Reflections after experiencing my first hurricane in Florida: Lessons in preparedness and cybersecurity

After experiencing my first hurricane season here in Florida with Hurricane Milton, I was inspired to write another article, comparing the impacts of Hurricane Helene with those of Milton. You can check out my previous reflections here.

According to the World Population Review, Florida has been hit by 120 hurricanes since 1851, with 37 reaching Category 3 or higher. North Carolina has faced 58 hurricanes in the same timeframe, with 7 reaching Category 3 or above. Helene was a Category 4 hurricane on a scale of up to 5, while Milton reached Category 5 before hitting land as a Category 3—potentially the strongest hurricanes ever identified.

The death toll from Helene has been devastating, with over 230 lives lost. In contrast, although the full impact of Milton is yet to be confirmed, it appears that the loss of life may be significantly lower—17 while I am writing this article. Even though I'm not a hurricane expert, this stark difference in outcomes is thought-provoking. Helene swept through Florida, Georgia, North Carolina, South Carolina, Tennessee, and Virginia, causing widespread destruction and flooding. North Carolina reported the highest fatalities, with over 110 lives lost, while Florida had more than 60 deaths.

With Milton, I believe that the extensive early detection and the proactive measures taken in Florida played a critical role in minimizing the loss of life. Due to its predicted path through central Florida, where communities at the coast were still recovering from Helene, evacuation plans were enacted promptly, reducing the impact on human lives. Although significant financial damage was incurred, the effectiveness of these measures illustrates how preparation can make a substantial difference.

States with more frequent hurricane experiences tend to have more robust preparation strategies. For instance, Florida implemented the Florida Building Code in 2002, mandating hurricane-resistant features for new constructions, such as impact-proof windows and storm shutters. Updates in 2010 raised standards further, requiring resistance to winds up to 185 mph. These measures, alongside well-coordinated evacuation and response plans, illustrate how proper planning can mitigate the effects of even the most powerful storms and be decisive factors in preserving lives.

In the same way that hurricanes test coastal readiness, cybersecurity incidents test corporate preparedness. A tested, effective, and efficient disaster recovery plan serves both cases. Every organization can be affected by cyber threats. According to the Verizon Data Breach Investigations Report, sectors most affected by data breaches include Public Administration, Finance, Healthcare, Professional Services, Information, Education, and Retail. However, no company is entirely immune, and the extent to which incidents are detected and managed often dictates the overall financial and reputational impact.

Today, many industries face a multitude of regulatory requirements beyond HIPAA, GDPR, CCPA, FISMA, SOX, GLBA, PCI DSS, and others. Cybersecurity is not just a necessity; it is also a matter of compliance. Large corporations can incur severe penalties for failing to adhere to these regulations, which are designed to enhance cybersecurity maturity. Non-compliance can lead to serious security vulnerabilities and significant fines.

Recently, T-Mobile agreed to invest $15.75 million to improve its cybersecurity and pay an additional fine of the same amount to the U.S. Treasury. In 2022, T-Mobile also faced a massive $350 million settlement due to data breaches affecting millions of customers. Additionally, under GDPR regulations, companies have faced substantial fines, such as UniCredit’s record €2.8 million penalty for a data breach resulting from a cyberattack, Marriott International’s £18 million fine for a breach that exposed customer data, and British Airways’s £20 million fine for a security failure that led to customer data leakage.

Consider two companies: one without detection tools or incident response processes, and another with a comprehensive cybersecurity framework. The first company might experience continuous losses due to undetected fraud, scams, and data breaches, alongside regulatory fines and legal costs from affected clients. The second company, with a robust detection system, quickly identifies threats, fixes vulnerabilities, and maintains regulatory compliance. This company protects its clients, complies with laws, and avoids unnecessary costs.

In the same way that well-defined detection and response plans mitigate the effects of hurricanes, an effective cybersecurity strategy keeps companies compliant, minimizes financial losses from scams and fraud, and ensures the integrity, availability, and confidentiality of corporate data. Cyber incidents are not a matter of "if" but "when." Therefore, having internal (SIEM, EDR, XDR) and external detection tools like Apura’s BTTng Cyber Threat Intelligence platform, along with trained personnel and well-defined disaster recovery plans and incident response processes, can significantly limit the damage.