For years, organizations have purchased cybersecurity software in the ongoing quest to prevent data breaches or hacks of their systems, or at least to mitigate the impact of an inevitable incident. The increasing prevalence of cyber attacks, and evidence of the significant damage they cause, have driven C-suite interest in cybersecurity investments. According to Deloitte’s 2023 Global Future of Cyber Survey, "70% of survey respondents said cyber was regularly on their board’s agenda, either monthly or quarterly."
A similar thought process has started for the mitigation of physical incidents, such as extreme weather incidents, transportation accidents, power outages or fires. New OnSolve data points to the increasing frequency of these types of incidents and reveals that the C-suite, and their Boards, are prioritizing investments in technology and resources to address the potential impact. In the same way senior executives are involved in cybersecurity strategies, they need to be involved in physical threat mitigation. Lessons learned from cyber efforts can be applied to further drive this awareness.
Crises that impact an organization’s physical presence are not a new phenomenon, but their increase in frequency, and the broad impact they can have today, are of concern to organizations that realize they’ve neglected to invest in physical risk management resources.
According to our data:
- From 2021 to 2022, extreme weather events were up 42% in the U.S. and 72% globally. In the U.S., winter storms and blizzards were up 216%, while tsunamis (221%), flash floods (52%) and severe storms (138%) all increased in frequency.
- From 2021 to 2022, infrastructure and technology failures (including power outages) soared 807% in the U.S. (688% globally).
- From 2021 to 2022, transportation accidents (aircraft, maritime, rail and road) increased 296% in the U.S. and 21% globally.
The cascading effects of physical incidents make them a pressing concern for organizations. Consider the Canadian wildfires of recent weeks and months. The visceral impact of the fires, dislocating Canadian residents in their paths while spreading thick smoke across wide parts of North America and exacerbating health issues, hides the broader significant economic concerns. Oxford Economics expects Canada’s economy to take a hit of around half a percentage point, according to an early July New York Times story, based on transportation interruptions and power outages. Half a percentage point is significant, as Canada’s economy grew by roughly 3% in the first quarter of this year on an annualized basis.
As a second example, Hurricane Ida knocked out power for more than 1.2 million people in the U.S. in August 2021. But the impact it had on oil production is also important. More than 95% of the Gulf of Mexico’s refining capacity shut down in advance of the storm’s landing in Louisiana, according to CNN Business. Logically, the resulting increase in gas prices impacted any business that relies on shipping, even businesses a long way from the path of the storm. Those costs inevitably were passed on to consumers.
Addressing Physical Incidents Head-On
Securing both the physical and digital aspects of an organization is crucial to maintain the overall security posture and protect against a wide range of threats. As they take the dialogue around addressing physical threats further, the C-suite should apply lessons learned from operational efforts to address increased cyber risks.
First, they need to make the mitigation of physical threats a company-wide concern. C-suite leaders and their counterparts must broaden their understanding of risk from merely cyber to all risks that threaten their people and operations, employee health and revenue. The following efforts should be integrated into company operations.
- Perform a thorough risk assessment for physical security, similar to what has been done for cybersecurity. Identify potential threats and vulnerabilities related to assets, people, physical operations and facilities.
- Create a business impact analysis, working with key leaders across all areas of the business. This will ensure no stone is left unturned with respect to potential threats, and it will further highlight the impact a direct threat could have on various departments.
- Organizations validate cybersecurity education with tests and drills, for example, by sending emails that simulate a phishing attack. Parallel exercises can remind employees of physical crisis mitigation plans so they become second nature in the event of a real-world scenario.
Second, organizations need to create clearer, more automated ways to monitor all types of threats. Relying on data to inform decisions about investments or prioritization is essential. Knowing about potential threats will ensure leaders remain on guard. Cybersecurity procedures include real-time monitoring and threat detection; the same should be set up for monitoring physical threats that intersect core assets, operations and people. Security and event management solutions can also be used to consolidate the volume of data surrounding physical incidents so leaders know which ones they should be paying attention to. Most importantly, the value of these monitoring systems must be elevated to the C-suite so they understand the importance of the investment and its direct impact on business revenue and employee morale.
Finally, just as cybersecurity teams conduct tabletop exercises and regular awareness training among employees, organizations should test plans and execute scenario planning that will enable physical incident response and mitigation. As is the case with other significant corporate initiatives, the process should be led by a C-suite sponsor. The plan should map out potential physical crises that will impact the organization, and it should include detailed actions to mitigate their impact across employees, operations, customers and, if applicable, the general public.
Physical incidents are increasing in frequency, and their cascading effects can have a broad impact on operations. As was the case with cybersecurity, organizations must respond by elevating their risk mitigation strategies to the C-suite.
Originally published in Forbes, September 2023