
The expert view: Recovery and resilience – is your organisation really prepared?

Any number of scenarios could have a disruptive effect on your business, Tom Holloway, of Sungard Availability Services, told an audience of senior executives at a Business Reporter breakfast briefing at London’s Savoy Hotel. Unpredictable events, from a cyber-attack by a foreign state to GDPR or Brexit, can all have an impact on a business’s daily functions and end up affecting the bottom line.

He asked attendees how they were ensuring that their business is resilient in an environment of broadening threats and an ever-present need to cut costs.

Most attendees agreed that they have a multi-layered plan in place to ensure recovery and resilience, from staff training and simulations through to thorough business impact analyses and detailed procurement processes.

However, unexpected threats still emerge, regardless of planning. One attendee, from a law firm, said that the snowstorm in early 2018 left many employees unable to get to work. When they tried to log on to the company VPN, they found that it could not support all the people who were trying to access it.

The company resolved to tackle this by looking again at VPN capacity and ensuring that staff are told whether they should expect to be able to use the VPN in an emergency. Some staff will simply be told not to try.

Another attendee, from the financial services sector, said that during risk assessments the company had decided that its Ukraine-based developers were not critical personnel and that business could continue without them in the event of an emergency. However, when Russia invaded Ukraine and these developers were unable to work, the business soon realised that they were engaged in important tasks and it needed to find a way to keep them working.

Third party risks are harder to control, particularly since many cloud suppliers are reluctant to allow customers to audit their operations. Nevertheless, attendees argued, businesses must have a robust procurement process in place. At the least, it is important to understand how the cloud service is structured and where your data is being stored.

A more complicated problem, which those present said they were just beginning to explore, is the issue of fourth-party suppliers. A company might feel that it has spread its risk sensibly by using 10 different third parties for various aspects of the business, but if all 10 of them outsource to the same supplier (the fourth-party company) then the company actually faces a very concentrated risk. Untangling this can take a lot of time.

Those present suggested that businesses were not yet able to fully grasp the risks of the Internet of Things, which continues to spread across organisations. One delegate, from the mining sector, pointed out that his company now uses driverless trains to transport iron ore. These trains, when travelling at full speed, need seven miles of track on which to stop. He said that his company has had to consider very carefully how those trains are secured, because a cyber-attack or a malfunction could have grave consequences.

Even more trivial technologies can cause problems. One attendee said that smart lights had been a target for hackers, and that simply being able to turn a company’s lights off remotely could be enough to disrupt operations.

What should the board do about these problems? An attendee from the public sector said that he only discussed recovery and resilience with his board when things went wrong. This meant that they were in an “emotional” state, making constructive dialogue difficult. The result is that it is hard to call the organisation “prepared” because its default position is always reactive.

For some, though, the issue is not one for the board at all. One attendee said that the reason it is hard to interest the board in resilience is that it isn’t really their job. Resilience is a function of resistance and adaptability and ensuring that it is in place is the responsibility of the executive committee.

However, most of those present agreed that the board still needs to know enough to ask the right questions about what is being done and how. One way to do that, some attendees suggested, is to have a resilience committee that is chaired by a member of the board, ideally a non-executive director. This means that resilience is not something the board has to monitor too closely, but when it is discussed there will be someone present who has a good grasp of the issues and challenges.

Resilience comes at a cost, and it is not possible to offset every risk. Instead, the company needs to put in place the systems necessary to survive a variety of risks and give the organisation the flexibility needed to react to them.
