When hurricane season rolls around, many people and companies enact hurricane preparedness plans, making sure they have things like water, medical supplies, battery-powered radios, sandbags, and business continuity plans to address any physical damage or business disruption caused by potential storms.
Natural disasters like hurricanes don’t just cause physical damage, however; there can be cybersecurity impacts as well.
During and immediately after natural events, attention may shift away from cybersecurity to physical security. While physical security is certainly important, that distraction can allow hackers and bad actors to take advantage. What’s more, many of our physical security systems have cyber components. It’s crucial that you include cybersecurity concerns in your overall disaster and business continuity plans. Here are just a few things to consider:
As you may know (and we’ve previously written about), email is the primary way bad actors make their way into networks. The social engineering tactics they use to get people to click bad links or download bad attachments are even easier in the wake of a physical disaster. Often, they’ll impersonate charities raising money for victims or disaster relief agencies giving instructions, but any links or attachments will really download malware to the victim’s computer. As you train your team to recognize phishing, be sure to remind them that they’ll see more phishing attempts after disasters and to stay vigilant. Always go directly to the website of a charity or agency (by typing in a URL you know to be legitimate) rather than clicking a link in an email.
A similar scam involves hackers standing up fake websites that purport to have data or updates about the event or disaster. They share the links to these websites via social media (and sometimes through email), preying on people who are desperate for information. This has notably been a problem during the coronavirus pandemic. To avoid this, stick to visiting websites of government agencies and reliable news media directly, and hover your mouse over links to view URLs before clicking to ensure the link is taking you where you expect to go. If a website prompts you to download an app or plug-in, run away.
Any contingency or business continuity plan you develop is going to depend on having backups of your data or systems. (You are creating backups, right?) However, it’s not enough to create backups and put them on a shelf and wait until you need them. You need to maintain your backups, and in particular, you need to maintain the security of your backups. For example, if a component of your live system has been patched or upgraded, ensure your backup of that system gets the same patch or upgrade. Hackers already expect it to be easy to carry out an attack in the wake of a disaster; don’t make it any easier by deploying backup systems riddled with security holes!
If your organization is the victim of a natural disaster, things can and will be chaotic. You want to get back to normal operations as fast as possible to keep your customers happy and maintain business continuity. Some organizations make restoring normal operations an all-hands chore, and pull cybersecurity people into rebuilding IT systems for business operations, rather than having them focus on security.
Unfortunately, hackers like to take advantage of chaos. They know that you’ll be distracted after a natural disaster, and that it may be easy for things to slip through the cracks. Sometimes, particularly in the case of cities and infrastructure, bad actors even use the mayhem after a disaster as a sandbox, testing attacks they intend to use at a future time.
While redirecting staff may be inevitable in such a situation, build your business continuity plan with cybersecurity in mind. Ensure that you’re empowering at least part of your cybersecurity team to focus on security and reinstating security protocols. Think twice before relaxing controls in the interest of speeding up business operations; turning off security controls may make recovery from the natural disaster easier, but it could also invite a cyberattack.