Mar 21, 2016
The growing fear of a physical security incident
With cyber threats remaining a top concern for many organisations, Andrew Scott, of the Business Continuity Institute, says that physical threats are not to be ignored either.
The Business Continuity Institute (BCI) recently published its annual Horizon Scan Report – a report that looks at what the biggest concerns are to business continuity professionals across the world – and yet again it has shown that the greatest of those concerns is a cyber attack. In fact, all of the top three concerns relate to IT infrastructure with data breach coming second and IT/telecoms outage coming third. 85 per cent, 80 per cent and 77 per cent of respondents to the global survey conducted by the Institute expressed concern at the possibility of one of these threats materialising and resulting in a disruption to their organisation.
Perhaps that is not surprising considering the increasing likelihood of such an attack taking place. One study carried out last year by NTT Com Security (Risk:Value Report 2016) indicated that two-thirds of organisations predicted that they will suffer a data breach at some point in the future. It is also perhaps not surprising given the damage they can cause, not only financially, but to an organisation’s reputation as well.
Target, Sony, eBay and the BBC have all suffered a sizable attack in recent years, with downtime, or subsequent fines if data is stolen, hitting the bottom line significantly.
The rise of physical threats
What was a surprising finding in the Horizon Scan Report was the rise of physical security as a major concern for organisations, with security incidents such as vandalism, theft, fraud or protest moving from sixth place in 2015 to fifth place this year, and act of terrorism moving from tenth place to fourth. Of course it needs to be kept in mind that the events in Paris at the end of 2015 will still have been fresh in people’s minds, and will have got them thinking about what impact an act of terror could have on their organisation.
You don’t need to be targeted directly to be disrupted by a security incident or an act of terror; any organisation in the vicinity of such an event has the potential to be disrupted. When the hostage situation was taking place at the Lindt Café in Sydney, many offices in the surrounding area had to be evacuated.
One thing that is worth highlighting is that the Horizon Scan Report focuses on concerns, and is not a risk assessment looking at impact or likelihood. It may be that another incident is more likely to occur and/or have a greater impact should it occur, but that does not in itself make it a concern.
There may be other factors involved in respondents’ decision‑making, such as how prepared their organisation is for a particular incident unfolding.
The BCI’s Horizon Scan sets the baseline and shows what the overall threats are. It does break these threats down by size of organisation, sector and location, but it is important that all organisations conduct their own horizon scan in order to assess the threats specific to them. If you know the threats your organisation faces, then you are better placed to know what the potential consequences of those threats materialising could be, and therefore what the potential disruptions could be. From here you have the foundation for a business continuity plan.
Putting a plan in place
Whatever the crisis, it is essential that organisations have plans in place to be able to deal with the consequences, and have that business continuity plan in place.
With physical infrastructure, whether the cause is a fire, flood, or act of terror, if the building is out of action then you need to ensure there are plans in place to work elsewhere. Is there a nearby workspace that can be used instead, or can staff work from home? The technology that is available, either by enabling employees to log in to the server remotely or by using the cloud, makes this a perfectly feasible solution without too much disruption. If the disruption is on a much wider scale, for example New York City after Superstorm Sandy, the important work can be transferred to a separate location but within the same organisation.
Again it comes down to ease of access to data, and perhaps size of organisation.
Smaller organisations may have less flexibility to absorb any disruption, and are less likely to have back‑up facilities that could be used.
On the other hand, the smaller the organisation, the fewer its requirements will be, so it may have more flexibility to relocate elsewhere.
Regarding digital infrastructure, it doesn’t matter whether it’s a cyber‑attack or a power failure; if the IT is out of action then you need to have plans in place to manage through this.
Can it be replicated elsewhere? There are many data replication solutions available that can migrate all of your data to a secondary system, removing the potential single point of failure that could result in you losing all of your data in the event of an IT disaster. With the increasing use of the cloud, in theory people should be able to uproot themselves and move virtually anywhere to get their work done, and in office-based environments, this is certainly the case.
It is also essential to respond swiftly to any crisis as the longer you delay any action, the more disruptive it could become. Communicate to all your stakeholders what is going on and what you are doing to resolve it. People are a lot more understanding when you’re being transparent and they can see you’re making an effort to sort things out.
The supply chain power chain
Of course making sure your own house is in order is one thing, but in the globally connected and often complex world that we live in, most organisations are dependent on many other organisations that are contained within their supply chain.
A supply chain is only as strong as its weakest link so it is also important to make sure that the organisations you deal with have their own business continuity plans in place so they can manage any disruption that occurs to them.
A recent piece of research by the BCI – the annual Supply Chain Resilience Report – highlighted that nearly three quarters of organisations surveyed had experienced at least one supply chain disruption during the previous twelve months, and that 14 per cent had suffered cumulative losses in excess of €1 million as a result. Furthermore, nearly three quarters of organisations claimed they did not have full visibility over their supply chains and half admitted that any disruptions occurred below the tier 1 supplier. If you have a better understanding of your supply chain and manage it more effectively, then you stand a much greater chance of withstanding any disruption that may arise.
What is perhaps the key part of any business continuity plan is the validation phase – does it work?
During an incident is a great way of finding out whether your plan works or not, but if the answer is that it doesn’t then it could leave your organisation in a bit of a mess.
Testing and exercising ensures that the plan can be effectively assessed in an environment where it doesn’t matter if it goes wrong. There are several ways of exercising the plans, and these range from table-top exercises, whereby the key players discuss different scenarios and what they would do if those scenarios occurred, to a live exercise in which an incident is played out as if it were for real. Disruptive events will always occur, whatever form they may take. By having an effective business continuity programme in place, it should mean that, in the event of an incident, a drama doesn’t turn into a crisis.
The sunny side of business continuity
A lot of business continuity planning and horizon scanning involves analysing the threats that organisations face, and it can often come across as being rather fear‑mongering; however, it is worth noting that there are positive aspects to business continuity as well. It is these positive aspects that are being focussed on during Business Continuity Awareness Week (16-20 May 2016), which has the theme ‘return on investment’.
Being seen as a reliable customer/supplier can lead to reduced insurance premiums and can also be used as a bargaining chip during contract negotiations. The analysis phase of the business continuity programme can often find efficiencies and cost savings within an organisation as it looks in close detail at business processes. Exercises held as part of the business continuity programme can often act as effective team building exercises as they see how people respond and work together when put in a challenging environment.
Andrew Scott CBCI is the senior communications manager at the Business Continuity Institute. Andrew has over ten years’ experience at the Ministry of Defence working in a number of roles including communications and business continuity.