Today, many BCDR programs rely on response plans for a handful of most likely potential incidents. They are built and tested on the assumption that, if disruptions occur, they will happen one at a time.
While this may have been a best practice just a few years ago, it is no longer the case.
As we have written in the past, it is becoming increasingly likely that businesses will face simultaneous, compounding incidents, a phenomenon known as polycrisis. With this in mind, we advise our clients to build a flexible infrastructure that will allow them to respond to any event–or combination of events.
This is especially important during hurricane season when many organizations confront cyber-attacks–a challenging, and increasingly common, confluence of events. In fact, according to an article published by IEEE, the threat of cyber attacks increases exponentially during natural disasters.
There are many reasons for this. During disasters, distracted, weakened, and vulnerable businesses and individuals are easy targets for cyber criminals. Victims, volunteers, and donors are more likely to interact with unfamiliar people and organizations, and threat actors exploit this chaos by launching phishing scams disguised as donation drives and community relief efforts–among other attacks.
At the same time, organizations in disaster zones may be forced to prioritize physical recovery over cybersecurity, leaving doors open for attackers to penetrate networks or systems.
Additionally, the vulnerability of critical infrastructure like power grids, communication networks, and transportation systems during times of crisis makes them prime targets for state-sponsored cyberattacks.
Those who forget history….
Today, the cyber-attack/severe-weather one-two punch is increasingly common, partly because climate-change-charged hurricanes and fires are occurring more frequently. But this phenomenon is not new. When Hurricane Katrina hit the Gulf Coast nearly 20 years ago, cybercriminals launched phishing attacks, fraudulent donation scams, and fake websites that baited people into donating money or providing personal information and threatened corporate networks.
In 2017, during Hurricane Harvey, which caused catastrophic flooding in Houston and surrounding areas, again, multiple cyberattacks emerged, including phishing campaigns, fraudulent donation websites, and fake charities. This activity was so widespread that the FBI issued warnings regarding these scams targeting individuals and businesses involved in the recovery efforts.
Recently, during the severe wildfires in California between 2018 and 2020, phishing attacks and scams pretending to be wildfire relief efforts were widespread. Cybercriminals impersonated federal and local government agencies and relief organizations. Hackers also attacked utilities already weakened by the disaster, creating more chaos in local communities dealing with fires.
The government response
Given these trends and the bleak outlook for both cybercrime and climate events, the federal government has undertaken several initiatives in this area. In recent years, FEMA has awarded $165 million in grant funding to bolster state and local cyber preparedness and trained more than 87,000 federal, state, local, tribal, and territorial officials on cybersecurity. The Department of Energy also just announced $23 million to secure energy systems against climate, cyber, and physical threats.
But government action alone is not enough. Businesses must ensure that they have the infrastructure, plans, and operational capacity to manage polycrisis events. Although an extreme case, the 2011 Tohoku Earthquake and Tsunami in Japan should be a lesson to corporate risk and security leaders everywhere. While local leaders, residents, and businesses were dealing with the earthquake, tsunami, and Fukushima nuclear disaster, cyber criminals launched phishing campaigns and malware attacks designed to steal money and personal information and infect systems.
Preparing for the worst-case scenario
Beyond the business impact analysis (BIA), risk assessment, and response plan, there are several steps an organization can take to prepare itself for a simultaneous disaster and cyber attack.
Build awareness. Employees across the enterprise must continuously be reminded that cyber threats are everywhere and are most likely when other potential incidents occur. During the most challenging times, they must be the most vigilant of phishing, malware, and scams.
Think beyond single-scenario planning. Too many organizations view business continuity planning as a compliance exercise: “If we have a cyber breach plan on the shelf, we’re covered.” This is hazardous thinking. BCDR programs must be flexible, organization-wide, and designed to be useful and adaptable when an unexpected event or combination of events occurs.
Communication and coordination are essential. Effective early warning systems, alerts, and ongoing incident management communications are indispensable in a polycrisis scenario. Thankfully, there are highly effective technologies and tools on the market for this.
Understand the link between cyber and physical security. The most resilient organizations view cyber and physical security as inextricably linked. Information technology and operational technology have converged and are deeply dependent upon each other to remain secure. Cyber attacks can threaten physical infrastructure, and damage to an organization’s physical plant can impact its technology stack.
The Cybersecurity and Infrastructure Security Agency (whose name says it all) puts it this way: “As rapidly evolving technology increasingly links physical and cyber assets…the benefits of converged security functions outweigh the challenges of organizational change efforts and enable a flexible, sustainable strategy anchored by shared security practices and goals.”
It comes down to this: At any moment, risk and security professionals may need to defend their companies concurrently from climate risk events and cyber criminals. In this operating environment, organizations need to rethink resilience and prioritize agility, flexibility, communications, and coordination over rigid and static plans.