Hurricanes and Cybersecurity
So I have been ‘retired’ for about 3 ½ years now but I keep my hand in security by doing security awareness training for Ashton. Since this encompasses some clients who understand the value of training and others who don’t, I am always on the lookout for new training material and situations that can be used as examples to illustrate security issues. Our recent trip to Hawaii and the brush with hurricanes is a perfect example.
This trip was interesting from a security/disaster standpoint because during the three plus weeks we were on the way/there/leaving we had to deal with three hurricanes.
Hector was heading for the islands about two days before our trip west. We had no idea what impact it would have on our trip- would we even make it to our destination? Fortunately, it had none. In fact, it turned north before getting to Hawai’i and did no damage. Even better, it cleared the air around the island of Hawaii which had been very voggy (fog and gases from the recent volcanic eruption).
Once we got to our destination, we were there only a few days before Hurricane Lane started to bear down on the island. There was a broad range of responses to this threat, much like businesses respond to cyber-threats that are known to be active.
Very few businesses boarded up, even though Lane was at one point a category 5 hurricane. Walmart and one or two smaller businesses put plywood over their windows. In our business, we see some large businesses who have the money (or understand the value) invest in security measures that include awareness training and testing to keep their people as well equipped as possible to deal with cyber-threats.
Other businesses put some tape over the windows in big X patterns. Certainly no protection for the glass and interior, but probably meant to minimize the danger of flying glass. I saw one store where they put some cardboard on the glass doors. Certainly just a gesture because that cardboard wasn’t going to protect anything.
Those stores are like business that say they have security in place when what they mean is they have anti-virus and a firewall in place (oftentimes, just a consumer grade router), and maybe they do regular backups. Some have even told their employees to be careful (usually via a policy that is never read after the initial hiring process). It looks like they are doing something, when in fact they are using 25 year old tactics against today’s criminal element. They have no protection.
The county of Hawaii opened shelters for anyone who might need them and some moved into them right away. Announcements over TV and radio suggested having 14 day supplies of food and water on hand. As tourists, we were at somewhat of a loss as to what to do. Our friends bought some water, Spam (the canned meat, not junk mail) and some other necessities. We didn’t. They actually drove out to see where the shelters were. We didn’t, but my wife did print out directions and a map since cell/intranet might not be available.
Some businesses take all the precautions they can afford and they afford more than some others because they understand that their people are the weakest link. You have to connect to the internet to do business. That means that you will be allowing email in and access to the internet for your employees. That means that the bad guys have a way in. They just have to get past your employees. Just like the hurricane warnings, the security community will issue warnings about things to watch out for. When a major disaster occurs, the warnings go out to watch for scammers trying to exploit the situation. World cup soccer, baseball playoffs, NBA playoffs, and other similar events are all triggers for waves of emails from scammers. Do you ‘broadcast’ those to your staff?
As it turned out we didn’t need to go to a shelter and it seemed like our friends’ efforts were wasted since we only got a light 10 minute rain from Hurricane Lane. However we were in Kona. On the other side of the island, there was between 50 and 60 inches of rain, landslides, and road closures. The folks that prepared over there were glad they did. The internet is like that. You may read of a number of people getting hit by ransomware or data breaches, but it didn’t get to you. It didn’t get to you this time. As bad guys get more creative and automated attacks become the norm, the odds of you getting hurt badly increase.
The third hurricane, by the way (Olivia), threatened our departure but fortunately we were able to depart before it shut down the airport. Olivia dropped a lot of rain on the islands but we didn’t see it.
Take a lesson from those areas that get hurricanes.
- Have a plan in case of disaster.
- Do you have a backup?
- How often do you backup? Have you TESTED your backup so that you know for certain that is good?
- How long will it take to get back to ‘normal’ after an event?
- Have you tested your recovery plan? (You do have a recovery plan don’t you?)
- Broadcast warnings when a surge in attacks can be expected.
- This requires someone to be paying attention so the broadcast can be made.
- Awareness is your best defense
- Make sure your employees are aware of threats.
- Give them the training to identify threats when they come in.
- Test them regularly to make sure they are getting the message
- Don’t assume you are too small a target
- Hurricanes don’t aim for anything particular, They just run over whatever is in their path
- Bad guys don’t care how big or small you are. If you don’t have what they want, they may use what you have (internet, computers, email) to get what they really want.