The during and after of business continuity
The recent attacks in Paris along with the stream of terrorist atrocities taking place all over the world on an almost daily basis remind us just how much a danger the terrorist threat has become in recent years. The security services do a terrific job of reducing the number of attacks that take place but, as has so often been said: security services need to be lucky all the time, terrorists only need to be lucky once to inflict severe destruction on their target.
Of course it is important to note that, while the consequence of a terrorist attack is high, in reality the likelihood of your organisation being directly involved in one is still relatively low. The most recent Horizon Scan Report, published by the Business Continuity Institute, highlighted that acts of terrorism were reasonably far down the list of potential concerns, only just making it into the top ten with 42 per cent of business continuity and resilience professionals expressing concern about this type of threat materialising. This has been steadily climbing from 33 per cent in 2013 and 36 per cent in 2014.
Act of terrorism came in behind other events such as adverse weather, human illness, supply chain disruption and telecoms outage.
At the top of the list was cyber attack, and arguably the damage caused by such an incident can just as easily be described as an act of terror as groups like Daesh routinely use cyber warfare to significant effect against anyone they see as their enemy. When a cyber attack does happen it can be expensive, not just in terms of lost revenue, or fines, but through reputational damage.
How do you combat cyber threat?
Technology is advancing all the time to prevent various types of attack, but so is the sophistication with which they are carried out. What is perhaps the most important tool in preventing any unwelcome intrusion into your system is employee awareness. All too often it is a lapse in judgement by an employee which allows the attacker in – weak passwords, clicking on malicious links, opening harmful files.
Organisations need to make sure their staff are aware of the threats posed and be more thoughtful about their own actions. That said, there is also the need to ensure that you have the right software in place to prevent any unwanted intrusions and that your data is properly backed up.
Fighting the physical threat
With an act of terrorism of the more physical nature, however, whether it is a mass shooting such as we saw in Paris, hostage taking such as the Lindt Cafe siege or suicide bombings that we witnessed in London, there are two ways that organisations can be affected by it. There are those in the immediate vicinity who are directly impacted by any incident (eg, building damaged, staff injured etc), and those who are not affected by the incident but are impacted by the consequence (eg cordon put in place preventing access or building locked down etc). Obviously there will be many other ways an organisation or individual could be affected but for sake of ease we will concentrate on just these two.
The most important thing during an incident is to make sure than people are safe, whether it is your staff or your customers, your priority is the maintenance of human life, not just the continuation of the business.
The UK government recently published advice on implementing a dynamic lockdown, ie, the restriction of access and egress to a site or building during a live incident in order to prevent people entering a danger area, or to disrupt attackers in their attempts to move around the building.
Planning for a dynamic lockdown means looking at your facility and seeing how areas can be sectioned off, how they can be secured and who is responsible for what. You also need to consider how to communicate urgent messages to your employees during this time.
The advice, also highlighted in the stay safe principles, is simply – run, hide, tell.
Run: If you can escape using a safe route, get out as soon as you can and encourage others to come with you. Leave your belongings behind.
Hide: If there is no safe route to escape, hide. Try to lock/barricade yourself in a room, but not somewhere where you could become trapped. Move away from the door and keep you and your phone quiet. Remember that you’re not in the movies and bullets will pass through most objects.
Tell: If it is safe to do so then phone 999, don’t rely on someone else to do it. Even if someone else has, you may be able to provide the emergency services with important information that no one else can – number of attackers, casualties or hostages and where they were last seen would be key information.
Once the incident is over, however, that is when you consider how your organisation becomes operational again.
You have a responsibility to your staff to make sure they still have paid employment, and you have responsibility to society to ensure that life goes on, otherwise the terrorists have won.
Of course you need to bear in mind that your staff will have been through a traumatic experience and may need time to recover, both physically and mentally. Ensure that those affected receive counselling to help them come to terms with what they have been through.
As the old adage goes, prevention is always better than cure. If you can stop a terrorist attack then this will be infinitely better than having to clear up the aftermath. The key here is quite simply vigilance. If something looks out of place, report it.
Acting in the aftermath
It is important that you have a plan in place so that people know what to do, it is important that people understand the plan so they are not left confused on the day, it is important that your plan has some flexibility so it can be adapted to suit the situation. The actual response would then depend on what the disruption is.
Is the IT out of action? Can it be replicated elsewhere? There are many data replication solutions available that can migrate all of your data to a secondary system, removing the potential single point of failure that could result in you losing all of your data in the event of an IT disaster. With the increasing use of the cloud, in theory people should be able to uproot themselves and move virtually anywhere to get their work done, and in office based environments, this is certainly the case.
Is the building out of action, either because it is closed or because it is inaccessible? Is there a nearby workspace that can be used instead or can staff work from home? The technology that is available, either by enabling employees to log in to the server remotely or by using the cloud, makes this a perfectly feasible solution without too much disruption.
Perhaps you work in a shop or a factory that cannot be relocated, are your customers and suppliers aware of your situation? They’ll be a lot more understanding about any disruption if they’re kept informed.
Has there been a loss of staff? If this is down to inaccessibility of their workplace then again you need to look at options such as working from other locations. If it is down to inability to work due to physical or mental injury sustained as a result, then your plan needs to include a succession plan identifying who can cover the important roles. If you are a small organisation that does not have enough staff to cover roles, are you able to access staff from elsewhere, perhaps from an agency or another organisation that you have a good relationship with?
Communication is vital throughout any period of disruption, both internally and externally. To get the best out of your employees, you need to keep them up to date on what is happening and what they can do to support the organisation. To maintain the confidence of your customers and suppliers you need to keep them informed of the situation, even if that is just to confirm any new arrangements you have in place.
Will it work?
What is perhaps the key part of any business continuity plan is the validation phase – does it work?
During an incident is a great way of finding out whether your plan works or not, but if the answer is that it doesn’t then it could leave the organisation in a bit of a mess. Testing and exercising ensures that the plan can be effectively assessed in an environment where it doesn’t matter if it goes wrong.
Disruptive events will always occur, whatever form they may take. By having an effective business continuity programme in place, it should mean that, in the event of an incident, a drama doesn’t turn into a crisis.
Andrew Scott CBCI is the Senior Communications Manager at the Business Continuity Institute who joined after ten years at the Ministry of Defence working in a number of roles including communications and business continuity.