2 posts from September 2011

15 September 2011

Could the UK soon be facing the Winter of Discontent?

Britain again faces the threat of mass walkouts by public sector workers. These are set to begin as early as November and could run indefinitely.

The GMB has stated that “we're not talking about a day out and a bit of a protest, because this is going to require days of action running through the winter, through into next year right into the summer.”

Given this kind of warning, it makes sense for organisations to take a look now at how they intend to cope, rather than waiting until events outstrip their ability to respond and recover.

A small amount of consideration and planning now can avoid a great many headaches further down the line.

Proactive companies will already be thinking about how these walkouts may affect them specifically. School closures, transport disruption and lack of other public services upon which employees depend may result in increased absenteeism, supply chain disruption and reduced availability of goods and services. 

Organisations would do well to take a look now at their work-from-home arrangements, transport arrangements, communication options and other potential opportunities to manage through such disruption.

They should question the level of confidence in their ability to handle the effects of strikes, and where plans and arrangements are already in place for this kind of event, check to see when they were last rehearsed.

Where organisations do not have specific business continuity or response plans in place to deal with industrial action, they can draw on existing plans which are tried and tested. Many companies created plans for mass absenteeism in preparation for pandemic flu. Transport disruption was a significant factor during the severe weather last winter, and companies can draw on this experience to prepare for industrial action.

At the very least, businesses should understand their key business processes and the likely impact of the disruption, both to these and to the resources or services upon which they depend – particularly where organisations are heavily dependent upon extended supply chains.

That said, with all of this discussion happening about a potential, rather than an actual, event, it is important that organisations do not overplay this particular risk. There needs to be a level of pragmatism in the approach taken, and a constant review of the developing situation will help inform any required response.

Regardless of what eventually takes place, it is certain that it pays to be prepared. Even if industrial action is avoided, other events can and will take place that can affect organisations in very similar ways; preparing simple and straightforward business continuity plans well in advance is always a worthwhile investment.

01 September 2011

Converged Security

Cyber-crime is not new. It is a fast-evolving business - yes, I am describing it as a business - but that is not new either. As in so many businesses, and life in general, evolution rewards the adaptable and builds on the strengths of those that can adjust.

Cyber criminals these days probably have MBAs. I know there are already operations that are structured with multiple units, each playing a distinct role, such as the identification of targets (Research & Development: Vulnerability and Discovery Exploitation), penetration, capture and collection of information (Logistics: Botnet Deployment), and product distribution (Sales: Criminal Actions).

These may be loosely banded at the moment, but how long before they are streamlined? Will wholesalers be directed to pick their targets to satisfy the various sales channels (Business Development: Criminal Mobility) that have together set revenue targets and with whom they have built business plans? Will they begin to employ (or do they already have) assessors who look through the volumes of data they have captured and separate out PII to their identity or credit card fraud divisions? Intellectual property will be moved into the appropriate sector [car manufacturers in the Far East are driving prices up this year while new energy technologies are down] for sale on the international market.

In fact all the divisions will operate on a global scale [Ransom as a revenue tactic seems to work best in the SME range in the Americas while blackmail (threat of media disclosure of captured information and therefore loss of company reputation) is producing record results in the FTSE 500 targets / European headquartered multinationals]. 

Revenues will grow.  Competitors in this market may start targeting each other to steal what has already been stolen (is that a crime?).  What about 'legitimate' bounty hunters, hired for a fee to steal back what was stolen?  Is it better to pay a bounty hunter than it is to pay the people demanding a ransom?  How will you know which is which?  Cyber criminal businesses will "buy up" these bounty hunter operations (Investment: Money Laundering) and build a set of independence rules that separate them from their core operations, hedging their bets to ensure they get paid either way and driving innovation on both sides.

These scenarios are only partially fiction. The effects are real. And they are really an issue for business continuity. In order for our businesses to survive, BC needs to evolve, embrace and incorporate more of the contributions made by other security disciplines. BC does not address cyber-crime issues directly, but it is absolutely essential that our ties with other Risk and Security disciplines are strengthened so that the effects are dealt with. Through Crisis Management exercises, businesses hone their decision-making and public response mechanisms, while vulnerability management experts provide advice and guidance on how to respond. Information Security influences DR solutions by providing suitable controls into the technical solution design. Physical Security participates in the selection of the recovery site and its controls.

Convergence isn't an option or a luxury; it is a necessity for survival.