This said, backup sites can also be knocked out by natural disasters that are more widespread, which is why Turner recommends having backup sites (whether on-premises, in the cloud, or both) in multiple locations. “I highly recommend geodiversity for all plans and that goes beyond just systems: we need redundant people capabilities as well,” he says.
“I have experienced weather events in the southeastern USA that made data centers and satellite teleports go offline, requiring affected companies to transfer services to ‘hot backup’ sites elsewhere,” says Turner. “In one of those cases, an organization’s security operations center (SOC) was closed as a precaution to allow employees time to shelter with their families. Operations transferred to a redundant location outside of the area and there was little to no measurable impact on customers.”
Lockdowns during the COVID-19 pandemic showed the usefulness of granting staff members full capabilities to work remotely from home. But it also illustrated the security risks that flow from reliance on their typically under-protected home computers once they are granted access to company databases.
These same factors apply when natural disasters put corporate offices out of service. To ensure the smoothest, safest transition to at-home working, IT departments need to keep their staff contact databases and remote access cybersecurity procedures up to date.
If possible, they should consider helping employees to keep their home computers more secure on an ongoing basis, to reduce cybersecurity threats emanating from them. They should also decide how to support any key employees should they be cut off from the internet.
In other words, “businesses should think about how they will communicate with their employees, how they will support them if they were personally impacted, and how they can still conduct business without some or all their employees online,” says Turner.
Rehearse, update, and rehearse again
Even the best natural disaster cybersecurity plans won’t be of any use if employees don’t know how to execute them under pressure or if these plans are out-of-date.
Failure to update and rehearse such plans can cause a seemingly well-prepared company to come up short during an actual natural disaster. “They think, ‘yeah, I’ve got my data backed up somewhere’, but they never test their recovery plans,” Tulumba says. “They never really validate that the backups work, and then when crunch time comes and there’s a natural disaster of some sort, things fall apart.”
This is why “all of these capabilities should be tested regularly with controlled experiments and game-day simulations,” says Sheth. “This way, you and your team know what to expect in the event of an actual emergency.”
Some words of wisdom from someone who knows: “The first time trying a response plan is usually the hardest and that’s been the case everywhere I’ve been,” Turner says. “The good news is you know quickly what works and what doesn’t and adjust. In every case, I learned where we hadn’t accounted for impacts to areas of the organization less visible.”
“I’ve also learned it’s important to conduct both ‘open’ and ‘closed’ book testing. Open book will let people learn and practice executing, while a closed book will give you insight into how they might act during the real thing. Human behavior is different for each and you have to understand both.”