Any cyber incident response strategy will include plans for power outages and cyberattacks, but many IR plans may still be missing a key risk factor. With global temperatures already up 1.1°C. during the 20th century and projected to rise another 1.5°C over the next two decades, climate change risk is becoming critically important to cyber incident response and cyber resilience, too.
Already, increasingly large wildfires are threatening physical infrastructure, destroying supercomputers. Extended droughts and higher temperatures make it difficult to provide adequate cooling for data centers. More severe, less predictable hurricanes, flooding, and other weather creates cyber risks and complications for business IT on several fronts.
Businesses may need to rethink where they operate massive data centers, and also how they construct them, says Chris Bronk, an assistant professor of information and logistics technology at the University of Houston. The answers are “not always obvious because there can be overlying factors to consider,” says Bronk. For instance, a cooler region may be more attractive but also more prone to energy grid disruptions. An area with lower energy costs may be more prone to flooding or violent storms.
Further complicating matters, some communities have become increasingly vocal about opposing new datacenters, which themselves consume enormous volumes of water and other resources. Over the last few years, pockets of resistance have emerged in the drought-stricken West and also in places like Oregon and South Carolina.
Not Just a Data Center Problem
Andrea Bonime-Blanc, CEO of GEC Risk Advisory, a New York City-based global consulting firm and Cyber Leadership, Risk & Resilience Professor at NYU’s Center for Global Affairs, points out that climate change and cyber resiliency challenges expand across supply chains. “It becomes a very complex and multi-faceted problem -- especially if a business or its partners have dependencies in a specific region.”
Even IT operations that may seem immune to the effects of climate change could be impacted. For example, manufacturing might be directly affected, but so could e-commerce, logistics, and customer relationship management (CRM) systems that depend on live data.
Plus, the problems extend beyond operational resilience and constructing more flexible IT frameworks. Climate change will also likely lead to higher levels of social and political disruption, and a rise in cyber-attacks and cyber-crime are likely.
As Joe Nocera, leader of PwC’s Cyber & Privacy Innovation Institute, puts it: “Climate change could create more widespread disruptions for companies that are not prepared. As technology evolves, and business operations become more complex, this provides bad actors with more opportunities for deception.”
Addressing climate change and cyber resilience begins, Nocera says, with a basic recognition: Climate change isn’t a future problem -- it’s already here. A Harvard Business Review study found that abnormal weather now disrupts the operations and financial performance of 70% of businesses worldwide.
While addressing cyber resiliency is a complicated task, a well-formulated strategy pays dividends. “A more resilient IT framework delivers benefits that extend beyond the impacts of climate change,” Nocera says. For example, “Many of the things an organization does to be resilient from ransomware attacks could make them more resilient to … natural disasters,” he explains.
Cyber Risk, Resilience and ESG
As a result, Nocera suggests viewing climate change in a broad way that spans all risks. This includes a deeper understanding of where an organization resides within the environmental, social and corporate governance (ESG) spectrum. It also requires an examination of the organization’s physical and virtual footprint, including cloud services and where data resides. This extends to third parties. “It’s critical to know what outside factors could potentially impact the business and the IT framework,” he says.
This process must touch every corner of the organization, including IT. For example, it may be wise to invest in solar panels and battery-powered storage systems for a building or have alternative sources of energy available if rolling brownouts occur or the power grid fails. “You have to find ways to continue operating if and when infrastructure goes down,” Nocera says.
It’s also crucial to build in redundancies -- including for data stored in the cloud. Yet, a backup and recovery strategy is only a starting point for a climate change plan. By keeping key documents in a service such as Dropbox, Office 365 or Box, for example, employees located in offices around the world may be able to access files even if those in a particular office cannot.
Another approach is to possibly revert to non-digital systems as a fail-safe strategy. This might include a phone tree and paper records for the most critical data, Bonime-Blanc says. That way, if power fails, a cyberattack occurs or major storm strikes, employees can access key documents and have phone conversations that keep the company afloat.
“You really have to have everybody thinking proactively about risks and you cannot allow complacency to set in,” Bonime-Blanc cautions. She recommends that organizations view climate change as a company-wide issue and establish a cross-disciplinary team to monitor enterprise risks. The board and C-suite must be involved with the process.
Even the new technologies created to address climate issues bring with them new cyber risks. “As we continue to implement new technologies such as clean energy grids, smart factories, connected cars, and other systems, greater digital dependency will lead to new vulnerabilities and avenues of attack,” states Nocera.
With a focus on key areas -- governance and leadership, crisis management, and ESG in a broad context -- Bonime-Blanc believes that it’s possible to manage climate change risk and build a more resilient digital framework.
“Every product and service is different; every company’s footprint and supply chain are unique,” she concludes. “Once you understand all of this and you have a high level of situational awareness, you can design systems and strategies to minimize the impact of climate change.”
What to Read Next: