Enjoy the first of our four part series on Organisational Resilience.
In cyber security circles, conversation tends to orbit familiar threats: ransomware, insider attacks, phishing, DDoS campaigns, and the ever-looming spectre of APTs.
And yet, as critical as these are, they represent only part of the risk landscape.
The fact remains that many organisations remain dangerously underprepared for the most indiscriminate adversary of all: Nature.
While cyber defences are built to counter intentional disruption, the physical world has no such motive.
Fires, floods, earthquakes, and volcanic eruptions don’t care about compliance, encryption, or firewalls.
They strike without bias, and with consequences that are often far-reaching, devastating, and unplanned for.
In risk assessments, natural disasters are often relegated to the bottom of the matrix—a box to tick for insurers or auditors.
But the increasing frequency and severity of these events worldwide demand a different approach.
Cyber resilience isn’t just about responding to breaches; it’s about ensuring operational continuity when infrastructure itself is threatened.
Let’s take flood, for example: Flooding can destroy on-premises data centres, take entire regions offline, and disrupt power and communications infrastructure in a matter of hours.
The floods New Zealand experienced between 18th and 21st August 2022 and in Auckland 27th January 2023 were, quite literally disastrous.
The water damage brought about by Cyclone Gabrielle (11th – 17th February 2023) disrupted power, phone and Internet services to over 40,000 properties in the Hawkes Bay region alone, with (at the time) an estimated two-week restoration projection.
Two weeks without power and Internet!
Floods are identified as one of New Zealand’s most expensive natural disasters.
Organisations without adequate off-site backups, tested failover procedures, or remote workforce capabilities often discover too late that cyber resilience without physical redundancy is no resilience at all.
Earthquakes add an additional layer of unpredictability, particularly in geologically active regions like New Zealand, Japan, and California.
A major quake may damage fibre lines, cut off access to key facilities, or render critical infrastructure physically inaccessible.
The 2011 Christchurch New Zealand earthquake vividly demonstrated how an entire city can be thrown into chaos.
Yet, well over a decade later, many businesses still lack robust disaster recovery and business continuity plans that account for regional seismic risk.
Volcanic activity presents an even more neglected risk vector.
Here in Auckland, over 50 dormant volcanic cones sit beneath the city’s surface. Few residents consider them a threat. But geological science makes one thing clear: the question isn’t if another eruption will occur – it’s when. A single eruption could displace hundreds of thousands, disrupt regional infrastructure, and render entire data centres or business hubs inoperable.
Despite this, how many organisations based in Auckland have meaningful continuity plans that include the possibility of volcanic activity?
How many organisations assume that such an event is too improbable to factor into their architecture?
In a digital economy, this kind of thinking is not just complacent – it’s negligent.
And then . . .
There are the disasters for which there is almost no mitigation.
Among them: Solar Storms, or more precisely a Coronal Mass Ejection (CME).
A strong solar flare has the potential to knock out GPS systems, satellite communications, aviation navigation, and power grids.
Unlike a cyberattack that targets a known system, a CME can cause continent-wide or even planetary-scale disruption.
In 1859, the Carrington Event produced the largest geomagnetic storm on record. Telegraph systems failed across Europe and North America. Operators were shocked by electric surges (one died), equipment caught fire, and systems functioned erratically or not at all. And that was in the age of copper wires.
Fast forward to August 1972. A massive solar storm took place between the Apollo 16 and Apollo 17 missions. Had astronauts been caught in space during that flare, the consequences could have been fatal.
Then, just over a year ago, in May 2024, we were again reminded of our solar vulnerability. Auroras were visible at unprecedented latitudes, and while no catastrophic disruptions occurred, warnings were issued across sectors from aviation to satellite communications.
The 2024 near miss served as a quiet wake-up call: our modern infrastructure is not immune.
Today, much of our critical infrastructure—from satellite networks and aviation systems to power grids and undersea cables—is vulnerable to geomagnetic storms.
There are few technical defences.
We cannot firewall the sun.
Where does this leave the modern organisation?
It leaves us with a clear mandate: disaster preparedness must extend beyond malware and misconfiguration.
Cybersecurity and operational resilience are inextricably linked. Both depend on robust planning, redundant systems, and the ability to function in degraded states.
Organisations need to shift from cyber-centric thinking to resilience-centric strategy. This includes:
- Hosting critical systems across geographically diverse regions.
- Establishing contingency communications plans that don’t rely solely on the Internet.
- Periodically testing for physical disaster scenarios, not just cyber breach playbooks.
- Maintaining offline, encrypted backups.
- Engaging with local civil defence authorities to understand risk exposure and response protocols.
In the event of a fire or flood, can you still access your systems?
If an earthquake cuts your city in half, can you still serve your clients?
If a solar storm wipes out satellites, can your business operate for 48 hours? What about a week? What about year?
The goal isn’t fear. It’s foresight.
Resilience means being able to adapt, absorb, and recover—no matter the source of the disruption.
As threats multiply, so must our perspective. Cybersecurity, in isolation, is no longer enough. Because when the earth moves, or the sky erupts, it won't matter how secure your systems are if they're sitting under volcanic ash or cut off from power by a solar flare.
CyberForensics provides organisational resilience and integrated risk management services that help organisations prepare for both man-made and natural threats.
Contact us to discuss how to future-proof your infrastructure against risk of the known, the unknown, and the unknowable.