How to maintain a solid cybersecurity posture during a natural disaster

It’s common knowledge that natural disasters increasingly threaten more of the world, including places that were once thought of as safe from the ravages of nature. According to the US National Oceanic and Atmospheric Administration, there were 25 billion-dollar-plus climate-related disasters in the US alone in the first 10 months of 2023, a record for the first 10 months of any year.

While that’s concerning for everyone, the specter of catastrophic events is not typically a big concern for cybersecurity personnel — after all, there’s enough to worry about with recent spikes in ransomware, nation-state attacks, and increasingly complex compliance and reporting rules.

But natural disasters can and will threaten security. Earthquakes, hurricanes, floods, and wildfires can damage or destroy facilities such as data and security operations centers and cut power lines. Along with heatwaves and unexpected inundations of rain, snow, or ice, they can also displace workers and sever the critical links between a problem and the people who have the skills and tools to fix it.

All of these scenarios are a threat to security. Not only do they create havoc for physical operations and access management, but they also offer opportunities for bad actors to exploit the chaos.

For CSOs and CISOs, this trend raises a very serious question: how do I keep my data and operations cybersecure yet accessible during and after a natural disaster? Here are some useful answers to this question from IT professionals whose business is data security.

Prepare emergency cybersecurity plans before disaster hits

The best way to ensure data cybersecurity during and after natural disasters is to plan and prepare for them beforehand. “When it comes to disaster planning, CSOs/CISOs need to think proactively and ensure they have a comprehensive backup strategy that prioritizes compliance and security,” says Raj Sheth, vice president and general manager of Amazon Elastic Block Storage and AWS Data Protection.

Most disaster recovery plans will include maintaining geographic redundancy — spreading operations over more than one physical site — but incorporating advanced data resiliency technologies can provide more protection and data recovery options, Sheth says. “Backups can be that last line of defense when there is a need to recover application data. The best data backup plans will minimize downtime and data loss with fast, reliable application recovery, through affordable storage, minimal compute, and point-in-time recovery.”

When it comes to how IT departments actually prepare for natural disasters, “I have seen the full gamut of plans ranging from a one-page document to a multi-part documented and practiced plan that includes phases of the disaster,” says Justin Turner, principal general manager with Microsoft Defender Experts. “In my experience, the best plans start with the most likely scenarios and build out the most extreme.”

Even a one-page plan is better than no plan at all. “The one commonality that I see is that a lot of organizations aren’t prepared to begin with: it’s kind of an afterthought,” says Christos Tulumba, CISO of Veritas Technologies. “It is one of those things where if you’re not prepared in advance and you’re not following the proper best practices, you’re going to get caught and it’s going to be an issue.”

Simply planning to protect data during natural disasters is not enough. You also need to decide how that data is secured from unauthorized access, and who will manage that access once normal operations have been disrupted, says IBM CTO for Cloud Security Nataraj Nagaratnam.

“The ability to protect data effectively is a key part of data safety,” he says. “For instance, is it encrypted? If so, who has control of the keys that are used to encrypt the data? These are issues that you need to resolve upfront.”

The best natural disaster cybersecurity plans are collaborative

To ensure a natural disaster data cybersecurity plan works when it is needed, it should be developed through consultations with company end users, vendors, and IT security experts and informed by industry best practices and lessons learned during previous natural disasters.

“There are pillars to building out a proper cybersecurity program,” Tulumba says. “Think beyond backup for a second: there are things like endpoint protection, mail gateways, and other core fundamental pieces. But the one that I see the most often overlooked is data backup and resiliency. A lot of companies assume that, ‘Yeah, we’re doing it and we have our backups’ — even though they don’t know how accurate and resilient those backup copies are.”

Feeling overwhelmed? Then take a deep breath and relax, because you do not have to start from scratch. “There are many great resources out there to guide an organization in creating a plan,” says Turner. “NIST (National Institute of Standards and Technology), ISO 22301: Business Continuity Management System (BCMS), and others offer frameworks and guidelines to consider.”

“My advice is to keep it simple,” Sheth says. “Start with identifying business-critical data that requires backing up. Then, secure access to the protected data and ensure that the backed-up data is immutable. Finally, enable monitoring, auditing, and reporting on your data protection posture.”

Create multiple locations for backup storage and expertise

Off-site cloud-based storage is an excellent option for ensuring data cybersecurity and access in natural disaster situations. If your primary data repository has been knocked out of service but its data has been backed up in an unaffected region, it is relatively easy to restore data services to users without compromising cybersecurity.

This said, backup sites can also be knocked out by natural disasters that are more widespread, which is why Turner recommends having backup sites (whether on-premises, in the cloud, or both) in multiple locations. “I highly recommend geodiversity for all plans and that goes beyond just systems: we need redundant people capabilities as well,” he says.

“I have experienced weather events in the southeastern USA that made data centers and satellite teleports go offline, requiring affected companies to transfer services to ‘hot backup’ sites elsewhere,” says Turner. “In one of those cases, an organization’s security operations center (SOC) was closed as a precaution to allow employees time to shelter with their families. Operations transferred to a redundant location outside of the area and there was little to no measurable impact on customers.”

Keep staff contact info and at-home resources up to date

Lockdowns during the COVID-19 pandemic showed the usefulness of granting staff members full capabilities to work remotely from home. But it also illustrated the security risks that flow from reliance on their typically under-protected home computers once they are granted access to company databases.

These same factors apply when natural disasters put corporate offices out of service. To ensure the smoothest, safest transition to at-home working, IT departments need to keep their staff contact databases and remote access cybersecurity procedures up to date.

If possible, they should consider helping employees to keep their home computers more secure on an ongoing basis, to reduce cybersecurity threats emanating from them. They should also decide how to support any key employees should they be cut off from the internet.

In other words, “businesses should think about how they will communicate with their employees, how they will support them if they were personally impacted, and how they can still conduct business without some or all their employees online,” says Turner.

Rehearse, update, and rehearse again

Even the best natural disaster cybersecurity plans won’t be of any use if employees don’t know how to execute them under pressure or if the plans themselves are out of date.

Failure to update and rehearse such plans can cause a seemingly well-prepared company to come up short during an actual natural disaster. “They think, ‘yeah, I’ve got my data backed up somewhere’, but they never test their recovery plans,” Tulumba says. “They never really validate that the backups work, and then when crunch time comes and there’s a natural disaster of some sort, things fall apart.”

This is why “all of these capabilities should be tested regularly with controlled experiments and game-day simulations,” says Sheth. “This way, you and your team know what to expect in the event of an actual emergency.”
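A restore drill of the kind Sheth and Tulumba describe, written as a stand-alone example for this article rather than code from any of the companies quoted: it fingerprints the source data at backup time, then checks a restored copy for files that are missing or silently corrupted. The files, paths and "damage" are constructed for the drill.

```python
# Backup restore drill: SHA-256 manifest at backup time, verification of the
# restored copy afterwards. Constructed example; not vendor or project code.
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:  # whole-file read is fine for a drill
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map each file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Return (missing, corrupted) paths of the restore versus the manifest."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            corrupted.append(rel)
    return sorted(missing), sorted(corrupted)

def run_drill():
    """Constructed game-day: back up two files, damage the restore, verify."""
    src, restored = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "ledger.csv"), "w") as f:
            f.write("id,amount\n1,10\n")
        with open(os.path.join(src, "keys.txt"), "w") as f:
            f.write("wrapped-key-material\n")
        manifest = build_manifest(src)                       # backup time
        shutil.copytree(src, restored, dirs_exist_ok=True)   # the "restore"
        with open(os.path.join(restored, "db", "ledger.csv"), "w") as f:
            f.write("id,amount\n")                           # truncated
        os.remove(os.path.join(restored, "keys.txt"))        # never restored
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(src)
        shutil.rmtree(restored)
```

A real drill would point build_manifest at the production data set and verify_restore at the recovered volume; a non-empty result from either list is a failed rehearsal, not a surprise to discover during the disaster.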

Some words of wisdom from someone who knows: “The first time trying a response plan is usually the hardest and that’s been the case everywhere I’ve been,” Turner says. “The good news is you know quickly what works and what doesn’t and adjust. In every case, I learned where we hadn’t accounted for impacts to areas of the organization less visible.”

“I’ve also learned it’s important to conduct both ‘open’ and ‘closed’ book testing. Open book will let people learn and practice executing, while a closed book will give you insight into how they might act during the real thing. Human behavior is different for each and you have to understand both.”
