Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face.

While we can’t equate the potential impact of a cyberattack to that of a hurricane, there is much that security leaders and teams can learn from existing physical disaster preparedness and recovery plans and can apply in a cyber crisis.

So how can organizations use the fundamentals taught by natural disasters to respond to a paralyzing ransomware attack?

Early in my career, I had an opportunity to work on the security team at the Florida Department of Health responding to cybersecurity incidents, as well as served as a member of the Emergency State Function (ESF) 8 (Health and Medical) team through Florida’s Department of Emergency Management. As you can imagine, Florida is quite experienced in dealing with highly disruptive natural crises.

Managing Chaos with Command Structures

Working with the State of Florida, I was required to take multiple courses in FEMA’s National Incident Management System (NIMS) principles, structures, and processes. These courses taught responders the basics of NIMS including the concept of Incident Command Systems (ICS), and the National Response Framework (NRF) to ensure everyone understood how their role and responsibilities supported the overall effort.

The concept of an ICS is an approach to command, control, and coordinate incident management by providing a common hierarchy within various disciplines. The five major functional areas according to FEMA’s NIMS Doctrine include Command, Operations, Planning, Logistics, and Finance/Administration. A single incident commander is assigned the responsibility of overall incident management.

A similar hierarchy can be applied to an organization responding to a crisis-level cyber event (i.e., ransomware), which is defined as a cyberattack that escalates beyond traditional incident response and threatens the entirety of an organization. Each functional business unit (communications, legal, risk and compliance, etc.) must work in unison to effectively respond. An incident commander must be assigned (traditionally the CISO) who manages the overall response effort. By applying this battle-tested methodology, companies can use the existing wisdom gained from very complex disruptive events to plan for potential disruption for the many ways cyberattacks can very suddenly impact their operations.

Be Prepared

One of the aspects I got to work on, and which was meaningful to me, was to ensure the Department of Health was prepared for a hurricane by ensuring business continuity processes and tooling was available and properly displaced throughout the state. Each year, we would refresh our “hurricane” laptops to ensure each one was up-to-date, secure, and ready at a moment’s notice to be deployed into the field. We would ensure that all regional sites within the state had the required equipment available to support all county health departments, children’s medical services, and rapid response strike teams throughout the State of Florida.

Likewise, today’s organizations must also be prepared for cyberattacks using their business continuity processes and tooling. Having proper system backups is essential when dealing with a cyberattack. These backups must be maintained and tested regularly to ensure their ability to restore operations. Organizations should also test any alternative communication mediums if the primary network is compromised or unavailable. IBM Security X-Force Incident Response recommends organizations establish secondary communications using the P.A.C.E. model (Primary, Alternative, Contingency, and Emergency). The same can easily apply to having extra staff on call, and any other aspect of the business that requires a fallback.

Where Do I Start? Have a Plan

Step one in preparing for a natural disaster is to have a plan, this is where business continuity and disaster recovery plans come in handy. These plans help businesses prepare for the worst and help develop processes and procedures to effectively respond to any event including natural, man-made, and cyber crises. During cyber events, it is also important to have plans. Organizations should have incident response plans for technical response and cyber crisis management plans for a whole-of-business response along with accompanying playbooks. These plans can help organizations like yours respond and minimize its impact.

Test Your Plans

Hurricane season may only last 6 months out of a year, but preparation goes on year-round. As a member of the ESF-8, we were constantly participating in training exercises both statewide, as well as agency specific, to test our equipment, processes, and procedures.

Similarly, organizations should be constantly preparing for when that cyber crisis event will happen. Reviewing and testing all plans (incident response, cyber crisis management, business continuity and disaster recovery) and playbooks, both technical (ransomware, data exfiltration, etc.) and functional (crisis communications, legal, etc.) at least annually is recommended.

Effective Communication

Communication is key when dealing with a hurricane. Emergency management teams have dedicated functional sections that focus on communications. They monitor social media, coordinate public statements, and provide various approved communications to ensure all affected parties have the information needed. Sometimes, they even set up call centers to provide victims an opportunity to answer potential life-threatening questions.

In a successful ransomware attack, the make-or-break moment for an organization is its ability to communicate. Waiting too long to address customers, impacted individuals, and the public can destroy an organization’s reputation and customer loyalty. Getting ahead of the story, helps an organization get a chance to explain what is happening and what they are doing about it to help their customers as much as they can.

To cut down on the time it takes them to break the news before the attacker does, organizations should have a crisis communications plan, which includes a defined communication process, dedicated roles and responsibilities, and pre-approved response templates that can be quickly modified (and approved) to be released.

Organizations that train incident responders instill generalized concepts and frameworks to help effectively respond to natural disasters and other crises. These same concepts and frameworks can also be used to help organizations think about crisis response in a structured manner. But whether you are getting ready to deal with a cyber crisis or a hurricane, don’t wait until it’s too late to prepare.

To learn more about IBM’s Incident Response team and services, check out www.ibm.com/security/incident-response

More from Incident Response

How to Start a Career in Cyber Incident Response

Cyber incident response is one of cybersecurity's most interesting and rewarding careers. It’s an in-demand role, and it pays well. But how do you get started? First, let’s start with the basics. What is Cyber Incident Response? Cyber incident response is the preparation for and practice of identifying, containing and ending cyber attacks. A computer security incident response team (CSIRT) within an organization — ideally including the chief information security officer, security operations center staff, executives and representatives from the…

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

A Day in the Life: Working in Cyber Incident Response

As a cybersecurity incident responder, your life can go from zero to 100 in a heartbeat. One moment you are sipping a beverage reading the latest threat intelligence or getting the kids ready for bed; the next, you may be lunging for your "go bag" because you cannot remote in to the breached system. It's all part of the game. Seasoned incident responders can handle this jab: "Why would you want a job like this? Are you crazy?" The truth…