Tuesday, 27 May 2014

Football World Cup: a disruptive influence or an opportunity?

The long wait is nearly over. On the 12th June Brazil take on Croatia at the Arena de Sao Paulo in Brazil to officially kick start one of the biggest, if not the biggest, sporting event in the world – the football World Cup. Over the course of 31 days, 32 countries will battle it out in 64 games for the right to be crowned world champions.

So what does this mean for business continuity planners? Well clearly the level of disruption in Brazil is a major issue but this blog isn’t about that. It’s not about the many years of disruption caused by construction projects and the rebuilding of infrastructure. Neither is it about the disruption caused by having over half a million visitors descending on the twelve host cities. This blog is more about the disruption caused by, for most people, the antisocial timings of the matches.

When we watch our own football teams (or attend any other entertainment event), it is very often at a time that is accommodating – weekends or evenings perhaps. With large international tournaments this is rarely the case. Take England's three group fixtures for example – 11pm (expect some employees to be very sleepy the next day), 5pm (expect some employees to want to leave work early) and 8pm (okay that’s more like it). This is a problem that most of the European and African countries will have. Kick off times are even more unsociable if you’re from Iran, Japan, South Korea or Australia.

In England’s case the last two World Cups (South Africa and Germany) didn’t cause any problems as the time zones were only a couple of hours away, but the 2002 World Cup in Japan and South Korea did throw up issues with some games kicking off at 9am. Many employers chose to allow their staff to turn up a few hours late, some chose to install televisions in the office. Productivity may not have been at its highest but arguably this was a better solution than having people call in sick or just not showing up.

The timings of the games may not allow for the same solutions this time but employers still need to think about what their options are. Will their staff want to watch the games? What are the consequences of them doing so? Finally, the all-important question, what can be done to make sure this doesn't disrupt the organization?

Consider also how the World cup will impact on your organization. Will you be quieter as many of your customers will be watching the game, or will you be busier as many of your customers are the sort of people who have no interest in football and are desperate to avoid the football-mania taking place?

Of course you do not have to embrace the World Cup and you could insist that your staff are at work when they normally should be. In all likelihood this will lead to reduced morale and this will in turn reduce the overall level of productivity or service given to customers.

The World Cup is a massive event that for many countries will dictate the mood of the nation over the month that it takes place – organizations should make the most of this. Rather than thinking of it as a disruptive experience, think of it as an opportunity to enhance staff morale by allowing employees, where possible, the flexibility to watch games.

If you are allowing staff time off to watch any of the games, make it fair on all employees by creating a rota so work can still be done. You need to make sure it is fair to those who have no interest in football as they will not appreciate having all the work dumped on them.

Andrew Scott is the Senior Communications Manager at the Business Continuity Institute who joined after a brief stint working as the Press Officer for a national health charity. Prior to that he had over ten years at the Ministry of Defence working in a number of roles including communications and business continuity. During this time he also completed a Masters in Public Relations at the University of Stirling.

Sunday, 25 May 2014

Information - friend or foe?

Information is both a risk and a resource when thinking about organisational resilience, including business continuity. There are plenty of examples of information losses that have caused major embarrassment, cost a considerable amount of money to resolve and resulted in a loss of trust as well as clients. These have included hacking and cyber attack problems, lost memory devices, leaving files on the train or selling off filing cabinets with records still in them. They even involve being photographed on the way to an important meeting carrying a document the content of which can be easily read from the photographs. Organisations involved have ranged from small business to multi-nationals and public sector bodies. The nature of information as a risk is well publicised, as a result, even if after the fact of its loss. The assessment and treatment of information risks is perhaps less well understood in practice as such losses continue to occur. How well thought through is your information risk strategy? Do you fully understand the nature of this risk and have you treated it properly? No one wants to see his or her organisation’s reputation in the gutter due to the loss of sensitive information, be it commercial or personal.

