How Hurricanes Stress the Security Lessons of Vulnerability and Risk

Even when all hell breaks loose in the world of information security, it has never rivaled the fallout of a natural disaster. This is a perspective worth considering, after two major hurricanes, Harvey and Irma, left paths of destruction over a three-week span, striking at our hearts and permeating the public consciousness like the most egregious data breach never has come close to doing.

But given that this is a blog for information security professionals like yourself, let's try to draw a connection between the two types of events - at least in terms of how they could be prepared for - which may help provide some context to the digital tempests you regularly take on.

Hurricane Harvey laid waste to parts of coastal Texas and devastated the Houston area with historic flooding, while Irma ravaged the Florida Keys and several Caribbean islands with punishing winds and storm surge. When studying the impacts of these hurricanes, it is common to ask if they could have been worse, whether we have learned anything from prior events that may have minimized the repercussions this time around.

In the case of Harvey, it seems clear now that Houston was not prepared to confront a storm of this magnitude. On the other hand, an aerial tour of the Florida peninsula following Irma revealed that stricter building codes - and greater investment in stronger structures - helped keep damage down, according to U.S. lawmakers and Coast Guard officials.

As Time wrote following Harvey: "Research has shown that spending more (upfront) saves money in the long run." It cited a Pew report, which found that underinvestment in natural disaster risk mitigation has become a chronic problem, despite every dollar that is invested in risk reduction saving $4 in "relief and rebuilding costs" down the road.

How many times have we heard similar proclamations made relative to cybersecurity? That the average cost of a data breach - $3.62 million, according to a recent estimate - is something no organization wants to deal with. As such, sufficiently modeling risk and building security in, versus bolting it on after a breach (when you're already dealing with hard costs like direct revenue losses and soft costs like reputational harm) is a far more affordable preference.

But one can preach the importance of secure coding, testing for vulnerabilities, applying patches in a timely manner, security awareness education, endpoint detection, threat hunting, etc. until we're blue in the face. These are all sound best practices to implement before it becomes necessary to dispatch a breach response.

At the end of the day, though, cybersecurity will remain an exercise in risk. But just like some cities may be underestimating their likelihood to absorb a natural disaster, businesses may not be properly weighing the dexterity and elusiveness of today's cybercriminals - and how much mayhem they can inflict when something is missed.

Part of the problem is that organizations tend to miscalculate how they should prioritize their cyber defense, and even when they know where they should position their focus, they face a shortage of internal talent and resources to make any use of that knowledge. This white paper on evaluating your IT risk assessment process can help move you forward and point you in the direction to which you need to get.

Remember, a 500-year flood may never be far off. When in doubt, hope for the best, but prepare for the worst.

Dan Kaplan is manager of online content at Trustwave.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.