Facilities: Scanning the horizon for potential threats
As part of SHP’s focus on facilities management, Andrew Scott from the Business Continuity Institute looks at how to stop an IT drama becoming an IT crisis.
In any one second it is estimated that over 10 Terabytes of data is being transferred across the internet. But that’s okay, the global IT infrastructure makes this a relatively easy task to handle. What happens, however, when a large chunk of that data is being focussed on one server? That was the position the BBC found itself in on New Year’s Eve when a Distributed Denial of Service (DDoS) attack of up to 600GBps brought down their website including iPlayer for several hours.
It is this sort of event that business continuity professionals consider to be the greatest threat to organisations, with 85% of respondents to the Business Continuity Institute’s Horizon Scan survey expressing concern about the prospect of such a disruption. Cyber attacks are becoming more frequent, whether as a form of activism, with the intention of holding the victim to ransom, or in some cases as collateral damage in a wider attack. In the case of the BBC it was reported that the attack was just to test whether it was possible.
While DDoS attacks are about flooding computer systems with data, not long after these attacks on the BBC it was flooding of a more traditional nature that caused chaos, as record rainfall in parts of the UK led to rivers bursting their banks in what is becoming an annual occurrence. As a result, infrastructure is damaged and buildings become uninhabitable. Adverse weather, be it rain, wind, snow or extreme temperatures, has long been a major concern due to the disruption it can cause and the lasting damage it can leave.
Horizon scanning is a fundamental part of business continuity and, while the examples above are the top-level threats, it is important for each organisation to assess the threats relevant to them. If you know the threats you face, you will have a better understanding of what the potential impacts could be. From here you have the foundation for a business continuity plan.
So how does an organisation respond to disruptive events? That all depends on what the disruption is.
Is the IT out of action? Can it be replicated elsewhere? There are many data replication solutions available that can migrate all your data to a secondary system, removing the potential single point of failure that could result in you losing all your data in the event of an IT disaster. With the increasing use of the cloud, in theory people should be able to uproot themselves and move virtually anywhere to get their work done, and in office-based environments, this is certainly the case.
Is the building out of action, either because it is closed or because it is inaccessible? Is there a nearby workspace that can be used instead, or can staff work from home? The technology that is available, either by enabling employees to log in to the server remotely or by using the cloud, makes this a perfectly feasible solution without too much disruption. If the disruption is on a much wider scale, can the important work be transferred to a separate location but within the same organisation? Again it comes down to ease of access to data.
Has there been a loss of staff? If this is down to inaccessibility of their workplace then again you need to look at options such as working from other locations. If it is down to inability to work, for example as the result of a pandemic, then your plan needs to include a succession plan identifying who can cover the important roles, or whether staff are trained in multiple roles.
Whatever the crisis, it is essential to respond swiftly, as the longer you delay action, the more disruptive the incident could become. Communicate to all your stakeholders what is going on and what you are doing to resolve it. People are a lot more understanding when you’re being transparent and they can see you’re making an effort to sort things out.
Of course making sure that your own house is in order is one thing, but in the globally connected and often complex world that we live in, most organisations are dependent on many other organisations contained within their supply chain. A supply chain is only as strong as its weakest link so it is important to make sure that the organisations you deal with have their own business continuity plans in place and can manage through any disruption that occurs to them.
What is perhaps the key part of any business continuity plan is the validation phase – does it work? An incident is a great way of finding out whether your plan works or not, but if the answer is that it doesn’t, then it could leave the organisation in a bit of a mess. Testing and exercising ensures that the plan can be effectively assessed in an environment where it doesn’t matter if it goes wrong. There are several ways of exercising the plans, and these range from tabletop exercises, whereby the key players discuss different scenarios and what they would do if those scenarios occurred, to a live exercise in which an incident is played out as if it were for real.
Disruptive events will always occur, whatever form they may take. By having an effective business continuity programme in place, it should mean that, in the event of an incident, a drama doesn’t turn into a crisis.
Andrew Scott CBCI is the Senior Communications Manager at the Business Continuity Institute who joined after a brief stint working as the Press Officer for a national health charity. Prior to that he had over ten years at the Ministry of Defence working in a number of roles including communications and business continuity. During this time he also completed a Masters in Public Relations at the University of Stirling. Andrew has successfully taken the Certificate of the BCI exam which he passed with merit.