Information is also a key resource when it comes to business recovery. Systems and processes are not useable if the information they require is not available in an accurate, up to date and workable form. Often it may take longer to get information, with proven integrity, loaded back onto a system than to recover the hardware itself. Perhaps this was the problem when it came to the interruption to bank account access experienced in the UK and Ireland in the recent past. The concept of the Recovery Point Objective, the time by which information must be recovered to meet the Recovery Time Objectives of critical processes, is well documented but perhaps less well implemented. If you haven’t gotten into the weeds on this one your recovery strategies may well not deliver as you had hoped. In addition some recovery strategies themselves introduce information risks that may not have existed before the business disruption that caused the strategies to be invoked. Take for example home working. How secure is sensitive or personal information, including emails, when this is your selected recovery option? It is not clear that all organisations have assessed this risk and put in place appropriate steps to treat it. The UK Information Commissioner has had recourse, for example, to fine an organisation in the past for information uploaded onto the web accidentally from a home computer during home working.

There is legislation to cover information risks with the potential for significant fines and websites that name and shame those found responsible for the loss of personal and sensitive information. Currently the EU is reviewing this legislative framework and the outcomes of this work could significantly strengthen the approach taken with those organisations that compromise such information. Planning for this issue isn’t just about what do to when information may be lost but includes a more careful analysis of what information you gather in the first place, how you store it, for how long you keep it, who you allow to access it and how it can be recovered in time. Added to this is the complication of where information ends up and how people actually access it, sometimes without organisations perhaps being aware. This covers issues as diverse as portable laptops, photocopier memory storage and Bring Your Own Devices (BYOD) such as phones or tablets. The scale of the problem can be considerable.

A key place to start is with an information policy. Such a policy could useful set out the principles by which information is to be governed, from initial collation to storage and use/sharing. It should also include destruction and disposal guidance that can be applied to information no longer of use or technology that is not required or obsolete. Such guidance should also cover the eventuality of the invocation of recovery strategies as well as how damaged or irreparable equipment that could hold information is to be safely managed. You can find out much more about this issue at the ICO’s website. Go have a look and educate yourself on this risk and resource.

Risk and Resilience Ltd


You can find out more on this subject by watching Alan's webinar - the management of information related risk.

Friday, 23 May 2014

Is ISO27001 effective in dealing with the cyber threat?

ISO27001, the standard for information security, has recently had a face-lift. It is claimed that ISO27001 is the second largest selling management systems standard in the world and one might assume that this means there has been a significant uptake in its global implementation. The numbers of standards sold is not too surprising. It has been around since 2007 and was essentially derived from BS7799 (1995) and ISO17799 (2000), so information security professionals have had two decades to get used to it. How influential it has been in changing attitudes to security is less clear, some see it as the most important landmark in getting to topic on the management agenda; others see it as too inflexible and procedure based to help counter the real threats posed today by cyber criminality.

Given the strength of some arguments about the value of ISO27001 in a modern context, the need for a face-lift seemed obvious. Many argue that we need a whole new and more agile approach to dealing with cyber threats— and perhaps rigid frameworks like ISO27001 are counterproductive. An analogy that has been made is that the minute tsetse fly is now the biggest threat to human life in Africa, killing the victim slowly following an almost imperceptible bite. Is ISO27001 the equivalent of rifles designed for shooting lions and rhinos when we what we need is new preventative measures and changes in human behaviour? Organizations must be as agile and proactive as the attackers. Frameworks developed for the old world may make this harder.

If this criticism is valid then we have to question whether the revisions to ISO27001 address the main concerns. I think it is fair to say that they do not; there are very little changes and those that have been made are mainly to bring it in line with the administrative requirements now required by ISO. All management systems standards need to follow a structure defined by Annex S1 which is part of a wider ISO directive. In fact old our friend ISO22301 was the first standard to be built against that directive so all the older standards have to play catch-up. The new format for ISO27001 will thus appear very familiar to BC professionals. There are a couple of areas of improvement; beefing up the requirements for performance monitoring and bringing in the outsourced operations. Both additions are very positive improvements in my view.

