Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face.

While we can’t equate the potential impact of a cyberattack to that of a hurricane, there is much that security leaders and teams can learn from existing physical disaster preparedness and recovery plans and can apply in a cyber crisis.

So how can organizations use the fundamentals taught by natural disasters to respond to a paralyzing ransomware attack?

Early in my career, I had an opportunity to work on the security team at the Florida Department of Health responding to cybersecurity incidents, and to serve as a member of the Emergency State Function (ESF) 8 (Health and Medical) team through Florida’s Department of Emergency Management. As you can imagine, Florida is quite experienced in dealing with highly disruptive natural crises.

Managing Chaos with Command Structures

Working with the State of Florida, I was required to take multiple courses in FEMA’s National Incident Management System (NIMS) principles, structures, and processes. These courses taught responders the basics of NIMS including the concept of Incident Command Systems (ICS), and the National Response Framework (NRF) to ensure everyone understood how their role and responsibilities supported the overall effort.

The concept of an ICS is an approach to command, control, and coordinate incident management by providing a common hierarchy within various disciplines. The five major functional areas according to FEMA’s NIMS Doctrine include Command, Operations, Planning, Logistics, and Finance/Administration. A single incident commander is assigned the responsibility of overall incident management.

A similar hierarchy can be applied to an organization responding to a crisis-level cyber event (i.e., ransomware), which is defined as a cyberattack that escalates beyond traditional incident response and threatens the entirety of an organization. Each functional business unit (communications, legal, risk and compliance, etc.) must work in unison to respond effectively. An incident commander (traditionally the CISO) must be assigned to manage the overall response effort. By applying this battle-tested methodology, companies can use the existing wisdom gained from very complex disruptive events to plan for the many ways cyberattacks can suddenly disrupt their operations.

Be Prepared

One of the aspects I got to work on, and which was meaningful to me, was to ensure the Department of Health was prepared for a hurricane by ensuring business continuity processes and tooling were available and properly displaced throughout the state. Each year, we would refresh our “hurricane” laptops to ensure each one was up-to-date, secure, and ready at a moment’s notice to be deployed into the field. We would ensure that all regional sites within the state had the required equipment available to support all county health departments, children’s medical services, and rapid response strike teams throughout the State of Florida.

Likewise, today’s organizations must also be prepared for cyberattacks using their business continuity processes and tooling. Having proper system backups is essential when dealing with a cyberattack. These backups must be maintained and tested regularly to ensure their ability to restore operations. Organizations should also test alternative communication mediums for use when the primary network is compromised or unavailable. IBM Security X-Force Incident Response recommends organizations establish secondary communications using the P.A.C.E. model (Primary, Alternative, Contingency, and Emergency). The same can easily apply to having extra staff on call, and any other aspect of the business that requires a fallback.

Where Do I Start? Have a Plan

Step one in preparing for a natural disaster is to have a plan. This is where business continuity and disaster recovery plans come in handy. These plans help businesses prepare for the worst and develop processes and procedures to respond effectively to any event, including natural, man-made, and cyber crises. During cyber events, it is also important to have plans. Organizations should have incident response plans for technical response and cyber crisis management plans for a whole-of-business response, along with accompanying playbooks. These plans can help organizations like yours respond to a cyber event and minimize its impact.

Test Your Plans

Hurricane season may only last 6 months out of a year, but preparation goes on year-round. As members of ESF-8, we were constantly participating in training exercises, both statewide and agency-specific, to test our equipment, processes, and procedures.

Similarly, organizations should be constantly preparing for when that cyber crisis event will happen. Reviewing and testing all plans (incident response, cyber crisis management, business continuity and disaster recovery) and playbooks, both technical (ransomware, data exfiltration, etc.) and functional (crisis communications, legal, etc.) at least annually is recommended.

Effective Communication

Communication is key when dealing with a hurricane. Emergency management teams have dedicated functional sections that focus on communications. They monitor social media, coordinate public statements, and provide various approved communications to ensure all affected parties have the information needed. Sometimes, they even set up call centers to give victims an opportunity to get answers to potentially life-threatening questions.

In a successful ransomware attack, the make-or-break moment for an organization is its ability to communicate. Waiting too long to address customers, impacted individuals, and the public can destroy an organization’s reputation and customer loyalty. Getting ahead of the story gives an organization a chance to explain what is happening and what it is doing about it to help its customers as much as it can.

To cut down on the time it takes to break the news, and to do so before the attacker does, organizations should have a crisis communications plan, which includes a defined communication process, dedicated roles and responsibilities, and pre-approved response templates that can be quickly modified (and approved) for release.

Organizations that train incident responders instill generalized concepts and frameworks to help effectively respond to natural disasters and other crises. These same concepts and frameworks can also be used to help organizations think about crisis response in a structured manner. But whether you are getting ready to deal with a cyber crisis or a hurricane, don’t wait until it’s too late to prepare.

To learn more about IBM’s Incident Response team and services, check out www.ibm.com/security/incident-response
