The Elephant in the Security Room: Climate Change
What does climate change have to do with cybersecurity? According to Chloé Messdaghi, CEO of Global Secure Partners, more than you may think. In April, KirkpatrickPrice had several members attend the 2023 RSA conference to stay up to date on some of the hottest topics in cybersecurity, and we learned that changing climate conditions could have a major effect on the security of organizations around the world.
The Problem
When you turn on the news, you’re almost guaranteed to hear about one of two things, if not both: a recent natural disaster or the latest major data breach. Both are cause for concern. Scientists project that in 50 years, 1/3 of our species could be gone, sea levels could rise by 9 meters, and natural catastrophes will become more and more common if things continue to progress at their current rate. Natural disasters are getting more serious, and so are data breaches. The threat landscape is constantly growing, and organizations are preparing for when they have to deal with a security event, not if.
As if we didn’t have enough to think about with these two trends on their own, Messdaghi suggested in her presentation, “The Elephant in the Security Room: Climate Change,” that the most dangerous form of these trends is when they are linked.
Extreme weather events impact data centers and disrupt supply chains, which invites added security risk. Bigger data centers produce more risk, especially when something goes wrong. We’ve seen this occur in several recent events:
- In 2012, when Hurricane Sandy hit, data centers in New York City were knocked out and forced to use generator power. However, because the power was out for such a long period of time and generator power was limited, data center companies had to advise their customers to move their workloads elsewhere.
- In 2018, a tsunami damaged undersea network cables, creating vulnerabilities for all kinds of sensitive information.
On top of an increase in extreme weather events creating new security risk, new technology meant to combat some effects of climate change is also expanding the attack landscape.
For example, in an attempt to have less of an environmental impact, new technologies like electric cars are becoming more popular. Green technology is often on interconnected networks and systems, like the charging stations for electric cars. The greatest risk here is a compromised charging grid that could cripple infrastructure as more and more people move to electric vehicles. Think of it like all the gas stations running out of fuel and the mayhem that would cause.
In addition to vulnerabilities caused by natural disasters, there’s also been an increase in threat actors targeting essential services, such as the cyber attack on the water treatment plant in Ukraine in 2016 and the more recent Colonial Pipeline ransomware attack in 2021.
The Solution
What can you do to keep your organization secure when facing unpredictable circumstances like climate change? Even if you can’t predict the next natural disaster that could put your data at risk, there are a few steps you can take to make sure you’re prepared for whatever comes your way:
- Conduct a risk assessment.
Risk assessments are a great tool to help protect your organization’s data. By identifying any risk that your organization may face, you’ll be able to remediate any vulnerabilities and protect your and your customers’ data. An extra step you can take in your risk assessment process is having your risk assessment regularly reviewed. A risk assessment review makes sure that your risk assessment covers everything it needs to so your organization can be as secure as possible.
- Develop a BCP and IRP.
Having a business continuity plan (BCP) with a disaster recovery plan (DRP) and an incident response plan (IRP) is essential to the success of your organization. You need to plan for the worst so your business can keep functioning no matter what. Practice and review your BCP and IRP regularly and spend time learning how to create and implement these plans effectively throughout your organization.
If you aren’t sure what to consider when creating your own BCP and IRP, spend some time reviewing standards, requirements, and best practices surrounding these topics.
- Educate your employees.
Threat and vulnerability management can only do so much if your employees aren’t trained and informed. Your employees need to know the risk your organization faces and how they can help keep your valuable information secure. Risk management can’t be a one- or two-person job. You need your employees to help you identify and mitigate issues as soon as they are noticed. Teach your employees how to identify when something isn’t working as it should and ask for their input when creating your BCP and IRP. Security should be a company-wide initiative, so make sure you’re treating it as such.
- Implement strong encryption.
Encryption is the best way to protect data when implemented correctly. Even if a disaster occurs, strong encryption can help keep your data safe.
- Stay up to date on threats.
Threats are constantly changing and evolving, so staying up to date on any new threats or vulnerabilities is essential. For example, green technology’s connection to networks is a newer threat; however, if green technology companies are aware that their customers’ data is at risk, they can implement controls that will add a layer of protection to any sensitive data they possess. Half of the battle in today’s threat landscape is staying informed, so make sure you’re seeking out resources that will help you stay educated.
KirkpatrickPrice wants to help you get ready for anything.
Here at KirkpatrickPrice, we want to help you feel confident that, no matter what happens, your organization can keep going. We know that you value being able to carry out your mission and serve your customers rain or shine. With the uptick in natural disasters and data breaches, staying secure can feel overwhelming. Partner with KirkpatrickPrice to become unstoppable.
Get help with your BCP and IRP, perform a risk assessment review, or just connect with an expert to determine next steps.