On August 24th, 2017 Hurricane Harvey tore through the Texas Gulf Coast. Its effects were felt as far as 200 miles away in the Austin metropolitan area. Depending on the sources at any given time, it appears to have taken the lives of upwards of 65 Americans.
The Governor of the State of Texas, Greg Abbott, stated that recovery efforts may cost taxpayers upwards of $180 billion. To make matters worse, as of this week, Hurricane Irma is making its way through the eastern Caribbean and is expected to make landfall somewhere in south Florida.
Now, consider the 1,000s of businesses, of all sizes, that will be disrupted by these events. Think about the lost revenue, man-hours, and of course, the recovery costs in order to return to normal business operations. In the worst-case scenario, some of these businesses won’t be able to return. Here lies the basis for why employee training, cyber resilience, and disaster preparedness are all important for small-to-medium businesses (SMBs) cybersecurity strategy.
For those businesses that are able to recover from a natural disaster such as a major hurricane, this is actually a phenomenal opportunity to rethink and strengthen their operational policies, processes, and procedures. According to a 2015 Time-Warner study, only 24% of SMBs had a cybersecurity plan in place. Furthermore, according to a Nationwide Insurance survey, 66% of SMBs do not have a disaster preparedness plan in place either! Hence, if there’s ever a time to put these basic yet critical items in place is definitely during the rebuilding process. Why? Because hackers and less sophisticated scammers will be waiting to take advantage of you and your business during this vulnerable time. Surprisingly, there have even been situations where a data breach has occurred without any criminal activity by outside parties.
Think about it. Everyone on your staff is going to be busy, at work and at home, trying to get things back to a sense of normalcy. It’s simply human nature to allow oneself to lower performance standards. They might start to cut corners to make things “go easier”. They will be emotionally, physically, and mentally fatigued. Thus, their judgment and decision making within the context of corporate policies and procedures may become severely eroded. What about the employees that might have to fill in for those that haven’t yet returned to work, if ever? They may not know what sensitive information that should be carefully shared from the information that should never be shared. What about contractors and vendors that are helping with clean up efforts? All of these variables are critical to keeping your data and other sensitive information secured.
A great example of how these variables can work against an organization occurred in October 2012 when Hurricane Sandy struck the northeastern US seaboard causing a whopping $42 billion in damages to the New York City area. During the aftermath in 2013 facility managers for Brooklyn’s Ida G. Israel Community Health Center allowed clean-up crews to remove computers, records, and files from their hospital. These materials contained sensitive information to include: names, addresses, patient health records, credit card information, and other pieces of data that are strictly governed by HIPAA Privacy laws. To date, none of these materials have been recovered. This tragedy illustrates that no bad actors were needed to result in a significant data breach and major liability incident. It also shows why all key players in an organization must know what their roles and responsibilities are before the inevitable disaster occurs.
Although grim, the silver lining in the process of recovering from a natural disaster is that SMBs can learn from previous mistakes and start anew. The pause in normal business operations can give business leaders the clarity and focus to institute best practices that may have been put off for later. Some businesses just may not have the time and resources to execute these growing security necessities. Hence, we suggest they hire a specialized contractor to build a strong cyber resilience foundation. These experts can take the time to learn your business and develop policies and procedures that govern your day-to-day operations regarding cyber resilience. Business owners and leaders that do this will be empowered to invest in actionable and affordable ways to minimize their overall risk while being more prepared for the inevitable disaster. One fact we like to leave with our customers is that 60% of SMBs that suffer a data breach close down within six months. Now, estimate how high that number might be if those same businesses were hit by a natural disaster and suffered a data breach all at the same time
Photo licensed from iStockphoto.com