Andrew Scott 2017-07-13 22:10:12
Navigating natural and man-made threats

Our organizations face disruption all the time. Natural and man-made disasters both have a devastating impact that can cost time, money and customers. But it’s not just events in the physical world that we ought to be concerned about. In our digitally driven society, virtual disruptions can also have severe consequences. We are so reliant on our information technology (IT) networks that work effectively stops when they go down.

Cyberattacks, data breaches and network outages are considered the greatest concern to business continuity and resilience professionals, according to the 2017 Horizon Scan Report by the Business Continuity Institute (BCI). This level of concern far exceeds that of disruptions caused by adverse weather, fire, terrorism or human illness, and is perhaps justified. In fact, another report by the BCI — The Cyber Resilience Report 2016 — revealed that two-thirds of organizations analysed experienced at least one cybersecurity incident during the previous year, while 15 percent had experienced at least 10.

WHAT MAKES THE CYBER THREAT SO GREAT?

In any single second, it is estimated that more than 10 terabytes of data are being transferred across the internet. Global IT infrastructure makes it a relatively easy task to handle, but what happens when a large chunk of that data is focused on one server? That was the position the United Kingdom’s largest broadcaster, the British Broadcasting Corporation (BBC), found itself in on New Year’s Eve a few years ago. A distributed denial of service (DDoS) attack of up to 600 gigabits per second brought down their website, including iPlayer, for several hours.

A DDoS attack involves an attacker using a series of internet-connected devices to bombard a single target with data until it overloads and crashes. Similar cyberattacks are becoming more frequent, with some studies suggesting that half of all organizations are affected by at least one attack every year.
They can be used as a form of activism, or a smokescreen to hide a more malicious attack or theft of data. Sometimes the impact on one organization is just the collateral damage of a wider attack. The BBC breach was reportedly enacted to test whether an attack on such a scale could be mounted. It could.

The U.K.’s Lincolnshire County Council suffered a more sinister cyberattack in which ransomware was installed and data encrypted, before a ransom of £1 million was demanded in order to decrypt it. The computer systems were taken down for several days, causing severe disruption as staff had to resort to pen and paper to get work done. The council was adamant it would not pay the ransom — but at what cost? Public sector organizations such as local authorities and hospitals are often targeted, perhaps because they are perceived as having more vulnerabilities.

THE VALUE OF DATA

Data is becoming a valuable asset for organizations that continue to gather as much information as possible on clients and prospects. And as many products and services are now being sold online, this data is becoming easier to collect. Organizations are building vast databases containing personal contact details and credit card information. This data is worth a lot of money, and there are many organizations who would like to get their hands on it.

Adobe, Sony and JP Morgan are all big names who no doubt invest heavily in IT security, yet all have suffered a data breach in recent years. And when customers see their personal information being lost or stolen, the reputational damage can lead to customers taking their business, and money, elsewhere. A decreased customer base can represent a notable financial loss, but fines or legal action can also take their toll on the organization. In fact, some sources suggest Adobe, Sony and JP Morgan each lost more than US$1 billion as a result of data breaches.

PROTECTING DATA

Human error, and not sophisticated hacker technology, is often to blame.
For instance, a recent survey of dry cleaners found that more than 22,000 universal serial bus (USB) memory sticks and nearly 1,000 mobile phones were found in clothes received during any given year. Vast quantities of data are lost due to the careless actions of individuals. How many laptops, phones and memory sticks do you think are gathered in the lost property collections of coffee shops, trains and airports? (That’s assuming the finders are honest enough to hand them in.)

Another recent study found the most common passwords used are “123456” and “password.” The remainder of the top 20 included passwords equally as guessable, which means it wouldn’t take a computer genius to hack into those accounts.

The Business Continuity Institute is focusing on cyber end-user vulnerabilities as part of its latest campaign and highlighting steps each of us can take to improve cyber security:

• Use secure passwords, including a combination of at least 12 upper and lowercase letters, numbers and symbols. Do not use number sequences or names that can be easily guessed, like a birthday or pet’s name, for example.
• Keep passwords safe. Do not record or store them in a location that is easily accessed, like next to your computer.
• Lock your computer when you’re not using it.
• Be cautious when using public Wi-Fi, and do not access sensitive information when using it.
• Do not plug in untrusted USB devices.
• Do not click on untrusted links.

