
PREPARING FOR DISRUPTION

Navigating natural and man-made threats

BY ANDREW SCOTT

Our organizations face disruption all the time. Natural and man-made disasters both have a devastating impact that can cost time, money and customers. But it’s not just events in the physical world that we ought to be concerned about. In our digitally driven society, virtual disruptions can also have severe consequences. We are so reliant on our information technology (IT) networks that work effectively stops when they go down.


Cyberattacks, data breaches and network outages are considered the greatest concern to business continuity and resilience professionals, according to the 2017 Horizon Scan Report by the Business Continuity Institute (BCI). This level of concern far exceeds that of disruptions caused by adverse weather, fire, terrorism or human illness, and is perhaps justified.

In fact, another report by the BCI — The Cyber Resilience Report 2016 — revealed that two-thirds of organizations analysed experienced at least one cybersecurity incident during the previous year, while 15 percent had experienced at least 10.

WHAT MAKES THE CYBER THREAT SO GREAT?

In any single second, it is estimated that more than 10 terabytes of data are being transferred across the internet. Global IT infrastructure makes it a relatively easy task to handle, but what happens when a large chunk of that data is focused on one server?

That was the position the United Kingdom’s largest broadcaster, the British Broadcasting Corporation (BBC), found itself in on New Year’s Eve a few years ago. A distributed denial of service (DDoS) attack of up to 600 gigabits per second brought down their website, including iPlayer, for several hours. A DDoS attack involves an attacker using a series of internet-connected devices to bombard a single target with data until it overloads and crashes. Similar cyberattacks are becoming more frequent, with some studies suggesting that half of all organizations are affected by at least one attack every year. They can be used as a form of activism, or a smokescreen to hide a more malicious attack or theft of data. Sometimes the impact on one organization is just the collateral damage of a wider attack. The BBC breach was reportedly enacted to test whether an attack on such a scale could be mounted. It could.

The U.K.’s Lincolnshire County Council suffered a more sinister cyberattack in which ransomware was installed and data encrypted, before a ransom of £1 million was demanded in order to decrypt it. The computer systems were taken down for several days, causing severe disruption as staff had to resort to pen and paper to get work done. The council was adamant it would not pay the ransom — but at what cost?

Public sector organizations such as local authorities and hospitals are often targeted, perhaps because they are perceived as having more vulnerabilities.

THE VALUE OF DATA

Data is becoming a valuable asset for organizations that continue to gather as much information as possible on clients and prospects. And as many products and services are now being sold online, this data is becoming easier to collect. Organizations are building vast databases containing personal contact details and credit card information.

This data is worth a lot of money, and there are many organizations who would like to get their hands on it. Adobe, Sony and JP Morgan are all big names who no doubt invest heavily in IT security, yet all have suffered a data breach in recent years. And when customers see their personal information being lost or stolen, the reputational damage can lead to customers taking their business, and money, elsewhere. A decreased customer base can represent a notable financial loss, but fines or legal action can also take their toll on the organization. In fact, some sources suggest Adobe, Sony and JP Morgan each lost more than US$1 billion as a result of data breaches.

PROTECTING DATA

Human error, and not sophisticated hacker technology, is often to blame.


WWW.IFMA.ORG/FMJ


For instance, a recent survey of dry cleaners found that more than 22,000 universal serial bus (USB) memory sticks and nearly 1,000 mobile phones were found in clothes received during any given year. Vast quantities of data are lost due to the careless actions of individuals. How many laptops, phones and memory sticks do you think are gathered in the lost property collections of coffee shops, trains and airports? (That’s assuming the finders are honest enough to hand them in.)

Another recent study found the most common passwords used are “123456” and “password.” The remainder of the top 20 included equally guessable passwords, which means it wouldn’t take a computer genius to hack into those accounts.

The Business Continuity Institute is focusing on cyber end-user vulnerabilities as part of its latest campaign and highlighting steps each of us can take to improve cyber security:

- Use secure passwords, including a combination of at least 12 upper and lowercase letters, numbers and symbols. Do not use number sequences or names that can be easily guessed, like a birthday or pet’s name, for example.
- Keep passwords safe. Do not record or store them in a location that is easily accessed, like next to your computer.
- Lock your computer when you’re not using it.
- Be cautious when using public Wi-Fi, and do not access sensitive information when using it.
- Do not plug in untrusted USB devices.
- Do not click on untrusted links.

The essence of the campaign is that cyber security is everyone’s responsibility, and we can all play a part in building resilient organizations.

PHYSICAL SECURITY

While security in the virtual world seems to be leading the list of concerns, it is similarly important to remember security in the physical world. Incidents like vandalism, theft, fraud and protest all cause disruption to organizations, and a surprising finding of the Horizon Scan Report was the rise of physical security as a major concern for organizations. It moved from sixth place in 2015 to fifth place in 2016, and ranked in fourth place this year. Acts of terrorism moved from 10th place to fourth and back down to seventh place during the same time period.

Organizations don’t have to be targeted directly to be disrupted by a security incident or an act of terror. Any organization in the vicinity of such an event has the potential to be disrupted. For example, the police could decide to lock down the area until it is deemed safe.

And while many of these concerns are largely the result of man-made threats, let’s not forget the havoc that nature can wreak on organizations. Already in 2017, impacts were devastating as Cyclone Debbie struck New Zealand and Australia. While some regions are affected more than others, no location is safe from the impact of extreme weather, whether it be the result of wind, rain, snow or drought. Add to this threat the damage wrought by earthquakes, tsunamis and volcanoes, and it is clear that organizations must implement plans to prepare themselves for the consequences of disruption.

PREPAREDNESS IS KEY

How do you prepare your organization for the various disruptions that it could face? Horizon scanning is a fundamental part of business continuity, and it is important for each organization to assess the relevant threats to have a better understanding of the potential impacts.

Protecting digital infrastructure

With digital infrastructure, it doesn’t matter if it’s a cyberattack or a power failure — if the IT system is compromised or inoperative, a plan is necessary to manage the lapse.