these that make cyber assets easy prey for an attacker, and a crucial time for companies to protect those assets by fortifying their critical infrastructure. In an ideal world, however, companies will have already deployed best-practice controls around their cybersecurity posture before disaster strikes, including conducting third-party assessments and risk assessments and creating incident response plans (discussed in greater detail below), making the reactive posture less daunting.

Effective management of information risk is never more critical than after an incident, when there is an immediate need for it to be translated and assessed in actionable terms. Corporate overseers must understand how security gaps and vulnerabilities can devastate a company’s reputation, its bottom line and its general ability to do business.

The best time to prepare for a disaster is not after a disaster strikes, but before. Below are some best practices to better prepare organizations to manage risk, both pre- and post-incident.

  • Test Your Disaster Recovery Plans. Exercises are critical to ensure your plan actually meets real-world scenarios, and continues to do so as threats evolve and technology changes. But exercises are hard to coordinate, can be very time-consuming, and could be quite costly depending on the testing methodology chosen. Thus, most enterprises settle on table-top walkthroughs.
  • Conduct a Risk Analysis. It is critical to conduct a third-party assessment of your security incident management program to ensure it will mitigate the risks appropriately, follow best practices and adequately anticipate threats. Planning for the likely loss of many physical and logical access controls during a natural disaster will increase the real-world effectiveness of the response plan. As the financial and reputational costs mount from a disaster recovery, organizations need speed and efficiency in risk management. Regardless of the security investment, attackers have the advanced skills, motivation, and time to get in. Threat vectors in the wake of physical disaster create the perfect storm for an attack.
  • Have a Cyber Incident Response Plan, Prepare for Cyber Attacks. Key parts of the business (executive management, IT staff, human resources, legal, etc.) must know when to get involved, and what to do during a cyber security incident. Appropriate staff members need to assume the roles of incident manager and incident responder.

Manage affected systems properly, preserving as much digital evidence as possible. This doesn’t happen automatically, and especially not in the throes of a crisis; it must be planned ahead of time.

