- No organization is immune from cybersecurity threats or weather-related crises, but proactive planning could help avoid costly disruptions.
- Identify the data, assets, and infrastructure at your company that could be at risk.
- The importance of organizational resilience can be forgotten between big crises. Protect employees, property, and operations with proactive training.
- Business continuity, disaster recovery, and incident response plans are critical in remaining vigilant against threats, so be sure to regularly review yours.
- When a crisis emerges, revisit the plans you created—and practiced—to respond strategically.
- Once you’ve created and exercised your plan, consider an outside audit.
If the technology at your organization should fail—whether as the result of a natural disaster, cyberattack, or fraudulent activity—do you have a plan to help you recover quickly and sustain business operations?
Nearly every business today depends on technology in some form. Any disruption could potentially have devastating consequences for operations and data recovery. A 2022 survey found the average hourly cost of server downtime exceeds $300,000 for 91% of surveyed enterprises†. The increased sophistication of cyberattacks and the growing frequency of severe weather events are highlighting a need for businesses to better prepare for the unknown.
“Understanding your organization’s cybersecurity, IT, and physical security needs and response capabilities allows your organization to transition from risk and crisis management to resilience,” says Amber Buening, Cybersecurity Outreach Director at Huntington.
Business continuity, disaster recovery, and incident response plans are designed to prepare businesses for events that could disrupt operations. These plans are key elements of your organization’s resiliency strategy. Developing, maintaining, and exercising these plans for your organization can help your business recover and maintain operations when these situations arise.
Understanding the top cybersecurity and weather-related threats to your business
Examples of cybersecurity threats that can compromise your data and systems include ransomware attacks, business email compromise (BEC), and malware. Threat actors can manipulate employees into infecting your business’ network or even providing physical access to secure systems. Successful cyberattacks could entirely shut down your operations. A strong business continuity plan sets priorities in these situations, outlining which data to keep, which systems to focus on first, and which areas need the most protection.
Extreme weather events, defined as a trend of severe weather events in frequency and intensity, remain a significant threat to businesses. Examples include wildfires, flooding, extreme temperatures, and storms, which can cause property damage and prolonged outages or disruptions. According to the Cybersecurity & Infrastructure Security Agency (CISA), severe storms alone have caused more than $383 billion in total damages since 1980‡. Protecting your employees, understanding what to do if employees cannot go into an office or plant, and knowing how to handle infrastructure damage are all part of a business continuity plan.
No organization is completely immune from cybersecurity breaches or weather-related crises. Make sure you’re preparing for any possibility to help avoid costly and time-consuming disruptions.
Preparing for a technology failure after a disaster or cybersecurity attack
Companies should take a risk management approach in preparing for a technology and facility failure. An organization’s resiliency strategy should address cybersecurity and business continuity needs, incident response plans, and disaster recovery procedures. The National Institute of Standards and Technology (NIST) developed a framework for protecting critical infrastructure against weather-related threats and cybersecurity risks, which includes the following pillars§:
Consider the data, infrastructure, and assets at your company that could be at risk.
- What sensitive data do you have, and what data do you need to protect?
- If you outsource any aspect of your business, who do you share data with, and how is that protected?
- What data have you collected from employees that you’re obligated to protect, such as healthcare information and bank account information for direct deposit of paychecks?
- What physical assets, such as manufacturing plants or office buildings, could be impacted in the event of a tornado, hurricane, or other natural disaster?
- What is the most critical infrastructure at your organization? What would you do if it was severely damaged? (Consider secure computer rooms, hardware, service connectivity, or data.) Take an inventory of the systems your organization relies upon. Knowing the computers, devices, and software you have is necessary for insurance purposes in the case of disaster. You can also use this information to build contingency plans for shifting work to another area when needed.
“Employee education is one of the simplest ways to build a culture that prioritizes cybersecurity and physical safety,” says Buening.
Your security awareness program should go beyond fraud and cybersecurity to include emergency preparedness. These plans should also be exercised and continuously improved. Practicing data recovery exercises, fire drills, and simulated phishing attempts can all help keep employees prepared for the unexpected.
Be proactive with regular training, informational webinars, and education resources so every employee knows what to do in the event of an emergency or when encountering suspicious behavior. One example is participating in national awareness campaigns, such as Cybersecurity Awareness Month in October.
Protecting against vulnerabilities is also important. Be sure to update operating systems and applications with the most recent versions and patch when new versions become available.
An incident response plan is critical in remaining vigilant. This plan defines what an organization should do in the event of a data breach or other form of security incident. Periodically review these plans and make sure the right people within your organization know the answers to questions such as:
- What happens if malware gets on computers?
- What if there is a ransomware demand?
- What if there is a situation where remote or in-person operations are interrupted?
- What do you do if a known weather event is approaching?
- How will you communicate about outages to employees, customers, vendors, and manufacturers?
Set up systems to detect an intrusion into your system and integrate checks and balances into all processes. Also, ensure antivirus, endpoint encryption, and data loss prevention software are up to date.
Conducting a risk assessment of offices, warehouses, manufacturing plants, and other physical locations can help identify potential emergency situations your employees might face.
When a crisis emerges, revisit the plans you created—and practiced—to respond strategically.