The essence of the campaign is that cyber security is everyone’s responsibility, and we can all play a part in building resilient organizations.

PHYSICAL SECURITY

While security in the virtual world seems to be leading the list of concerns, it is similarly important to remember security in the physical world. Incidents like vandalism, theft, fraud and protest all cause disruption to organizations, and a surprising finding of the Horizon Scan Report was the rise of physical security as a major concern for organizations.
It moved from sixth place in 2015 to fifth place in 2016, and ranked in fourth place this year. Acts of terrorism moved from 10th place to fourth and back down to seventh place during the same time period.

Organizations don’t have to be targeted directly to be disrupted by a security incident or an act of terror. Any organization in the vicinity of such an event has the potential to be disrupted. For example, the police could decide to lock down the area until it is deemed safe.

And while many of these concerns are largely the result of man-made threats, let’s not forget the havoc that nature can wreak on organizations. Already in 2017, impacts were devastating as Cyclone Debbie struck New Zealand and Australia. While some regions are affected more than others, no location is safe from the impact of extreme weather, whether it be the result of wind, rain, snow or drought. Add to this threat the damage wrought by earthquakes, tsunamis and volcanoes, and it is clear that organizations must implement plans to prepare themselves for the consequences of disruption.

PREPAREDNESS IS KEY

How do you prepare your organization for the various disruptions that it could face? Horizon scanning is a fundamental part of business continuity, and it is important for each organization to assess the relevant threats to have a better understanding of the potential impacts.

Protecting digital infrastructure

With digital infrastructure, it doesn’t matter if it’s a cyberattack or a power failure — if the IT system is compromised or inoperative, a plan is necessary to manage the lapse. Consider backup options for replication of digital infrastructure. Many data replication solutions can migrate data to a secondary system. They remove the potential single point of failure that could compromise all data in the event of an IT disaster.

The increasing use of the cloud also helps with possible disruptions to workflow.
In theory, people should be able to uproot and move virtually anywhere to get work done through cloud-based systems, and it’s certainly the case in office-based environments.

Maintaining physical infrastructure

Regarding physical infrastructure, whether the cause for disruption is a fire, flood or act of terror, parts or the entirety of a facility may have to be closed. If the building is unsafe or uninhabitable, a response plan that accommodates alternate working space is mandatory. Research substitute workspace options inside and outside of your organization. Consider nearby workspaces that can be used instead, or allow staff to work from home — and remember to consider the logistics of remote working. Enabling employees to log in to a remote server or use the cloud is a perfectly feasible solution without too much disruption.

Disruption on a much wider scale, like the destruction created by Superstorm Sandy in New York City, may mandate transferring operations to a separate location within the same organization. Again, it comes down to ease of access to data, and at times, the size of the organization. Smaller organizations may have less flexibility to absorb disruption, and be less likely to have backup facilities available. On the other hand, the smaller the organization, the fewer the requirements — so it may have more flexibility to relocate.

Sadly, loss of staff is another frequent result of disaster scenarios. If decreased staff numbers are due to an inability to access the workplace, then alternate locations and remote working serve as solutions. However, if staff members are unable to work as the result of sickness, injury, etc., then response plans should also identify emergency processes and individuals who can cover important roles and responsibilities.

THE TAKEAWAY

Whatever the crisis, it is essential to respond swiftly and strategically. The longer action is delayed, the more disruptive the crisis can become.
Communicate the situation to all stakeholders, and explain what is being done to achieve resolution. People are more understanding when organizations are transparent and plans are enacted to remedy issues.

Disruptive events will always occur, whatever form they may take. But having an effective business continuity program in place should mean dramatic events don’t become crises.

Learn more about business continuity and start forming your own disaster response plan by visiting the Business Continuity Institute at www.thebci.org.

ANDREW SCOTT, CBCI, is the senior communications manager at the Business Continuity Institute. Scott joined the organization after a brief period working as the press officer for a national health charity. Prior to that role, he dedicated more than 10 years at the Ministry of Defence working in a number of fields, including communications and business continuity. Scott has a master’s degree in public relations from the University of Stirling, and has successfully taken the Certificate of the BCI (CBCI) examination, which he passed with merit.
Published by International Facility Management Association.
This page can be found at http://fmj.ifma.org/article/Preparing+for+Disruption/2833548/424349/article.html.