Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

How Hurricanes Stress the Security Lessons of Vulnerability and Risk

Even when all hell breaks loose in the world of information security, it has never rivaled the fallout of a natural disaster. This is a perspective worth considering, after two major hurricanes, Harvey and Irma, left paths of destruction over a three-week span, striking at our hearts and permeating the public consciousness like the most egregious data breach never has come close to doing.

But given that this is a blog for information security professionals like yourself, let's try to draw a connection between the two types of events - at least in terms of how they could be prepared for - which may help provide some context to the digital tempests you regularly take on.

Hurricane Harvey laid waste to parts of coastal Texas and devastated the Houston area with historic flooding, while Irma ravaged the Florida Keys and several Caribbean islands with punishing winds and storm surge. When studying the impacts of these hurricanes, it is common to ask if they could have been worse, whether we have learned anything from prior events that may have minimized the repercussions this time around.

In the case of Harvey, it seems clear now that Houston was not prepared to confront a storm of this magnitude. On the other hand, an aerial tour of the Florida peninsula following Irma revealed that stricter building codes - and greater investment in stronger structures - helped keep damage down, according to U.S. lawmakers and Coast Guard officials.

As Time wrote following Harvey: "Research has shown that spending more (upfront) saves money in the long run." It cited a Pew report, which found that underinvestment in natural disaster risk mitigation has become a chronic problem, despite every dollar that is invested in risk reduction saving $4 in "relief and rebuilding costs" down the road.

How many times have we heard similar proclamations made relative to cybersecurity? That the average cost of a data breach - $3.62 million, according to a recent estimate - is something no organization wants to deal with. As such, sufficiently modeling risk and building security in, versus bolting it on after a breach (when you're already dealing with hard costs like direct revenue losses and soft costs like reputational harm) is a far more affordable preference.

But one can preach the importance of secure coding, testing for vulnerabilities, applying patches in a timely manner, security awareness education, endpoint detection, threat hunting, etc. until we're blue in the face. These are all sound best practices to implement before it becomes necessary to dispatch a breach response.

At the end of the day, though, cybersecurity will remain an exercise in risk. But just like some cities may be underestimating their likelihood to absorb a natural disaster, businesses may not be properly weighing the dexterity and elusiveness of today's cybercriminals - and how much mayhem they can inflict when something is missed.

Part of the problem is that organizations tend to miscalculate how they should prioritize their cyber defense, and even when they know where they should position their focus, they face a shortage of internal talent and resources to make any use of that knowledge. This white paper on evaluating your IT risk assessment process can help move you forward and point you in the direction to which you need to get.

Remember, a 500-year flood may never be far off. When in doubt, hope for the best, but prepare for the worst.

Dan Kaplan is manager of online content at Trustwave.

Latest Trustwave Blogs

Mining Operations: Critical Cybersecurity Threats & Trends Revealed

Cybersecurity professionals often point out that threat actors do not differentiate when choosing a victim. To an attacker, a hospital is as useful a target as a law firm or even a mining operation....

Read More

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More