Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


Cyber-attacks, Black Swans and business continuity management


By Jim Preen

Cyber-crime is rarely out of the news these days. Sony says that hackers may have stolen personal data belonging to as many as 77 million PlayStation gamers. The company admitted that credit card information, used to purchase games, films and music, may be part of the haul.

Just prior to that story breaking, computer security firm McAfee released a report called ‘In the dark: Crucial Industries Confront Cyberattacks’ which casts a beady eye at the impacts of cyber-attacks on power grids, oil, gas, water and the like.

The survey of 200 IT security executives working for utility companies finds that 40 percent believe their industry’s vulnerability has increased. Around 3 out of 10 believe their company is not prepared for a cyber-attack and nearly half expect a major cyber-attack within the next year.

Denial of service attack
Buried deeper in the report: 80 percent of respondents say they have faced a distributed denial of service (DDoS) attack, and a quarter report daily or weekly DDoS attacks.

These types of attacks have the potential to compromise websites and email traffic, but researchers say they are unlikely to disrupt energy supplies.

However, one of the report’s authors, Stewart Baker, a former US national security advisor, warned power companies not to be complacent. “We asked what the likelihood was of a major attack that causes significant outage. That is one that causes severe loss of services for at least 24 hours, loss of life or personal injury or failure of a company. Three quarters thought it would happen within the next two years,” he said.

By now cynics will be muttering that this is no more than a marketing exercise on the part of McAfee, a wholly owned subsidiary of Intel Corporation and one of the world's largest security technology companies. To put it crudely: McAfee has come up with a worrying report that should frighten us into buying their products. But are the cynics right?

Black Swan
In 2007 Nassim Nicholas Taleb wrote the bestseller ‘Black Swan’. Not to be confused with the Oscar-winning film of the same name, Taleb’s book looks at what he calls Black Swan events. These are low-probability, high-impact crises that are almost impossible to predict. He cites World War 1 and 9/11 as examples.

Until the 19th century and the discovery of mutant black swans in Australia, it was assumed all swans were white. Thus to people 200 years ago the idea of a black swan was unimaginable and serves as a compelling image for all that is unexpected.

Some derided the book as being of little value to risk managers if his assumption was correct that history taught us nothing and catastrophe couldn’t be predicted.

In fact his point is that not only do we have a terrible record when it comes to predicting catastrophe, but attempting to do so is a waste of time.

Far better in Taleb’s view to forget trying to predict when an extreme event will happen and to look at the consequences of a catastrophe and reverse engineer risk mitigation.

Limiting risk
For example, outside work we don’t try to predict if and when our house will burn down; we hope this will never happen, but nonetheless most people take out home insurance on buildings and contents. And not just on property: there’s life insurance, car insurance and health insurance, to name but three.

Yet in business, insurance is often treated as an option, something that might be nice to have but could be expensive. Companies should actively think about insurance as a way to hedge risks.

Even relatively small companies now have business continuity plans, which is a step forward in combating risk, but how many of these just languish on a shelf or on a computer’s hard drive and are largely ignored? A plan needs to be communicated extensively around a company’s staff, must be regularly updated and above all should be tested. If these three criteria are not met then the plan may be of little value. Far better to test a plan during a simulation than to find it has major shortcomings in the teeth of a real crisis.

As well as being rehearsed, plans need to be flexible, particularly if Taleb is right about our inability to predict the future. Businesses need to have the right capabilities, which means training people in appropriate crisis skills. In this way businesses can ensure they are best placed to deal with the impacts and not just the causes of a catastrophe.

Snake oil
Walk into any bookshop, particularly those at airports, and there are always shelves stacked with biographies of successful business people detailing their rags-to-riches stories.

Those yearning for success (and who doesn’t?) pick up these tomes to get the inside track on the subjects’ positive approach to riches. Then there are the self-help books, now increasingly not just the domain of agony aunts but of the ‘how to get ahead in business’ variety. Much of it is pure snake oil and should be avoided. A better book might be one that tells you what you shouldn’t do rather than what you should.

Druin Burch in his book ‘Taking the Medicine’ says: “The harmful effects of smoking are roughly equivalent to the combined good ones of every medical intervention developed since World War II. Getting rid of smoking provides more benefit than being able to cure people of every possible type of cancer.”

In the same vein, had banks in the US, the UK and elsewhere heeded the advice NOT to accumulate large exposures to low-probability, high-impact events, the after-effects of the financial crash might not still be with us. Though, of course, at the time they would have made less money.

Capitalism is about incentives and disincentives, about saying yes and no, but if companies automatically disparage the naysayers or negative advice then companies are treating risk management with contempt.

The tangled web
Which brings us back to the McAfee report and why the cynics who think their report is just sales and marketing are wrong. If we can’t predict the future but still need to mitigate risk, then such warnings need to be considered carefully.

We live in a complex, globalised world that is interconnected by the tangled web of the internet. There are endless reports in the news about cyber criminals and cyber warfare where one country targets another; we hardly need a report to tell us this is the case. So make sure that your information security solutions and processes are appropriate and keep them up to date.

As Nassim Taleb suggests, forget about predicting the future and continue the core task of all business continuity managers - search out the weaknesses and vulnerabilities that are present in every company, alert the bosses and find a way to fix them.

Author: Jim Preen, Crisis Solutions.

• Date: 6th May 2011 • Region: World • Type: Article • Topic: ISM