Perhaps one of the real issues we need to consider is what we mean by information security and cyber resiliency. I do not believe they are necessarily the same thing, although you can’t really have one without the other. A cyber resilient organisation is one that goes beyond compliance. It is one that requires strong, clear leadership and a business model that is flexible, adaptable and agile. It needs to be multi-functional and operate outside of the traditional information security technical expert silo. It must to work closely with all other resilience disciplines as well as understanding business priorities and the key executive concerns.

So does another standard ISO/IEC 27032 provide a better approach? ISO/IEC 27032 claims to address cybersecurity, which it defines as the “preservation of confidentiality, integrity and availability of information in the cyberspace”. In turn cyberspace is defined as “the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form.” So, in reality this standard is purely about internet security. It does not address cyber-safety, cybercrime, internet safety, internet related crime or protection of critical information infrastructure, although there are oblique references to these aspects. It is also not a specification, only a guidance document so it provides some valuable insights but does not replace the need for or do the work of ISO27001.

Clearly, there are no shortages of formal approach to cyber security but resilience requires more than a traditional information security framework. Compliance against ISO27001 gives baseline protection against conventional cyber-threats, but it might not be agile enough to handle the ever changing landscape. Professionals need to beyond compliance and create organisations that are more pro-active in understanding threats and more flexible in response capability. ISO27001 is a useful tool but more fundamental cultural shifts are needed in the way organizations behave.

Lyndon Bird
Technical Director at The Business Continuity Institute

Wednesday, 7 May 2014

What if...?

Keynote speaker and facilitator at this year’s BCI Executive Forum, Dr James Bellini sets the scene and identifies some of the major issues that will face business continuity professionals in the years ahead:

As a futurologist of many years’ standing I am regularly confronted with requests to ‘predict’ the outcome of some activity or development in the world of tomorrow. On occasion I’m even asked the name of the winner of an important upcoming horse race, or the score line of a major soccer match a few weeks hence. If only my crystal ball were that magical ... but it also reveals a basic misunderstanding of what futurology is all about.

I see my task as threefold: to apply a reality check on popular perceptions of the world around us, to create a framework for examining how ‘the future’ might unfold and to identify one or two possible future events or issues that would, if they actually occurred, pose very serious challenges for either business, government or the wider society – or all of these together.

A key tool of the futurologist is the ‘scenario’, in effect a way of thinking about a range of ‘possible’ futures that would have major implications for the way the world works in five, ten or fifteen years from now. To be of any value these scenarios should have a degree of realistic plausibility about them. A Star Trek future of brain transplants and off-world vacation resorts might offer a wacky or romantic vision of life in the 23rd century, but is of little use to decision-makers keen to understand what environment they may have to deal with over the decade ahead. A ‘relevant’ future timeline of perhaps a dozen years at most is the backdrop against which business continuity professionals must arrange their thinking about the risks, pitfalls and options of a changing world.

I will use my opening session to explore the emerging new realities of tomorrow, offering a range of ‘possible’ futures that would – if any of them materialised – change the rules that shape the nature of crises and threats to reputation. For example, it is clear the ‘geography’ of global business will undergo a fundamental shift in the years ahead – but in which direction? What, to take a liberty with syntax, might be the where of tomorrow’s potential crisis situations?

Other scenarios will consider the impact new technologies might have in the years ahead. How (and where) might homes and businesses, neighbourhoods, cities and even entire countries function in the ‘smart’ world of the 2020s? The social benefits may be immense, but with ever more technology in our lives, will it also bring more risks to everyday continuity?

And what are the implications for crisis management of an increasingly connected, online, digital universe. How is this changing the way information is originated, managed, distributed and owned? What if the internet collapses, or the social media revolution takes an unforeseen change of direction, or people simply grow bored with their digital lives and dump the devices and networks that are now the backbone of business, government and everyday life? What if...?

With the theme 'a new horizon', the BCI Executive Forum takes place on the 21st and 22nd May at the Marriott Hotel in Amsterdam. For further information or to book your place, click here.